
Fix GH-20042: SEGV in array.c when error handler clobbers IAP object #21461

Open
iliaal wants to merge 1 commit into php:master from iliaal:fix/gh-20042-iap-object-clobber

Conversation

@iliaal (Contributor) commented Mar 16, 2026

Summary

  • get_ht_for_iap() emits a deprecation for object IAP args, triggering the user error handler. If the handler clobbers the by-ref variable, the code reads a dead zval as an object pointer and segfaults.
  • After the deprecation, re-check that the zval is still IS_OBJECT. Return NULL if clobbered. All 6 callers (end/prev/next/reset/current/key) handle NULL gracefully.
  • Regression test covers all 6 functions.

Fixes #20042

get_ht_for_iap() emits a deprecation notice for object arguments,
which can trigger a user error handler that modifies the by-reference
variable. After the handler returns, the zval may no longer be an
object, causing a segfault when accessing it as one.

Re-check the zval type after emitting the deprecation and bail out
if it was clobbered.
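A minimal PHP script that exercises the failure mode the PR describes, for all six functions it names. This is an added example, not the PR's regression test and not php-src code; it assumes a PHP 8.1 or later build (where the IAP functions raise E_DEPRECATED for an object argument) and installs an error handler that reassigns the by-reference argument while that deprecation is being raised. The handler body, the `$victim` variable and the printed labels are this example's own choices.

```php
<?php
declare(strict_types=1);

// Constructed reproducer for the clobber pattern described in GH-20042.
// Added example, not the PR's own regression test. Assumes PHP >= 8.1,
// where end/prev/next/reset/current/key raise E_DEPRECATED for an object.

error_reporting(E_ALL);

// $victim is the variable handed to each IAP function by reference.
$victim = null;

// While get_ht_for_iap() is raising the deprecation, the engine has not yet
// dereferenced the object. The handler overwrites the variable the engine is
// about to read, so the zval it holds no longer contains an object.
set_error_handler(function (int $errno, string $errstr) use (&$victim): bool {
    if ($errno === E_DEPRECATED) {
        $victim = 'clobbered';   // a string now, not an object
    }
    return true;                 // suppress the default deprecation output
});

$results = [];
foreach (['end', 'prev', 'next', 'reset', 'current', 'key'] as $fn) {
    $victim = (object)['a' => 1, 'b' => 2];
    // A dynamic call honours the by-reference parameter (call_user_func() would not).
    $results[$fn] = $fn($victim);
    printf("%-8s returned %s; variable is now %s\n",
        $fn, var_export($results[$fn], true), get_debug_type($victim));
}

restore_error_handler();
echo "all six calls returned; no crash\n";
```

Run it with `php repro.php`, ideally against a debug or ASan build of the interpreter. On a build without the fix this is the sequence the PR says reads a dead zval as an object pointer; on a fixed build each call returns and the final line prints. The handler returns true so that nothing observed comes from PHP's default deprecation output, only from how the engine treats the clobbered argument.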

Development

Successfully merging this pull request may close these issues.

SEGV array.c
