From ee0daa59dbae069307a8121ff55bb3a9da7a0bf5 Mon Sep 17 00:00:00 2001
From: Niels Dossche <7771979+nielsdos@users.noreply.github.com>
Date: Sun, 15 Dec 2024 16:18:43 +0100
Subject: [PATCH] Fix GH-17162: zend_array_try_init() with dtor can cause engine UAF

Closes GH-17167.
---
 NEWS | 2 ++
 Zend/tests/gh17162.phpt | 21 +++++++++++++++++++++
 Zend/zend_API.h | 5 ++++-
 3 files changed, 27 insertions(+), 1 deletion(-)
 create mode 100644 Zend/tests/gh17162.phpt

diff --git a/NEWS b/NEWS
index 29a3290378d..8caf8cc4573 100644
--- a/NEWS
+++ b/NEWS
@@ -4,6 +4,8 @@ PHP NEWS
 - Core:
 . Fixed bug GH-17106 (ZEND_MATCH_ERROR misoptimization). (ilutov)
+ . Fixed bug GH-17162 (zend_array_try_init() with dtor can cause engine UAF).
+ (nielsdos)
 - DBA:
 . Skip test if inifile is disabled. (orlitzky)
diff --git a/Zend/tests/gh17162.phpt b/Zend/tests/gh17162.phpt
new file mode 100644
index 00000000000..bdf6ddbb36b
--- /dev/null
+++ b/Zend/tests/gh17162.phpt
@@ -0,0 +1,21 @@
+--TEST--
+GH-17162 (zend_array_try_init() with dtor can cause engine UAF)
+--FILE--
+value = null;
+ }
+}
+$box = [new Test];
+// Using getimagesize() for the test because it's always available,
+// but any function that uses zend_try_array_init() would work.
+try {
+ getimagesize("dummy", $box);
+} catch (Error $e) {
+ echo $e->getMessage(), "\n";
+}
+?>
+--EXPECT--
+Attempt to assign property "value" on null
diff --git a/Zend/zend_API.h b/Zend/zend_API.h
index 1114eeeec14..59d489f7aee 100644
--- a/Zend/zend_API.h
+++ b/Zend/zend_API.h
@@ -1478,7 +1478,10 @@ static zend_always_inline zval *zend_try_array_init_size(zval *zv, uint32_t size
 }
 zv = &ref->val;
 }
- zval_ptr_dtor(zv);
+ zval garbage;
+ ZVAL_COPY_VALUE(&garbage, zv);
+ ZVAL_NULL(zv);
+ zval_ptr_dtor(&garbage);
 ZVAL_ARR(zv, arr);
 return zv;
 }
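Review bot: Whatever a destructor stores into `*zv` while `zval_ptr_dtor(&garbage)` runs is silently dropped by the following `ZVAL_ARR(zv, arr)`: the slot is nulled first, the destructor executes with the variable still reachable (the test's expected `Attempt to assign property "value" on null` shows it observing the nulled variable), and any value it assigns there is overwritten without a release, so a `__destruct` doing `$box = new Foo` would leak rather than crash. That is a reasonable trade against the old use-after-free, but the ordering is subtle enough to deserve a comment above `zval garbage;`, e.g. `/* Detach the old value before destroying it: a destructor that touches this variable must see NULL, not the freed value (GH-17162). Anything it stores here is overwritten below. */`. If the leak is not acceptable, a second `zval_ptr_dtor(zv);` immediately before `ZVAL_ARR(zv, arr);` would release the destructor's value explicitly; if it is, a `ZEND_ASSERT`-free comment is enough. The body of zend_try_array_init_size begins before this hunk, where `arr` is presumably allocated, so the early-return paths above are not visible here.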