History log of /PHP-8.4/Zend/tests/class_toString_concat_with_itself.phpt (Results 1 – 1 of 1)
Revision Date Author Comments
# 727e26f9 04-Dec-2022 Niels Dossche <7771979+nielsdos@users.noreply.github.com>

Fix #97836 and #81705: Segfault / type confusion in concat_function

The following sequence of actions was happening which caused a null
pointer dereference:
1. debug_backtrace() returns an array
2. The concatenation to $c will transform the array to a string via
`zval_get_string_func` for op2 and output a warning.
Note that zval op1 is of type string due to the first do-while
sequence.
3. The warning of an implicit "array to string conversion" triggers
the ob_start callback to run. This code transforms $c (==op1) to a long.
4. The code below the 2 do-while sequences assumes that both op1 and op2
are strings, but this is no longer the case. A dereference of the
string will therefore result in a null pointer dereference.

The solution used here is to work with the zend_string directly instead
of with the ops.

For the tests:
Co-authored-by: changochen1@gmail.com
Co-authored-by: cmbecker69@gmx.de
Co-authored-by: yukik@risec.co.jp

Closes GH-10049.
