Fix stack overflow detection for variable compilation

Closes GH-17623
2026-03-24 00:02:20 +01:00 · 2025-01-29 15:04:17 +01:00
parent 5a4832f97b
commit 333f5dd848
3 changed files with 79 additions and 0 deletions
--- a/4
+++ b/4
@@ -5,6 +5,10 @@ PHP                                                                        NEWS
 - BCMath:
  . Fixed bug GH-17398 (bcmul memory leak). (SakiTakamachi)

+- Core:
+  . Fixed bug GH-17623 (Broken stack overflow detection for variable
+    compilation). (ilutov)
+
 13 Feb 2025, PHP 8.3.17

 - Core:
--- a/Zend/tests/stack_limit/stack_limit_015.phpt
+++ b/Zend/tests/stack_limit/stack_limit_015.phpt
@@ -0,0 +1,71 @@
+--TEST--
+Stack limit 015 - Internal stack limit check in zend_compile_var()
+--CREDITS--
+abdullahasif88
+--SKIPIF--
+<?php
+if (!function_exists('zend_test_zend_call_stack_get')) die("skip zend_test_zend_call_stack_get() is not available");
+?>
+--EXTENSIONS--
+zend_test
+--INI--
+zend.max_allowed_stack_size=128K
+--FILE--
+<?php
+
+$test
+    ->p->p->p->p->p->p->p->p->p->p
+    ->p->p->p->p->p->p->p->p->p->p
+    ->p->p->p->p->p->p->p->p->p->p
+    ->p->p->p->p->p->p->p->p->p->p
+    ->p->p->p->p->p->p->p->p->p->p
+    ->p->p->p->p->p->p->p->p->p->p
+    ->p->p->p->p->p->p->p->p->p->p
+    ->p->p->p->p->p->p->p->p->p->p
+    ->p->p->p->p->p->p->p->p->p->p
+    ->p->p->p->p->p->p->p->p->p->p
+    ->p->p->p->p->p->p->p->p->p->p
+    ->p->p->p->p->p->p->p->p->p->p
+    ->p->p->p->p->p->p->p->p->p->p
+    ->p->p->p->p->p->p->p->p->p->p
+    ->p->p->p->p->p->p->p->p->p->p
+    ->p->p->p->p->p->p->p->p->p->p
+    ->p->p->p->p->p->p->p->p->p->p
+    ->p->p->p->p->p->p->p->p->p->p
+    ->p->p->p->p->p->p->p->p->p->p
+    ->p->p->p->p->p->p->p->p->p->p
+    ->p->p->p->p->p->p->p->p->p->p
+    ->p->p->p->p->p->p->p->p->p->p
+    ->p->p->p->p->p->p->p->p->p->p
+    ->p->p->p->p->p->p->p->p->p->p
+    ->p->p->p->p->p->p->p->p->p->p
+    ->p->p->p->p->p->p->p->p->p->p
+    ->p->p->p->p->p->p->p->p->p->p
+    ->p->p->p->p->p->p->p->p->p->p
+    ->p->p->p->p->p->p->p->p->p->p
+    ->p->p->p->p->p->p->p->p->p->p
+    ->p->p->p->p->p->p->p->p->p->p
+    ->p->p->p->p->p->p->p->p->p->p
+    ->p->p->p->p->p->p->p->p->p->p
+    ->p->p->p->p->p->p->p->p->p->p
+    ->p->p->p->p->p->p->p->p->p->p
+    ->p->p->p->p->p->p->p->p->p->p
+    ->p->p->p->p->p->p->p->p->p->p
+    ->p->p->p->p->p->p->p->p->p->p
+    ->p->p->p->p->p->p->p->p->p->p
+    ->p->p->p->p->p->p->p->p->p->p
+    ->p->p->p->p->p->p->p->p->p->p
+    ->p->p->p->p->p->p->p->p->p->p
+    ->p->p->p->p->p->p->p->p->p->p
+    ->p->p->p->p->p->p->p->p->p->p
+    ->p->p->p->p->p->p->p->p->p->p
+    ->p->p->p->p->p->p->p->p->p->p
+    ->p->p->p->p->p->p->p->p->p->p
+    ->p->p->p->p->p->p->p->p->p->p
+    ->p->p->p->p->p->p->p->p->p->p
+    ->p->p->p->p->p->p->p->p->p->p
+;
+
+?>
+--EXPECTF--
+Fatal error: Maximum call stack size of %d bytes (zend.max_allowed_stack_size - zend.reserved_stack_size) reached during compilation. Try splitting expression in %s on line %d
--- a/Zend/zend_compile.c
+++ b/Zend/zend_compile.c
@@ -10686,6 +10686,8 @@ static zend_op *zend_compile_var_inner(znode *result, zend_ast *ast, uint32_t ty

 static zend_op *zend_compile_var(znode *result, zend_ast *ast, uint32_t type, bool by_ref) /* {{{ */
 {
+	zend_check_stack_limit();
+
 	uint32_t checkpoint = zend_short_circuiting_checkpoint();
 	zend_op *opcode = zend_compile_var_inner(result, ast, type, by_ref);
 	zend_short_circuiting_commit(checkpoint, result, ast);
@@ -10694,6 +10696,8 @@ static zend_op *zend_compile_var(znode *result, zend_ast *ast, uint32_t type, bo

 static zend_op *zend_delayed_compile_var(znode *result, zend_ast *ast, uint32_t type, bool by_ref) /* {{{ */
 {
+	zend_check_stack_limit();
+
 	switch (ast->kind) {
 		case ZEND_AST_VAR:
 			return zend_compile_simple_var(result, ast, type, 1);