Description:
------------
I am trying to improve a third-party PHP extension. I was trying to split a comma-separated string with php_explode() but it caused a segmentation fault.

I managed to find out that the segfault was caused by php_memnstr.

If its third parameter (delimiter length) is a plain number, or strlen( ZSTR_VAL(needle) ), or even needle->len, there is no segfault.

However, if it is ZSTR_LEN(delimiter), as in php_memnstr, a segfault happens. The delimiter is a properly initiated zend_string *, and its ZSTR_LEN can be output with php_printf and looks correct.

It is interesting, that the segfaults seems to happen immediately: the numerous php_prints calls above php_memnstr are not executed (as if the compiler optimises something incorrectly).

Unfortunately, I was unable to make gdb work.

PHP 7.4.10 (cli) (built: Sep  9 2020 06:36:30) ( NTS )
Copyright (c) The PHP Group
Zend Engine v3.4.0, Copyright (c) Zend Technologies
    with Zend OPcache v7.4.10, Copyright (c), by Zend Technologies
    with Xdebug v2.9.6, Copyright (c) 2002-2020, by Derick Rethans


Test script:
---------------
zend_string * haystack;
haystack = zend_string_init( "1,2,3", 5, 0 );

zend_string * needle;
needle = zend_string_init( ",", 1, 0 );

// Works:
const char *p = php_memnstr(ZSTR_VAL(haystack), ZSTR_VAL(needle), 1, ZSTR_VAL(haustack) + ZSTR_LEN(haystack) );

// Also works:
const char *p = php_memnstr(ZSTR_VAL(haystack), ZSTR_VAL(needle), strlen( ZSTR_VAL(needle) ), ZSTR_VAL(haustack) + ZSTR_LEN(haystack) );

// Even this works:
const char *p = php_memnstr(ZSTR_VAL(haystack), ZSTR_VAL(needle), needle->len, ZSTR_VAL(haustack) + ZSTR_LEN(haystack) );

// Segfaults:
const char *p = php_memnstr(ZSTR_VAL(haystack), ZSTR_VAL(needle), ZSTR_LEN(needle), ZSTR_VAL(haustack) + ZSTR_LEN(haystack) );