Mirror of https://github.com/php/php-src.git
Commit 727e26f9f2
The following sequence of actions was happening which caused a null pointer dereference:

1. debug_backtrace() returns an array.
2. The concatenation to $c will transform the array to a string via `zval_get_string_func` for op2 and output a warning. Note that zval op1 is of type string due to the first do-while sequence.
3. The warning of an implicit "array to string conversion" triggers the ob_start callback to run. This code transforms $c (==op1) to a long.
4. The code below the 2 do-while sequences assumes that both op1 and op2 are strings, but this is no longer the case. A dereference of the string will therefore result in a null pointer dereference.

The solution used here is to work with the zend_string directly instead of with the ops.

For the tests:
Co-authored-by: changochen1@gmail.com
Co-authored-by: cmbecker69@gmx.de
Co-authored-by: yukik@risec.co.jp

Closes GH-10049.
26 lines, 335 B, PHP
```php
--TEST--
Bug #79836 (Segfault in concat_function)
--FILE--
<?php

$c = str_repeat("abcd", 10);

ob_start(function () use (&$c) {
    $c = 0;
}, 1);

class X {
    function __toString() {
        echo "a";
        return "abc";
    }
}

$xxx = new X;

$x = $c . $xxx;
ob_end_clean();
echo $x . "\n";
?>
--EXPECT--
abcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabc
```
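The defect pattern behind this fix, reduced to a toy model in C (an added example, not php-src code: the `val_t`, `str_t`, `get_string`, `concat_buggy` and `concat_fixed` names are assumptions that only imitate the shape of zval, zend_string and `zval_get_string`). Converting op2 can run user code (the output handler in the test, or `__toString`), and that user code may overwrite op1, just as `$c = 0` does above. The buggy shape checks op1's type once and re-reads op1 after the conversion; the fixed shape takes a counted reference to op1's string first and never looks at op1 again, so the result is built from the original string even after op1 has become a long:

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy model of engine values (NOT the real zval / zend_string types). */
typedef struct { int refcount; size_t len; char *val; } str_t;
typedef enum { T_LONG, T_STRING } type_t;
typedef struct { type_t type; union { long lval; str_t *str; } u; } val_t;

static str_t *str_new(const char *s) {
    str_t *r = malloc(sizeof *r);
    r->refcount = 1;
    r->len = strlen(s);
    r->val = malloc(r->len + 1);
    memcpy(r->val, s, r->len + 1);
    return r;
}

static void str_release(str_t *s) {
    if (--s->refcount == 0) { free(s->val); free(s); }
}

static void val_set_string(val_t *v, const char *s) { v->type = T_STRING; v->u.str = str_new(s); }

/* Like "$c = 0" in the ob_start handler: drops the string, overwrites the slot with a long. */
static void val_set_long(val_t *v, long l) {
    if (v->type == T_STRING) str_release(v->u.str);
    v->type = T_LONG;
    v->u.lval = l;
}

typedef void (*hook_fn)(void *ctx);

/* Stand-in for converting op2 to a string: a non-string conversion may run user
 * code (warning output handler, __toString) before producing the result. */
static str_t *get_string(val_t *v, hook_fn hook, void *ctx) {
    char buf[32];
    if (v->type == T_STRING) { v->u.str->refcount++; return v->u.str; }
    if (hook) hook(ctx);
    snprintf(buf, sizeof buf, "%ld", v->u.lval);
    return str_new(buf);
}

static str_t *join(const str_t *a, const str_t *b) {
    str_t *r = malloc(sizeof *r);
    r->refcount = 1;
    r->len = a->len + b->len;
    r->val = malloc(r->len + 1);
    memcpy(r->val, a->val, a->len);
    memcpy(r->val + a->len, b->val, b->len + 1);
    return r;
}

/* Buggy shape: trusts the up-front "op1 is a string" check after user code ran.
 * The real code had no second check and dereferenced a NULL pointer; this toy
 * returns NULL instead so the demo does not crash. */
static str_t *concat_buggy(val_t *op1, val_t *op2, hook_fn hook, void *ctx) {
    if (op1->type != T_STRING) return NULL;      /* toy only handles string op1 */
    str_t *s2 = get_string(op2, hook, ctx);      /* user code may clobber op1 here */
    if (op1->type != T_STRING) { str_release(s2); return NULL; }
    str_t *r = join(op1->u.str, s2);
    str_release(s2);
    return r;
}

/* Fixed shape: hold our own reference to op1's string before any user code can
 * run, and use that handle instead of re-reading op1 afterwards. */
static str_t *concat_fixed(val_t *op1, val_t *op2, hook_fn hook, void *ctx) {
    if (op1->type != T_STRING) return NULL;
    str_t *s1 = op1->u.str;
    s1->refcount++;                              /* keeps s1 alive even if op1 changes */
    str_t *s2 = get_string(op2, hook, ctx);      /* op1 may become a long here */
    str_t *r = join(s1, s2);                     /* s1 is still valid */
    str_release(s1);
    str_release(s2);
    return r;
}

/* Hook modelled on the test's handler: "$c = 0" while $c is op1. */
static void clobber_op1(void *ctx) { val_set_long((val_t *)ctx, 0); }

/* Runs op1="abcd" . op2=7 through one implementation; returns malloc'd text,
 * or NULL when the buggy path detected the stale op1. Caller frees. */
static char *run_scenario(int fixed) {
    val_t c, n;
    char *out = NULL;
    val_set_string(&c, "abcd");
    n.type = T_LONG; n.u.lval = 7;
    str_t *r = fixed ? concat_fixed(&c, &n, clobber_op1, &c)
                     : concat_buggy(&c, &n, clobber_op1, &c);
    if (r) { out = malloc(r->len + 1); memcpy(out, r->val, r->len + 1); str_release(r); }
    val_set_long(&c, 0);                         /* cleanup; c is already a long */
    return out;
}

static int buggy_detects_stale(void) { char *r = run_scenario(0); int hit = (r == NULL); free(r); return hit; }
static int fixed_gives(const char *exp) { char *r = run_scenario(1); int ok = r && strcmp(r, exp) == 0; free(r); return ok; }

int main(void) {
    char *b = run_scenario(0), *f = run_scenario(1);
    printf("buggy: %s\nfixed: %s\n", b ? b : "(stale op1 detected)", f);
    free(b); free(f);
    return 0;
}
```

The general lesson the commit applies: once a value's conversion can re-enter user code, every pointer taken from the operand slots before that call is suspect, so pin what you need (here a refcounted string) before calling out and work from the pinned handle afterwards.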