PHP :: Bug #80096 :: Segmentation fault with named arguments in nested call

Bug #80096	Segmentation fault with named arguments in nested call
Submitted:	2020-09-12 11:17 UTC	Modified:	2020-09-14 13:49 UTC
From:	thekid@php.net	Assigned:	nikic (profile)
Status:	Closed	Package:	Scripting Engine problem
PHP Version:	8.0Git-2020-09-12 (Git)	OS:	Ubuntu / WSL
Private report:	No	CVE-ID:	None

View Add Comment Developer Edit

Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.

php.net Username: php.net Password:

Quick Fix:	(description)
	Block user comment
Status:		Assign to:
Package:
Bug Type:
Summary:
From:	thekid@php.net
New email:
PHP Version:		OS:

New/Additional Comment:

[2020-09-12 11:17 UTC] thekid@php.net

Description:
------------
Passing a function invoked with named arguments as an argument to a function results in PHP crashing with a segmentation fault.

Test script:
---------------
thekid@Surface:~/bin/php$ ./sapi/cli/php -r 'function p($arg) { echo $arg, "\n"; } p(htmlentities("The < character is encoded as &lt;", do
uble_encode: false));'
Segmentation fault

thekid@Surface:~/bin/php$ ./sapi/cli/php -v
PHP 8.0.0-dev (cli) (built: Sep 12 2020 04:33:25) ( NTS )
Copyright (c) The PHP Group
Zend Engine v4.0.0-dev, Copyright (c) Zend Technologies

Expected result:
----------------
The &lt; character is encoded as &lt;

Actual result:
--------------
Segmentation fault

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports

[2020-09-12 11:19 UTC] thekid@php.net

Program received signal SIGSEGV, Segmentation fault.
0x00005555558e6d3a in ZEND_SEND_VAR_SPEC_VAR_UNUSED_HANDLER () at /home/thekid/bin/php/Zend/zend_vm_execute.h:28375
28375                           ZVAL_COPY_VALUE(arg, varptr);
(gdb) bt
#0  0x00005555558e6d3a in ZEND_SEND_VAR_SPEC_VAR_UNUSED_HANDLER () at /home/thekid/bin/php/Zend/zend_vm_execute.h:28375
#1  execute_ex (ex=0x0) at /home/thekid/bin/php/Zend/zend_vm_execute.h:58125
#2  0x00005555558ed7df in zend_execute (op_array=<optimized out>, return_value=0x7fffffffcc80)
    at /home/thekid/bin/php/Zend/zend_vm_execute.h:59928
#3  0x0000555555873600 in zend_eval_stringl (
    str=0x555556573fc0 "function p($arg) { echo $arg, \"\\n\"; } p(htmlentities(\"The < character is encoded as &lt;\", double_encode: false));", str_len=<optimized out>, retval_ptr=0x0, string_name=0x5555560a4615 "Command line code")
    at /home/thekid/bin/php/Zend/zend_execute_API.c:1195
#4  0x00005555558737c9 in zend_eval_stringl_ex (str=<optimized out>, str_len=<optimized out>, retval_ptr=<optimized out>,
    string_name=<optimized out>, handle_exceptions=<optimized out>) at /home/thekid/bin/php/Zend/zend_execute_API.c:1236
#5  0x00005555559136f3 in do_cli (argc=3, argv=0x555556573f40) at /home/thekid/bin/php/sapi/cli/php_cli.c:979
#6  0x00005555556462db in main (argc=3, argv=0x555556573f40) at /home/thekid/bin/php/sapi/cli/php_cli.c:1336

[2020-09-12 12:13 UTC] thekid@php.net

thekid@Surface:~/bin/php$ cat Zend/tests/bug80096.phpt
--TEST--
Bug #80096 (Segmentation fault with named arguments)
--FILE--
<?php
function println($arg) {
  echo $arg, "\n";
}

println(htmlentities("The < character is encoded as &lt;", double_encode: false));
?>
--EXPECT--
The &lt; character is encoded as &lt;

[2020-09-12 12:13 UTC] thekid@php.net

Related To: Bug #80096

[2020-09-12 13:14 UTC] thekid@php.net

This does not occur if instead of htmlentities, a userland function is used:

thekid@Surface:~/bin/php$ ./sapi/cli/php -r 'function html($string, $flags= 2, $double= true) { return htmlentities($string, $flags, null, $double); } function p($arg) { echo $arg, "\n"; } p(html("The < character is encoded as &lt;", double: false));'
The &lt; character is encoded as &lt;

[2020-09-14 13:42 UTC] nikic@php.net

-Assigned To: +Assigned To: nikic

[2020-09-14 13:49 UTC] nikic@php.net

-Summary: Segmentation fault with named arguments +Summary: Segmentation fault with named arguments in nested call

[2020-09-14 13:50 UTC] nikic@php.net

Automatic comment on behalf of nikita.ppv@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=57a4a2c5a8ddd7e2f1214d5b05c270992e19451e
Log: Fixed bug #80096

[2020-09-14 13:50 UTC] nikic@php.net

-Status: Assigned +Status: Closed

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Tue Apr 16 11:01:29 2024 UTC