From dcdcad3ab1f83563dc2775282d73e3bc8afde828 Mon Sep 17 00:00:00 2001 From: David Carlier Date: Mon, 5 Jan 2026 19:04:42 +0000 Subject: [PATCH] Fix GH-20840: crash on nested object with var_dump(). mitigate it with stack check limit. close GH-20843 --- .../tests/general_functions/gh20840.phpt | 38 +++++++++++++++++++ ext/standard/var.c | 6 +++ 2 files changed, 44 insertions(+) create mode 100644 ext/standard/tests/general_functions/gh20840.phpt diff --git a/ext/standard/tests/general_functions/gh20840.phpt b/ext/standard/tests/general_functions/gh20840.phpt new file mode 100644 index 0000000000000..839b4728be189 --- /dev/null +++ b/ext/standard/tests/general_functions/gh20840.phpt @@ -0,0 +1,38 @@ +--TEST-- +GH-20840 (var_dump() crash with nested objects) +--CREDITS-- +bendrissou +--SKIPIF-- + +--INI-- +zend.max_allowed_stack_size=512K +--FILE-- +next = $newNode; + $node = $newNode; +} + +var_dump($firstNode); + +while ($next = $firstNode->next) { + $firstNode->next = $next->next; +} +?> +--EXPECTREGEX-- +^object\(Node\)#\d+ \(\d+\).*(nesting level too deep|["\s}]*)$ diff --git a/ext/standard/var.c b/ext/standard/var.c index df262eb520c60..acb605d2eabe6 100644 --- a/ext/standard/var.c +++ b/ext/standard/var.c @@ -56,6 +56,12 @@ static void php_object_property_dump(zend_property_info *prop_info, zval *zv, ze { const char *prop_name, *class_name; +#ifdef ZEND_CHECK_STACK_LIMIT + if (UNEXPECTED(zend_call_stack_overflowed(EG(stack_limit)))) { + php_printf("%*cnesting level too deep", level + 1, ' '); + return; + } +#endif if (key == NULL) { /* numeric key */ php_printf("%*c[" ZEND_LONG_FMT "]=>\n", level + 1, ' ', index); } else { /* string key */