Fix GH-13827: Null pointer access of type 'zval' in phpdbg_frame

We don't always have the line and filename in a backtrace frame, but phpdbg assumes we do. Closes GH-13831.
2024-09-21 09:57:23 +00:00 · 2024-03-29 00:38:15 +01:00 · 2024-03-29 00:38:15 +01:00 · d3f1f3ab40
commit d3f1f3ab40
parent 100258ffd6
3 changed files with 45 additions and 2 deletions
--- a/4
+++ b/4
@ -10,6 +10,10 @@ PHP                                                                        NEWS
  . Fixed bug GH-10495 (feof on OpenSSL stream hangs indefinitely).
    (Jakub Zelenka)

+- PHPDBG:
+  . Fixed bug GH-13827 (Null pointer access of type 'zval' in phpdbg_frame).
+    (nielsdos)
+
 - Streams:
  . Fixed bug GH-13264 (Part 1 - Memory leak on stream filter failure).
    (Jakub Zelenka)
--- a/sapi/phpdbg/phpdbg_frame.c
+++ b/sapi/phpdbg/phpdbg_frame.c
@ -274,7 +274,8 @@ void phpdbg_dump_backtrace(size_t num) /* {{{ */
 	Z_STR(startfile) = zend_string_init(startfilename, strlen(startfilename), 0);

 	zend_hash_internal_pointer_reset_ex(Z_ARRVAL(zbacktrace), &position);
-	tmp = zend_hash_get_current_data_ex(Z_ARRVAL(zbacktrace), &position);
+
+	zval *function_name = NULL;
 	while ((tmp = zend_hash_get_current_data_ex(Z_ARRVAL(zbacktrace), &position))) {
 		if (file) { /* userland */
 			phpdbg_out("frame #%d: ", i);
@ -289,10 +290,18 @@ void phpdbg_dump_backtrace(size_t num) /* {{{ */

 		file = zend_hash_str_find(Z_ARRVAL_P(tmp), ZEND_STRL("file"));
 		line = zend_hash_str_find(Z_ARRVAL_P(tmp), ZEND_STRL("line"));
+		function_name = zend_hash_find(Z_ARRVAL_P(tmp), ZSTR_KNOWN(ZEND_STR_FUNCTION));
+
 		zend_hash_move_forward_ex(Z_ARRVAL(zbacktrace), &position);
 	}

-	phpdbg_writeln("frame #%d: {main} at %s:"ZEND_LONG_FMT, i, Z_STRVAL_P(file), Z_LVAL_P(line));
+	/* This is possible for fibers' start closure for example, which have a frame that doesn't contain the info
+	 * of which location stated the fiber if that stack frame is already torn down. same behaviour with debug_backtrace(). */
+	if (file == NULL) {
+		phpdbg_writeln(" => %s (internal function)", Z_STRVAL_P(function_name));
+	} else {
+		phpdbg_writeln("frame #%d: {main} at %s:"ZEND_LONG_FMT, i, Z_STRVAL_P(file), Z_LVAL_P(line));
+	}

 	zval_ptr_dtor_nogc(&zbacktrace);
 	zend_string_release(Z_STR(startfile));
--- a/sapi/phpdbg/tests/gh13827.phpt
+++ b/sapi/phpdbg/tests/gh13827.phpt
@ -0,0 +1,30 @@
+--TEST--
+GH-13827 (Null pointer access of type 'zval' in phpdbg_frame)
+--FILE--
+<?php
+
+$fiber = new Fiber(function () {
+    $fiber = Fiber::getCurrent();
+
+    Fiber::suspend();
+});
+
+$fiber->start();
+
+$fiber = null;
+gc_collect_cycles();
+
+?>
+--PHPDBG--
+r
+t
+q
+--EXPECTF--
+[Successful compilation of %s]
+prompt> [Uncaught GracefulExit in  on line 0: ]
+>00006:     Fiber::suspend();
+ 00007: });
+ 00008: 
+prompt> frame #0: {closure}() at %s:6
+ => {closure} (internal function)
+prompt>