Bug #80096 Segmentation fault with named arguments in nested call
Submitted: 2020-09-12 11:17 UTC
Modified: 2020-09-14 13:49 UTC
From: thekid@php.net
Assigned: nikic
Status: Closed
Package: Scripting Engine problem
PHP Version: 8.0Git-2020-09-12 (Git)
OS: Ubuntu / WSL
Private report: No
CVE-ID: None
 [2020-09-12 11:17 UTC] thekid@php.net
Description:
------------
Passing a function invoked with named arguments as an argument to a function results in PHP crashing with a segmentation fault.

Test script:
---------------
thekid@Surface:~/bin/php$ ./sapi/cli/php -r 'function p($arg) { echo $arg, "\n"; } p(htmlentities("The < character is encoded as &lt;", double_encode: false));'
Segmentation fault

thekid@Surface:~/bin/php$ ./sapi/cli/php -v
PHP 8.0.0-dev (cli) (built: Sep 12 2020 04:33:25) ( NTS )
Copyright (c) The PHP Group
Zend Engine v4.0.0-dev, Copyright (c) Zend Technologies

Expected result:
----------------
The &lt; character is encoded as &lt;

Actual result:
--------------
Segmentation fault

 [2020-09-12 11:19 UTC] thekid@php.net
Program received signal SIGSEGV, Segmentation fault.
0x00005555558e6d3a in ZEND_SEND_VAR_SPEC_VAR_UNUSED_HANDLER () at /home/thekid/bin/php/Zend/zend_vm_execute.h:28375
28375                           ZVAL_COPY_VALUE(arg, varptr);
(gdb) bt
#0  0x00005555558e6d3a in ZEND_SEND_VAR_SPEC_VAR_UNUSED_HANDLER () at /home/thekid/bin/php/Zend/zend_vm_execute.h:28375
#1  execute_ex (ex=0x0) at /home/thekid/bin/php/Zend/zend_vm_execute.h:58125
#2  0x00005555558ed7df in zend_execute (op_array=<optimized out>, return_value=0x7fffffffcc80)
    at /home/thekid/bin/php/Zend/zend_vm_execute.h:59928
#3  0x0000555555873600 in zend_eval_stringl (
    str=0x555556573fc0 "function p($arg) { echo $arg, \"\\n\"; } p(htmlentities(\"The < character is encoded as &lt;\", double_encode: false));", str_len=<optimized out>, retval_ptr=0x0, string_name=0x5555560a4615 "Command line code")
    at /home/thekid/bin/php/Zend/zend_execute_API.c:1195
#4  0x00005555558737c9 in zend_eval_stringl_ex (str=<optimized out>, str_len=<optimized out>, retval_ptr=<optimized out>,
    string_name=<optimized out>, handle_exceptions=<optimized out>) at /home/thekid/bin/php/Zend/zend_execute_API.c:1236
#5  0x00005555559136f3 in do_cli (argc=3, argv=0x555556573f40) at /home/thekid/bin/php/sapi/cli/php_cli.c:979
#6  0x00005555556462db in main (argc=3, argv=0x555556573f40) at /home/thekid/bin/php/sapi/cli/php_cli.c:1336
 [2020-09-12 12:13 UTC] thekid@php.net
thekid@Surface:~/bin/php$ cat Zend/tests/bug80096.phpt
--TEST--
Bug #80096 (Segmentation fault with named arguments)
--FILE--
<?php
function println($arg) {
  echo $arg, "\n";
}

println(htmlentities("The < character is encoded as &lt;", double_encode: false));
?>
--EXPECT--
The &lt; character is encoded as &lt;
 [2020-09-12 13:14 UTC] thekid@php.net
This does not occur if instead of htmlentities, a userland function is used:

thekid@Surface:~/bin/php$ ./sapi/cli/php -r 'function html($string, $flags= 2, $double= true) { return htmlentities($string, $flags, null, $double); } function p($arg) { echo $arg, "\n"; } p(html("The < character is encoded as &lt;", double: false));'
The &lt; character is encoded as &lt;
 [2020-09-14 13:42 UTC] nikic@php.net
-Assigned To:
+Assigned To: nikic
 [2020-09-14 13:49 UTC] nikic@php.net
-Summary: Segmentation fault with named arguments
+Summary: Segmentation fault with named arguments in nested call
 [2020-09-14 13:50 UTC] nikic@php.net
Automatic comment on behalf of nikita.ppv@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=57a4a2c5a8ddd7e2f1214d5b05c270992e19451e
Log: Fixed bug #80096
 [2020-09-14 13:50 UTC] nikic@php.net
-Status: Assigned
+Status: Closed