PHP :: Bug #79783 :: Segfault in php_str_replace

Bug #79783	Segfault in php_str_replace_common
Submitted:	2020-07-04 02:06 UTC	Modified:	2020-07-06 07:33 UTC
From:	changochen1 at gmail dot com	Assigned:
Status:	Closed	Package:	Scripting Engine problem
PHP Version:	8.0Git-2020-07-04 (Git)	OS:
Private report:	No	CVE-ID:	None

View Developer Edit

[2020-07-04 02:06 UTC] changochen1 at gmail dot com

Description:
------------
In release build, it triggers an segfault:
---
MemorySanitizer:DEADLYSIGNAL
==160146==ERROR: MemorySanitizer: SEGV on unknown address 0x000000000018 (pc 0x000000f8da84 bp 0x000000000000 sp 0x7ffe10b2de00 T160146)
==160146==The signal is caused by a READ memory access.
==160146==Hint: address points to the zero page.
    #0 0xf8da83 in php_str_replace_common /home/yongheng/php_clean/ext/standard/string.c:4379:3
    #1 0x1573b32 in ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER /home/yongheng/php_clean/Zend/zend_vm_execute.h:1236:2
    #2 0x13ec04f in execute_ex /home/yongheng/php_clean/Zend/zend_vm_execute.h:51852:7
    #3 0x13ec844 in zend_execute /home/yongheng/php_clean/Zend/zend_vm_execute.h:56146:2
    #4 0x1337c58 in zend_execute_scripts /home/yongheng/php_clean/Zend/zend.c:1667:4
    #5 0x10c1cd7 in php_execute_script /home/yongheng/php_clean/main/main.c:2579:14
    #6 0x171abf1 in do_cli /home/yongheng/php_clean/sapi/cli/php_cli.c:958:5
    #7 0x1716fcf in main /home/yongheng/php_clean/sapi/cli/php_cli.c:1357:18
    #8 0x7f78981f4b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #9 0x440309 in _start (/home/yongheng/php_clean/asan/sapi/cli/php+0x440309)

MemorySanitizer can not provide additional info.
SUMMARY: MemorySanitizer: SEGV /home/yongheng/php_clean/ext/standard/string.c:4379:3 in php_str_replace_common
==160146==ABORTING
---

In debug build, it triggers an assertion:
---
/home/yongheng/php_clean/ext/standard/string.c:4379: void php_str_replace_common(zend_execute_data *, zval *, int): Assertion `(zval_get_type(&(*(zcount))) == 10)' failed.
---

Test script:
---------------
<?
str_replace ( array () , 1.500000 , array () , DEFINED ( 678.000000 ) ) ;

Patches

Pull Requests

Pull requests:

Fix bug #79783: segfault in str_replace() (php-src/5811)

History

AllCommentsChangesGit/SVN commitsRelated reports

[2020-07-05 08:41 UTC] maxsem dot wiki at gmail dot com

The following pull request has been associated:

Patch Name: Fix bug #79783: segfault in str_replace()
On GitHub:  https://github.com/php/php-src/pull/5811
Patch:      https://github.com/php/php-src/pull/5811.patch

[2020-07-06 07:33 UTC] cmb@php.net

-Status: Open +Status: Verified

[2020-07-06 07:33 UTC] cmb@php.net

Crashes as of PHP 7.4.0; doesn't trigger notice ("only variables
should be passed by reference") as of PHP 7.0.0:
<https://3v4l.org/b1psI>.

[2020-07-07 07:57 UTC] nikic@php.net

Automatic comment on behalf of nikita.ppv@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=971e5c5186a2a2339b0dbad4f2a057a9deed5aa2
Log: Fixed bug #79783

[2020-07-07 07:57 UTC] nikic@php.net

-Status: Verified +Status: Closed

[2020-12-04 22:11 UTC] danack@php.net

Related To: Bug #80486

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Sat Nov 01 00:00:01 2025 UTC