Stack overflow in mbstring variable conversion with recursive array references #20836
Description
Description
The following code:
<?php
$a[] = $b[] = &$a;
var_dump(mb_convert_variables('utf-8', 'utf-8', $a), $a);Resulted in this output:
AddressSanitizer:DEADLYSIGNAL
=================================================================
==2593609==ERROR: AddressSanitizer: stack-overflow on address 0x7ffdba5e0ff8 (pc 0x5643a833ccc2 bp 0x7ffdba5e1010 sp 0x7ffdba5e0fe0 T0)
#0 0x5643a833ccc2 in zend_mm_get_next_free_slot /path/to/php-src/Zend/zend_alloc.c:1320
#1 0x5643a833d5f9 in zend_mm_alloc_small /path/to/php-src/Zend/zend_alloc.c:1409
#2 0x5643a833db62 in zend_mm_alloc_heap /path/to/php-src/Zend/zend_alloc.c:1487
#3 0x5643a8344adf in _emalloc /path/to/php-src/Zend/zend_alloc.c:2783
#4 0x5643a86431bd in zend_array_dup /path/to/php-src/Zend/zend_hash.c:2458
#5 0x5643a77b94a2 in mb_recursive_convert_variable /path/to/php-src/ext/mbstring/mbstring.c:3787
#6 0x5643a77b99fe in mb_recursive_convert_variable /path/to/php-src/ext/mbstring/mbstring.c:3814
#7 0x5643a77b99fe in mb_recursive_convert_variable /path/to/php-src/ext/mbstring/mbstring.c:3814
... (hundreds of recursive calls)
#248 0x5643a77b99fe in mb_recursive_convert_variable /path/to/php-src/ext/mbstring/mbstring.c:3814
SUMMARY: AddressSanitizer: stack-overflow /path/to/php-src/Zend/zend_alloc.c:1320 in zend_mm_get_next_free_slot
==2593609==ABORTING
Commit
cb63e4f998b
Configurations
CC="clang" CXX="clang++" CFLAGS="-fsanitize=address -g -O0" CXXFLAGS="-fsanitize=address -g -O0" ./configure --enable-debug --enable-address-sanitizer --disable-shared --with-picPHP Version
PHP 8.6.0-dev (cli) (built: Jan 5 2026 10:22:05) (NTS DEBUG)
Copyright (c) The PHP Group
Zend Engine v4.6.0-dev, Copyright (c) Zend Technologies
with Zend OPcache v8.6.0-dev, Copyright (c), by Zend Technologies
Operating System
Ubuntu 22.04