Fix phpGH-13827: Null pointer access of type 'zval' in phpdbg_frame

nielsdos · nielsdos · commit d3f1f3ab4070 · 2024-03-29T17:54:23.000+01:00
We don't always have the line and filename in a backtrace frame, but phpdbg assumes we do. Closes phpGH-13831.
diff --git a/NEWS b/NEWS
@@ -10,6 +10,10 @@ PHP                                                                        NEWS
   . Fixed bug GH-10495 (feof on OpenSSL stream hangs indefinitely).
     (Jakub Zelenka)
 
+- PHPDBG:
+  . Fixed bug GH-13827 (Null pointer access of type 'zval' in phpdbg_frame).
+    (nielsdos)
+
 - Streams:
   . Fixed bug GH-13264 (Part 1 - Memory leak on stream filter failure).
     (Jakub Zelenka)
diff --git a/sapi/phpdbg/phpdbg_frame.c b/sapi/phpdbg/phpdbg_frame.c
@@ -274,7 +274,8 @@ void phpdbg_dump_backtrace(size_t num) /* {{{ */
 	Z_STR(startfile) = zend_string_init(startfilename, strlen(startfilename), 0);
 
 	zend_hash_internal_pointer_reset_ex(Z_ARRVAL(zbacktrace), &position);
-	tmp = zend_hash_get_current_data_ex(Z_ARRVAL(zbacktrace), &position);
+
+	zval *function_name = NULL;
 	while ((tmp = zend_hash_get_current_data_ex(Z_ARRVAL(zbacktrace), &position))) {
 		if (file) { /* userland */
 			phpdbg_out("frame #%d: ", i);
@@ -289,10 +290,18 @@ void phpdbg_dump_backtrace(size_t num) /* {{{ */
 
 		file = zend_hash_str_find(Z_ARRVAL_P(tmp), ZEND_STRL("file"));
 		line = zend_hash_str_find(Z_ARRVAL_P(tmp), ZEND_STRL("line"));
+		function_name = zend_hash_find(Z_ARRVAL_P(tmp), ZSTR_KNOWN(ZEND_STR_FUNCTION));
+
 		zend_hash_move_forward_ex(Z_ARRVAL(zbacktrace), &position);
 	}
 
-	phpdbg_writeln("frame #%d: {main} at %s:"ZEND_LONG_FMT, i, Z_STRVAL_P(file), Z_LVAL_P(line));
+	/* This is possible for fibers' start closure for example, which have a frame that doesn't contain the info
+	 * of which location stated the fiber if that stack frame is already torn down. same behaviour with debug_backtrace(). */
+	if (file == NULL) {
+		phpdbg_writeln(" => %s (internal function)", Z_STRVAL_P(function_name));
+	} else {
+		phpdbg_writeln("frame #%d: {main} at %s:"ZEND_LONG_FMT, i, Z_STRVAL_P(file), Z_LVAL_P(line));
+	}
 
 	zval_ptr_dtor_nogc(&zbacktrace);
 	zend_string_release(Z_STR(startfile));
diff --git a/sapi/phpdbg/tests/gh13827.phpt b/sapi/phpdbg/tests/gh13827.phpt
@@ -0,0 +1,30 @@
+--TEST--
+GH-13827 (Null pointer access of type 'zval' in phpdbg_frame)
+--FILE--
+<?php
+
+$fiber = new Fiber(function () {
+    $fiber = Fiber::getCurrent();
+
+    Fiber::suspend();
+});
+
+$fiber->start();
+
+$fiber = null;
+gc_collect_cycles();
+
+?>
+--PHPDBG--
+r
+t
+q
+--EXPECTF--
+[Successful compilation of %s]
+prompt> [Uncaught GracefulExit in  on line 0: ]
+>00006:     Fiber::suspend();
+ 00007: });
+ 00008: 
+prompt> frame #0: {closure}() at %s:6
+ => {closure} (internal function)
+prompt>
