Bug #79434 PHP 7.3 and PHP-7.4 crash with NULL-pointer dereference on !CS constant
Submitted: 2020-03-30 15:53 UTC Modified: 2020-03-31 07:49 UTC
From: bruno dot premont at restena dot lu Assigned:
Status: Closed Package: Scripting Engine problem
PHP Version: 7.3.16 OS: Linux
Private report: No CVE-ID: None


 [2020-03-30 15:53 UTC] bruno dot premont at restena dot lu
- PHP-7.3.15-r1
- PHP-7.4.3-r1
Not affected:
- PHP-7.2.28-r1

For all of them, pecl-radius 1.4.0_beta is loaded.

Accessing constants defined by pecl-radius (which are defined as being case-insensitive) in a namespaced manner causes PHP to crash (SEGFAULT on 0x01, 1 byte within a NULL-pointer).
Accessing the same constant in a non-namespaced manner works as expected.

Marking all pecl-radius constants case-sensitive also prevents the crash.

Could not reproduce the same crash with TRUE/FALSE PHP-core constants which are case-insensitive as well.

Test script:
# following line works:

# following alternate line crashes:

Actual result:
Backtrace captured with php-cli-7.3.15-r1 (Gentoo)

Code at zend_execute.c:3373 would be:
  is_deprecated = memcmp(ZSTR_VAL(c->name) + shortname_offset, Z_STRVAL_P(orig_key - 1) + shortname_offset, shortname_len) != 0;

#0  0xf6dc4f60 in ?? () from /libx32/
No symbol table info available.
#1  0x569b632d in _zend_quick_get_constant (check_defined_only=0, flags=<optimized out>, key=0xf4c8d0a0) at /var/tmp/portage/dev-lang/php-7.3.15-r1/work/sapis-build/cli/Zend/zend_execute.c:3373
        ns_sep = <optimized out>
        shortname_offset = <optimized out>
        shortname_len = <optimized out>
        is_deprecated = <optimized out>
        zv = <optimized out>
        orig_key = <optimized out>
        c = 0x57426c90
        zv = <optimized out>
        orig_key = <optimized out>
        c = <optimized out>
        actual = <optimized out>
        __z = <optimized out>
        __s = <optimized out>
        __z = <optimized out>
        __s = <optimized out>
        _z1 = <optimized out>
        _z2 = <optimized out>
        _gc = <optimized out>
        _t = <optimized out>
        _w2 = <optimized out>
        ns_sep = <optimized out>
        shortname_offset = <optimized out>
        shortname_len = <optimized out>
        is_deprecated = <optimized out>
        access_key = <optimized out>
#2  zend_quick_get_constant (key=<optimized out>, flags=<optimized out>) at /var/tmp/portage/dev-lang/php-7.3.15-r1/work/sapis-build/cli/Zend/zend_execute.c:3394
No locals.
#3  0x569f7de6 in ZEND_FETCH_CONSTANT_SPEC_UNUSED_CONST_HANDLER () at /var/tmp/portage/dev-lang/php-7.3.15-r1/work/sapis-build/cli/Zend/zend_vm_execute.h:32077
        c = 0x1
        c = <optimized out>
        _z1 = <optimized out>
        _z2 = <optimized out>
        _gc = <optimized out>
        _t = <optimized out>
        _w2 = <optimized out>


WORKAROUND_Mark-pecl-radius-consts-case-sensitive.patch (last revision 2020-03-31 06:43 UTC by bruno dot premont at restena dot lu)

 [2020-03-31 06:43 UTC] bruno dot premont at restena dot lu
The following patch has been added/updated:

Patch Name: WORKAROUND_Mark-pecl-radius-consts-case-sensitive.patch
Revision:   1585636995
 [2020-03-31 07:49 UTC]
-Status: Open
+Status: Verified
-Package: Variables related
+Package: Scripting Engine problem
 [2020-03-31 07:49 UTC]
I can confirm the issue; the segfault happens as of commit

Thanks for the radius patch!  While I think it would be reasonable
to make the constant case-sensitive in radius, we still need to
fix the engine crashing on qualified case-insensitive constants.

[1] <;a=commit;h=88dd38ee814f242befa7f9f40599b7b22b5ff8c8>
 [2020-04-02 14:36 UTC]
Automatic comment on behalf of
Log: Fixed bug #79434
 [2020-04-02 14:36 UTC]
-Status: Verified
+Status: Closed
Last updated: Wed Apr 21 21:01:24 2021 UTC