mirror of
https://github.com/php/php-src.git
synced 2024-09-21 18:07:23 +00:00
727e26f9f2
The following sequence of actions was happening which caused a null pointer dereference: 1. debug_backtrace() returns an array 2. The concatenation to $c will transform the array to a string via `zval_get_string_func` for op2 and output a warning. Note that zval op1 is of type string due to the first do-while sequence. 3. The warning of an implicit "array to string conversion" triggers the ob_start callback to run. This code transform $c (==op1) to a long. 4. The code below the 2 do-while sequences assume that both op1 and op2 are strings, but this is no longer the case. A dereference of the string will therefore result in a null pointer dereference. The solution used here is to work with the zend_string directly instead of with the ops. For the tests: Co-authored-by: changochen1@gmail.com Co-authored-by: cmbecker69@gmx.de Co-authored-by: yukik@risec.co.jp Closes GH-10049.
19 lines
290 B
PHP
19 lines
290 B
PHP
--TEST--
|
|
Bug #79836 (Segfault in concat_function)
|
|
--INI--
|
|
opcache.optimization_level = 0x7FFEBFFF & ~0x400
|
|
--FILE--
|
|
<?php
|
|
$counter = 0;
|
|
ob_start(function ($buffer) use (&$c, &$counter) {
|
|
$c = 0;
|
|
++$counter;
|
|
}, 1);
|
|
$c .= [];
|
|
$c .= [];
|
|
ob_end_clean();
|
|
echo $counter . "\n";
|
|
?>
|
|
--EXPECT--
|
|
3
|