Fix OOB iteration in PHP <8.1 backtrace HashTable loop #3933
Benchmarks [ appsec ]: Benchmark execution time: 2026-05-28 23:57:32. Comparing candidate commit 4b84cb8 in PR branch. Found 0 performance improvements and 0 performance regressions! Performance is the same for 12 metrics, 0 unstable metrics.

Benchmarks [ tracer ]: Benchmark execution time: 2026-05-29 00:37:35. Comparing candidate commit 4b84cb8 in PR branch. Found 2 performance improvements and 0 performance regressions! Performance is the same for 190 metrics, 2 unstable metrics.
scenario: ContextPropagationBench/benchInject64Bit-opcache
scenario: MessagePackSerializationBench/benchMessagePackSerialization-opcache
With 8 frames and depth=4, the bottom iterator starts at position=5. The buggy `_end = _p + nNumUsed` overruns the hash table allocation (nTableSize=8), producing spurious frames from OOB memory reads.
Motivation

< 8.1 compatibility macro `ZEND_HASH_FOREACH_FROM`, which computed the loop end from the offset `_p`, causing iteration past the allocated `Bucket` array when `_from` is nonzero and risking PHP worker crashes via the AppSec backtrace truncation path.

Description

`Bucket *_end = _p + (_ht)->nNumUsed;` with `Bucket *_end = (_ht)->arData + (_ht)->nNumUsed;` in `appsec/src/extension/php_compat.h` so the foreach end pointer is computed from the HashTable base and iteration stays within bounds.

Testing

`git diff`, `nl -ba appsec/src/extension/php_compat.h | sed -n '134,150p'`, and a commit operation, and all commands completed successfully.
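The bounds problem described in this PR, modelled in C as an added example (this is not code from dd-trace-php or from the Zend headers). The `Bucket` and `HashTable` structs are cut-down stand-ins for the real Zend layout, and `COMPAT_HASH_FOREACH_FROM`, `buggy_end_index`, `buggy_overrun`, `collect_from` and `demo_table` are names constructed here. The table of 8 frames iterated from position 5 is the scenario from the comment above. The corrected macro derives `_end` from `arData`, so the loop visits only `[_from, nNumUsed)`; the buggy end is computed with integer arithmetic only, so no out-of-range pointer is ever formed, and the result shows by how many slots `_p + nNumUsed` would overshoot the allocation.

```c
#include <assert.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-ins for the Zend layout (not the real zend_types.h):
 * a HashTable owns nTableSize Bucket slots, of which nNumUsed are in use. */
typedef struct { long val; } Bucket;
typedef struct {
    Bucket  *arData;
    uint32_t nNumUsed;
    uint32_t nTableSize;
} HashTable;

/* Corrected compatibility macro, following the fix the PR describes: the end
 * pointer is derived from the table base, so the loop covers [_from, nNumUsed).
 * `<` instead of `!=` so a _from beyond nNumUsed yields zero iterations. */
#define COMPAT_HASH_FOREACH_FROM(_ht, _from, _p) \
    for (Bucket *_end = (_ht)->arData + (_ht)->nNumUsed, \
                *_p  = (_ht)->arData + (_from); \
         _p < _end; _p++)

/* Index the buggy expression `_p + nNumUsed` would reach, done on integers so
 * that no pointer past the allocation is ever created. */
static uint32_t buggy_end_index(const HashTable *ht, uint32_t from)
{
    return from + ht->nNumUsed;
}

/* Number of bucket slots the buggy end lies past the allocation (0 if in bounds). */
static uint32_t buggy_overrun(const HashTable *ht, uint32_t from)
{
    uint32_t end = buggy_end_index(ht, from);
    return end > ht->nTableSize ? end - ht->nTableSize : 0;
}

/* Iterate with the corrected macro from `from`, copying visited values into
 * `out` (capacity `cap`); returns the number of frames visited. */
static uint32_t collect_from(const HashTable *ht, uint32_t from, long *out, uint32_t cap)
{
    uint32_t n = 0;
    COMPAT_HASH_FOREACH_FROM(ht, from, p) {
        assert(p < ht->arData + ht->nTableSize); /* never leaves the allocation */
        if (n < cap) out[n] = p->val;
        n++;
    }
    return n;
}

/* Constructed scenario: 8 frames in a table of 8 slots, iterated from position 5. */
static HashTable *demo_table(void)
{
    static Bucket frames[8];
    static HashTable ht;
    for (long i = 0; i < 8; i++) frames[i].val = i;
    ht.arData = frames;
    ht.nNumUsed = 8;
    ht.nTableSize = 8;
    return &ht;
}

int main(void)
{
    HashTable *ht = demo_table();
    long seen[8];
    uint32_t n = collect_from(ht, 5, seen, 8);
    printf("fixed loop visited %u frames:", n);
    for (uint32_t i = 0; i < n; i++) printf(" %ld", seen[i]);
    printf("\nbuggy end index = %u (table size %u, overrun %u slots)\n",
           buggy_end_index(ht, 5), ht->nTableSize, buggy_overrun(ht, 5));
    return 0;
}
```

Running it shows the corrected loop visiting frames 5, 6 and 7, while the buggy end index lands at 13 for a table of 8 slots, five buckets past the allocation; an in-loop assertion like the one in `collect_from` is a cheap way to catch this class of pointer-arithmetic regression in a debug build.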