|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #79432 spl_autoload_call() with non-string argument violates assertion
Submitted: 2020-03-30 07:11 UTC Modified: 2020-04-27 14:18 UTC
From: wxhusst at gmail dot com Assigned:
Status: Closed Package: SPL related
PHP Version: master-Git-2020-03-30 (Git) OS: *
Private report: No CVE-ID: None
 [2020-03-30 07:11 UTC] wxhusst at gmail dot com
/mnt/d/work/fuzz/php-src/ext/spl/php_spl.c:401: void zif_spl_autoload_call(zend_execute_data *, zval *): Assertion `(executor_globals.exception)' failed.

Test script:
$a = NULL;
$b = spl_autoload_call($a,);

Expected result:

Actual result:
assert crash


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2020-03-30 07:13 UTC]
-Type: Security +Type: Bug
 [2020-03-30 08:19 UTC]
-Summary: /mnt/d/work/fuzz/php-src/ext/spl/php_spl.c:401: void zif_spl_autoload_call(zend +Summary: spl_autoload_call() with non-string argument violates assertion -Status: Open +Status: Verified -Operating System: linux +Operating System: *
 [2020-03-30 08:24 UTC]
We should move the string check into zpp, yes. The internal autoloading mechanism is always going to pass a string, so there seems to be no reason to silently ignore non-strings.
 [2020-04-27 04:46 UTC]
according to PSR-4, autoload function should never throw exception, so I think the RETURN_THROW should be fixed instead.
 [2020-04-27 14:18 UTC]
@laruence: Throwing in autoloader is fine in general, you just shouldn't throw if the class has not been found. But things like "loaded file has syntax error" or "passed argument is not a string" can still throw.
 [2020-04-27 14:22 UTC]
Automatic comment on behalf of
Log: Fixed bug #79432
 [2020-04-27 14:22 UTC]
-Status: Verified +Status: Closed
PHP Copyright © 2001-2022 The PHP Group
All rights reserved.
Last updated: Fri May 20 11:05:45 2022 UTC