Skip to content

Fix OOB iteration in PHP <8.1 backtrace HashTable loop#3933

Merged
bwoebi merged 2 commits into
masterfrom
codex/fix-out-of-bounds-read-in-appsec-backtrace
May 29, 2026
Merged

Fix OOB iteration in PHP <8.1 backtrace HashTable loop#3933
bwoebi merged 2 commits into
masterfrom
codex/fix-out-of-bounds-read-in-appsec-backtrace

Conversation

@bwoebi

@bwoebi bwoebi commented May 28, 2026

Copy link
Copy Markdown
Collaborator

Motivation

  • Fix an out-of-bounds read in the PHP < 8.1 compatibility macro ZEND_HASH_FOREACH_FROM which computed the loop end from the offset _p, causing iteration past the allocated Bucket array when _from is nonzero and risking PHP worker crashes via the AppSec backtrace truncation path.

Description

  • Replace Bucket *_end = _p + (_ht)->nNumUsed; with Bucket *_end = (_ht)->arData + (_ht)->nNumUsed; in appsec/src/extension/php_compat.h so the foreach end pointer is computed from the HashTable base and iteration stays within bounds.

Testing

  • Verified the source change and committed it using git diff, nl -ba appsec/src/extension/php_compat.h | sed -n '134,150p', and a commit operation, and all commands completed successfully.

Codex Task

@datadog-official

datadog-official Bot commented May 28, 2026

Copy link
Copy Markdown

Pipelines  Tests

Fix all issues with BitsAI

⚠️ Warnings

🚦 5 Pipeline jobs failed

DataDog/apm-reliability/dd-trace-php | pecl tests: [8.4]   View in Datadog   GitLab

🔧 Fix in code (Fix with Cursor). 1 failed test in debugger_span_probe_class.phpt: expected 'RECEIVED' but found 'INSTALLED'.

DataDog/apm-reliability/dd-trace-php | test_extension_ci: [8.4]   View in Datadog   GitLab

🔧 Fix in code (Fix with Cursor). 1 failed test. Assert that the default environment can be read from agent info in dd_trace_agent_env.phpt.

Profiling correctness | prof-correctness (8.0, nts)   View in Datadog   GitHub Actions

🔧 Fix in code (Fix with Cursor). 2 assertion failures in TestAnalyze: stack '<?php;main;a$' expected 33% but got 45%, stack '<?php;main;b$' expected 66% but got 54%.

View all 5 failed jobs.

ℹ️ Info

No other issues found (see more)

🧪 All tests passed
❄️ No new flaky tests detected

🎯 Code Coverage (details)
Patch Coverage: 100.00%
Overall Coverage: 60.70% (-0.05%)

Useful? React with 👍 / 👎

This comment will be updated automatically if new data arrives.
🔗 Commit SHA: 4b84cb8 | Docs | Datadog PR Page | Give us feedback!

@pr-commenter

pr-commenter Bot commented May 28, 2026

Copy link
Copy Markdown

Benchmarks [ appsec ]

Benchmark execution time: 2026-05-28 23:57:32

Comparing candidate commit 4b84cb8 in PR branch codex/fix-out-of-bounds-read-in-appsec-backtrace with baseline commit 6b5659e in branch master.

Found 0 performance improvements and 0 performance regressions! Performance is the same for 12 metrics, 0 unstable metrics.

@pr-commenter

pr-commenter Bot commented May 28, 2026

Copy link
Copy Markdown

Benchmarks [ tracer ]

Benchmark execution time: 2026-05-29 00:37:35

Comparing candidate commit 4b84cb8 in PR branch codex/fix-out-of-bounds-read-in-appsec-backtrace with baseline commit 6b5659e in branch master.

Found 2 performance improvements and 0 performance regressions! Performance is the same for 190 metrics, 2 unstable metrics.

scenario:ContextPropagationBench/benchInject64Bit-opcache

  • 🟩 execution_time [-736.726ns; -473.274ns] or [-4.176%; -2.683%]

scenario:MessagePackSerializationBench/benchMessagePackSerialization-opcache

  • 🟩 execution_time [-4.331µs; -2.709µs] or [-4.108%; -2.570%]

With 8 frames and depth=4, the bottom iterator starts at position=5.
The buggy _end = _p + nNumUsed overruns the hash table allocation
(nTableSize=8), producing spurious frames from OOB memory reads.
@bwoebi bwoebi merged commit 095538e into master May 29, 2026
2123 of 2129 checks passed
@bwoebi bwoebi deleted the codex/fix-out-of-bounds-read-in-appsec-backtrace branch May 29, 2026 11:47
@github-actions github-actions Bot added this to the 1.21.0 milestone May 29, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants