Fix GH-21023: CURLOPT_XFERINFOFUNCTION with invalid callback crash. by devnexen · Pull Request #21025 · php/php-src

devnexen · 2026-01-24T14:26:12Z

we check the FCC is properly initialised beforehand.

we check the FCC is properly initialised beforehand in its handler.

Girgias · 2026-01-24T17:44:53Z

+$ch = curl_init($url);
+curl_setopt($ch, CURLOPT_NOPROGRESS, 0);
+curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
+curl_setopt($ch, CURLOPT_XFERINFOFUNCTION, $callback);


It seems the CURLOPT_PROGRESSFUNCTION and CURLOPT_XFERINFOFUNCTION are aliases... should we deprecate one, or explicitly mark one constant as the alias of the other?

PROGRESS is the one to be deprecated, we should at some point before next major release IMHO

Can you add it to https://wiki.php.net/rfc/deprecations_php_8_6 ?

Girgias · 2026-01-24T17:48:34Z

+		return rval;
+	}


I don't really understand how this can happen. It shouldn't be possible for this state to arise as this condition should be caught by the HANDLE_CURL_OPTION_CALLABLE, no? Or am I missing something here?

no it is not, when I debugged php_curl_set_callable_handler earlier, the fcc was not initialised despite being succesful.

This ... is strange. Because this would imply all the other callable options suffer from the same problem. Or do they not?

and yes

<?php $ch = curl_init(); curl_setopt($ch, CURLOPT_WILDCARDMATCH, true); curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); curl_setopt($ch, CURLOPT_FNMATCH_FUNCTION, $callback); curl_setopt($ch, CURLOPT_URL, "ftp://ftp.gnu.org/gnu/README*"); $result = curl_exec($ch); var_dump($result); curl_close($ch);

sapi/cli/php c.php Warning: Undefined variable $callback in /home/dcarlier/php-src/c.php on line 11 /home/dcarlier/php-src/Zend/zend_API.h:847:6: runtime error: member access within null pointer of type 'zend_function' (aka 'union _zend_function') #0 0x5e79794f0d3e in zend_call_known_fcc /home/dcarlier/php-src/Zend/zend_API.h:847:6 #1 0x5e79794f6918 in curl_fnmatch /home/dcarlier/php-src/ext/curl/interface.c:630:2 #2 0x78a14153345d (/lib/x86_64-linux-gnu/libcurl.so.4+0x3c45d) (BuildId: 8b03052c795c3defd8539716e1150b035b0c1a0c) #3 0x78a14153437c (/lib/x86_64-linux-gnu/libcurl.so.4+0x3d37c) (BuildId: 8b03052c795c3defd8539716e1150b035b0c1a0c) #4 0x78a14152d1b1 (/lib/x86_64-linux-gnu/libcurl.so.4+0x361b1) (BuildId: 8b03052c795c3defd8539716e1150b035b0c1a0c) #5 0x78a14152d837 (/lib/x86_64-linux-gnu/libcurl.so.4+0x36837) (BuildId: 8b03052c795c3defd8539716e1150b035b0c1a0c) #6 0x78a14152d9c3 (/lib/x86_64-linux-gnu/libcurl.so.4+0x369c3) (BuildId: 8b03052c795c3defd8539716e1150b035b0c1a0c) #7 0x78a141531ce3 (/lib/x86_64-linux-gnu/libcurl.so.4+0x3ace3) (BuildId: 8b03052c795c3defd8539716e1150b035b0c1a0c) #8 0x78a14152de41 (/lib/x86_64-linux-gnu/libcurl.so.4+0x36e41) (BuildId: 8b03052c795c3defd8539716e1150b035b0c1a0c) #9 0x78a14157e1c8 (/lib/x86_64-linux-gnu/libcurl.so.4+0x871c8) (BuildId: 8b03052c795c3defd8539716e1150b035b0c1a0c) #10 0x78a141576e68 (/lib/x86_64-linux-gnu/libcurl.so.4+0x7fe68) (BuildId: 8b03052c795c3defd8539716e1150b035b0c1a0c) #11 0x78a14158b981 (/lib/x86_64-linux-gnu/libcurl.so.4+0x94981) (BuildId: 8b03052c795c3defd8539716e1150b035b0c1a0c) #12 0x78a14156f5d6 (/lib/x86_64-linux-gnu/libcurl.so.4+0x785d6) (BuildId: 8b03052c795c3defd8539716e1150b035b0c1a0c) #13 0x78a141570bab in curl_multi_perform (/lib/x86_64-linux-gnu/libcurl.so.4+0x79bab) (BuildId: 8b03052c795c3defd8539716e1150b035b0c1a0c) #14 0x78a14153171e (/lib/x86_64-linux-gnu/libcurl.so.4+0x3a71e) (BuildId: 8b03052c795c3defd8539716e1150b035b0c1a0c) #15 0x5e79794d89bc in zif_curl_exec /home/dcarlier/php-src/ext/curl/interface.c:2447:10 #16 0x5e797cbb6240 in ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER /home/dcarlier/php-src/Zend/zend_vm_execute.h:1351:2 #17 0x5e797c758296 in execute_ex /home/dcarlier/php-src/Zend/zend_vm_execute.h:58658:7 #18 0x5e797c75a04e in zend_execute /home/dcarlier/php-src/Zend/zend_vm_execute.h:64310:2 #19 0x5e797d31820f in zend_execute_script /home/dcarlier/php-src/Zend/zend.c:1934:3 #20 0x5e797be6a3c2 in php_execute_script_ex /home/dcarlier/php-src/main/main.c:2577:13 #21 0x5e797be6b2a8 in php_execute_script /home/dcarlier/php-src/main/main.c:2617:9 #22 0x5e797d32906b in do_cli /home/dcarlier/php-src/sapi/cli/php_cli.c:935:5 #23 0x5e797d325081 in main /home/dcarlier/php-src/sapi/cli/php_cli.c:1310:18 #24 0x78a140c2a574 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16 #25 0x78a140c2a627 in __libc_start_main csu/../csu/libc-start.c:360:3 #26 0x5e7978c07d04 in _start (/home/dcarlier/php-src/sapi/cli/php+0x2a07d04) (BuildId: 2a17fa1bdb34187d3865febd5e9d28c620d82802) SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /home/dcarlier/php-src/Zend/zend_API.h:847:6

gonna plug the rest of callables..

well that was easy, only fnmatch remained, debug however was already protected apparently.

Girgias · 2026-01-24T17:48:43Z

+$ch = curl_init($url);
+curl_setopt($ch, CURLOPT_NOPROGRESS, 0);
+curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
+curl_setopt($ch, CURLOPT_XFERINFOFUNCTION, $callback);


Suggested change

curl_setopt($ch, CURLOPT_XFERINFOFUNCTION, $callback);

curl_setopt($ch, CURLOPT_XFERINFOFUNCTION, null);

I am afraid it is not the same as here, it s an undefined var.

I don't understand how the behaviour can be differently depending on if it is undef or null? If it is then we have some bigger problems.

yes sure it s the same sorry I misread you.

Girgias · 2026-01-24T17:48:51Z

+curl_exec($ch);
+$ch = curl_init($url);
+curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
+curl_setopt($ch, CURLOPT_PROGRESSFUNCTION, $callback);


Suggested change

curl_setopt($ch, CURLOPT_PROGRESSFUNCTION, $callback);

curl_setopt($ch, CURLOPT_PROGRESSFUNCTION, null);

github-actions Bot added the Extension: curl label Jan 24, 2026

devnexen force-pushed the gh21023 branch from e54136a to 8c9805c Compare January 24, 2026 14:49

devnexen linked an issue Jan 24, 2026 that may be closed by this pull request

SEGV at zend_call_known_fcc Zend/zend_API.h #21023

Closed

Fix phpGH-21023: CURLOPT_XFERINFOFUNCTION with invalid callback crash.

e649047

we check the FCC is properly initialised beforehand in its handler.

devnexen force-pushed the gh21023 branch from 32c0a77 to e649047 Compare January 24, 2026 15:46

devnexen marked this pull request as ready for review January 24, 2026 15:46

devnexen requested a review from adoy as a code owner January 24, 2026 15:46

devnexen requested a review from Girgias January 24, 2026 17:38

Girgias reviewed Jan 24, 2026

View reviewed changes

review + fixing FNMATCH case as well.

0812a00

Girgias approved these changes Jan 30, 2026

View reviewed changes

devnexen closed this in b156471 Jan 30, 2026

	curl_setopt($ch, CURLOPT_XFERINFOFUNCTION, $callback);
	curl_setopt($ch, CURLOPT_XFERINFOFUNCTION, null);

	curl_setopt($ch, CURLOPT_PROGRESSFUNCTION, $callback);
	curl_setopt($ch, CURLOPT_PROGRESSFUNCTION, null);

Conversation

devnexen commented Jan 24, 2026

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants