From d2c5b3b25b188f27175011186c88b1002df25ac4 Mon Sep 17 00:00:00 2001
From: David Carlier
Date: Sat, 15 Nov 2025 15:14:25 +0000
Subject: [PATCH 1/2] Fix GH-20483: ASAN stack overflow with small fiber.stack_size INI value.
close GH-20495
---
 NEWS | 4 ++++
 Zend/tests/fibers/gh20483.phpt | 16 ++++++++++++++++
 Zend/zend_fibers.c | 7 ++++++-
 3 files changed, 26 insertions(+), 1 deletion(-)
 create mode 100644 Zend/tests/fibers/gh20483.phpt
diff --git a/NEWS b/NEWS
index c9ff9ac461d4..5ddc2633d19c 100644
--- a/NEWS
+++ b/NEWS
@@ -14,6 +14,10 @@ PHP NEWS
 - DOM:
 . Fix missing NUL byte check on C14NFile(). (ndossche)
+- Fibers:
+ . Fixed bug GH-20483 (ASAN stack overflow with fiber.stack_size INI
+ small value). (David Carlier)
+
 - Opcache:
 . Fixed bug GH-20329 (opcache.file_cache broken with full interned string
 buffer). (Arnaud)
diff --git a/Zend/tests/fibers/gh20483.phpt b/Zend/tests/fibers/gh20483.phpt
new file mode 100644
index 000000000000..e06cf87258ea
--- /dev/null
+++ b/Zend/tests/fibers/gh20483.phpt
@@ -0,0 +1,16 @@
+--TEST--
+GH-20483 (ASAN stack overflow with small fiber.stack_size INI value)
+--INI--
+fiber.stack_size=1024
+--FILE--
+start();
+} catch (Exception $e) {
+ echo $e->getMessage() . "\n";
+}
+?>
+--EXPECTF--
+Fiber stack size is too small, it needs to be at least %d bytes
diff --git a/Zend/zend_fibers.c b/Zend/zend_fibers.c
index 6b6c1eaae1a9..96f6e99e714f 100644
--- a/Zend/zend_fibers.c
+++ b/Zend/zend_fibers.c
@@ -206,7 +206,12 @@ static zend_fiber_stack *zend_fiber_stack_allocate(size_t size)
 {
 void *pointer;
 const size_t page_size = zend_fiber_get_page_size();
- const size_t minimum_stack_size = page_size + ZEND_FIBER_GUARD_PAGES * page_size;
+ const size_t minimum_stack_size = page_size + ZEND_FIBER_GUARD_PAGES * page_size
+#ifdef __SANITIZE_ADDRESS__
+ // necessary correction due to ASAN redzones
+ * 6
+#endif
+ ;
 if (size < minimum_stack_size) {
 zend_throw_exception_ex(NULL, 0, "Fiber stack size is too small, it needs to be at least %zu bytes", minimum_stack_size);
From 94c256f9973e6d3af4ba2e0c9a82ee5e65b66e9d Mon Sep 17 00:00:00 2001
From: Niels Dossche <7771979+ndossche@users.noreply.github.com>
Date: Sat, 15 Nov 2025 18:53:05 +0100
Subject: [PATCH 2/2] Properly silence set-but-unused-var warning
---
 ext/mbstring/mbstring.c | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)
diff --git a/ext/mbstring/mbstring.c b/ext/mbstring/mbstring.c
index ceb182a0a258..7fda240b7051 100644
--- a/ext/mbstring/mbstring.c
+++ b/ext/mbstring/mbstring.c
@@ -5578,19 +5578,16 @@ static bool mb_check_str_encoding(zend_string *str, const mbfl_encoding *encodin
 static bool php_mb_check_encoding_recursive(HashTable *vars, const mbfl_encoding *encoding)
 {
- zend_long idx;
 zend_string *key;
 zval *entry;
 bool valid = true;
- (void)(idx); /* Suppress spurious compiler warning that `idx` is not used */
-
 if (GC_IS_RECURSIVE(vars)) {
 php_error_docref(NULL, E_WARNING, "Cannot not handle circular references");
 return false;
 }
 GC_TRY_PROTECT_RECURSION(vars);
- ZEND_HASH_FOREACH_KEY_VAL(vars, idx, key, entry) {
+ ZEND_HASH_FOREACH_STR_KEY_VAL(vars, key, entry) {
 ZVAL_DEREF(entry);
 if (key) {
 if (!mb_check_str_encoding(key, encoding)) {
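Review bot: In zend_fiber_stack_allocate() the conditional `* 6` follows `ZEND_FIBER_GUARD_PAGES * page_size`, so by precedence it scales only the guard-page term and leaves the leading `page_size` as it was; the factor would also have no effect in any build where ZEND_FIBER_GUARD_PAGES is 0, if such a configuration is supported. If the whole minimum is meant to grow under ASAN, parenthesize the sum first, `(page_size + ZEND_FIBER_GUARD_PAGES * page_size)`, and then apply the factor. The comment should say how 6 was chosen and whether it is a measured bound or a rule of thumb, because an instrumented frame larger than the estimate can still overrun a stack that passes this check. The added gh20483.phpt sets fiber.stack_size=1024, which the unchanged `size < minimum_stack_size` comparison would presumably already reject with the old minimum on any platform whose page size exceeds 1024 bytes, so the test does not seem to cover a size between the old and the new threshold. The function body continues past the end of the hunk.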