unreachable program point in zend_hash

[chongwick]

Description

The following code:

<?php
class ImmutableParser {
    private $parser;
    private $immutableData;

    public function __construct() {
        $this->parser = xml_parser_create();
        xml_set_element_handler($this->parser, function ($parser, $name, $attrs) {
            echo "open\n";
            var_dump($name, $attrs);
            $this->immutableData = array();
        }, function ($parser, $name) {
            echo "close\n";
            var_dump($name);
        });
    }

    public function parseXml($xml) {
        $this->immutableData = array();
        xml_parse_into_struct($this->parser, $xml, $this->immutableData, $this->immutableData);
        return $this->immutableData;
    }
}
$immutableParser = new ImmutableParser();
$xml = "<container><child/></container>";
$immutableData = $immutableParser->parseXml($xml);
?>

Resulted in this output:

/home/dan/php-src/Zend/zend_hash.c:807:3: runtime error: execution reached an unreachable program point

ZEND_ASSERT(idx < HT_IDX_TO_HASH(ht->nTableSize));

PHP Version

8.4.1

Operating System

Ubuntu 22.04

[devnexen]

I hit this condition instead

/home/dcarlier/Contribs/php-src/Zend/zend_hash.c(1090) : ht=0x7ff72424b6c0 is already destroyed
php: /home/dcarlier/Contribs/php-src/Zend/zend_hash.c:74: void _zend_is_inconsistent(const HashTable *, const char *, int): Assertion `0' failed.
Aborted

[chongwick]

@nielsdos would this be a type of bug that could be assigned a CVE or no?

[nielsdos]

I don't think so.
The bug is triggered because the element handler destroys the input array on callback. The attack model we use is that of a remote attacker in a webserver context, so there is no way for them to pull this off (i.e. the code has to be written in a malicious way).

[chongwick]

Understood. I do appreciate all of your feedback.