Closed
Description
The following code:
```php
<?php
$loaded = dl('dl_test.so');
var_dump(dl_test_test2("World!"));
```
Resulted in this output:
```
/home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_API.h:2316:11: runtime error: member access within null pointer of type 'zend_string' (aka 'struct _zend_string')
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_API.h:2316:11
```
To reproduce:
```
-d "extension_dir=/home/phpfuzz/WorkSpace/flowfusion/php-src/modules/" -d "zend_test.observer.enabled=1" -d "zend_test.observer.observe_functions=1"
```
PHP Version
nightly
Operating System
No response
Activity
cmb69 commented on Dec 18, 2024
This either has the same root cause as #16811 or #9196, I think.
arnaud-lb commented on Dec 19, 2024
What is happening is that after `ZEND_SEND_VAL_EX "World!"`, the arg is overridden here: php-src/Zend/zend_observer.c, line 270 in 4b1c3cf. `prev_observed_frame()` miscomputes the address of the frame because the function doesn't have a temporary to store the previous frame. Normally, we add the temporary in `zend_observer_post_startup()`, but this is not executed for dl'ed functions: php-src/Zend/zend_observer.c, lines 86 to 96 in 4b1c3cf.
Add observer temporary to dl'ed functions
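A simplified model of the frame-layout problem described in the comment above, added here as an illustration; it is not php-src code and does not reproduce the engine's real frame layout. In the model, a frame's slots hold the arguments followed by the function's temporaries, the observer stores the previous observed frame in the last temporary, and a function that skipped the post-startup step has no temporary, so that store lands on its last argument and the body reads a null pointer instead of "World!". The names `toy_func`, `toy_frame`, `post_startup()`, `dl_register()` and `call_observed()` are assumptions made for the model, not engine APIs.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Simplified model of the bug, not php-src code. A call frame is an array of
 * pointer-sized slots: slots [0, num_args) hold the arguments, slots
 * [num_args, num_args + T) hold temporaries. The observer keeps a pointer to
 * the previously observed frame in the function's last temporary, so the
 * engine must reserve one (T >= 1) for every observed function. */
#define MAX_SLOTS 4

typedef struct toy_func {
    const char *name;
    unsigned num_args;
    unsigned T;  /* temporaries reserved for this function (0 until post startup) */
} toy_func;

typedef struct toy_frame {
    const toy_func *func;
    void *slots[MAX_SLOTS];
} toy_frame;

static toy_frame *g_current_observed = NULL;

/* Where the observer stores the previous frame: the last temporary. If the
 * function was never given a temporary (T == 0), this is the address of the
 * last argument, and the write in observer_begin() overwrites that argument. */
static void **observer_slot(toy_frame *f) {
    return &f->slots[f->func->num_args + f->func->T - 1];
}

static void observer_begin(toy_frame *f) {
    *observer_slot(f) = g_current_observed;  /* analogue of prev_observed_frame() */
    g_current_observed = f;
}

static void observer_end(toy_frame *f) {
    g_current_observed = *observer_slot(f);
}

/* Startup path: every function registered so far gets its temporary. */
static void post_startup(toy_func *funcs, size_t n) {
    for (size_t i = 0; i < n; i++) {
        funcs[i].T = 1;
    }
}

/* Late registration path (what dl() does after post startup). The third
 * argument selects whether this path also reserves the temporary. */
static toy_func dl_register(const char *name, unsigned num_args, int reserve_observer_temp) {
    toy_func fn = { name, num_args, reserve_observer_temp ? 1u : 0u };
    return fn;
}

/* Call fn with one string argument under observation and return the argument
 * value the function body actually sees. */
static const char *call_observed(const toy_func *fn, const char *arg) {
    toy_frame f;
    f.func = fn;
    memset(f.slots, 0, sizeof f.slots);
    f.slots[0] = (void *)arg;                     /* ZEND_SEND_VAL_EX "World!" */
    observer_begin(&f);
    const char *seen = (const char *)f.slots[0];  /* body reads its argument */
    observer_end(&f);
    return seen;
}

/* Function present at startup: post_startup() reserved its temporary. */
static const char *run_startup_function(void) {
    toy_func funcs[1] = { { "startup_fn", 1, 0 } };
    post_startup(funcs, 1);
    return call_observed(&funcs[0], "World!");
}

/* Function loaded via dl() after startup; with_fix = 0 reproduces the
 * overwritten argument (NULL here, the null zend_string in the report). */
static const char *run_dl_function(int with_fix) {
    toy_func fn = dl_register("dl_test_test2", 1, with_fix);
    return call_observed(&fn, "World!");
}

int main(void) {
    printf("startup function sees: %s\n", run_startup_function());
    const char *broken = run_dl_function(0);
    printf("dl'ed function without fix sees: %s\n", broken ? broken : "(null)");
    printf("dl'ed function with fix sees: %s\n", run_dl_function(1));
    return 0;
}
```

The model only shows the aliasing: with T == 0 the observer's slot and the last argument are the same address, so whatever the observer stores there (the previous frame pointer, NULL at top level) is what the function body later dereferences. Reserving the temporary on the late registration path, as the linked PR does for dl'ed functions, is what makes the two addresses distinct.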
arnaud-lb commented on Dec 20, 2024
Thank you @YuanchengJiang!
Add observer temporary to dl'ed functions