archive/php-src
1
0
Fork 0
mirror of https://github.com/php/php-src.git synced 2025-08-15 21:48:51 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

Merge branch 'PHP-8.3' into PHP-8.4

Browse source 
* PHP-8.3:
  Fix GH-17162: zend_array_try_init() with dtor can cause engine UAF
This commit is contained in:
Niels Dossche 2024-12-15 20:12:12 +01:00
commit 08b14a57b8
No known key found for this signature in database
GPG key ID: B8A8AD166DF0E2E5
3 changed files with 27 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

2
NEWS
View file

@ -13,6 +13,8 @@ PHP NEWS
. Fixed unstable get_iterator pointer for hooked classes in shm on Windows. . Fixed unstable get_iterator pointer for hooked classes in shm on Windows.
(ilutov) (ilutov)
. Fixed bug GH-17106 (ZEND_MATCH_ERROR misoptimization). (ilutov) . Fixed bug GH-17106 (ZEND_MATCH_ERROR misoptimization). (ilutov)
. Fixed bug GH-17162 (zend_array_try_init() with dtor can cause engine UAF).
(nielsdos)
- DBA: - DBA:
. Skip test if inifile is disabled. (orlitzky) . Skip test if inifile is disabled. (orlitzky)

21
Zend/tests/gh17162.phpt Normal file
View file

@ -0,0 +1,21 @@
--TEST--
GH-17162 (zend_array_try_init() with dtor can cause engine UAF)
--FILE--
<?php
class Test {
function __destruct() {
global $box;
$box->value = null;
}
}
$box = [new Test];
// Using getimagesize() for the test because it's always available,
// but any function that uses zend_try_array_init() would work.
try {
getimagesize("dummy", $box);
} catch (Error $e) {
echo $e->getMessage(), "\n";
}
?>
--EXPECT--
Attempt to assign property "value" on null

5
Zend/zend_API.h
View file

@ -1485,7 +1485,10 @@ static zend_always_inline zval *zend_try_array_init_size(zval *zv, uint32_t size
} }
zv = &ref->val; zv = &ref->val;
} }
zval_ptr_dtor(zv); zval garbage;
ZVAL_COPY_VALUE(&garbage, zv);
ZVAL_NULL(zv);
zval_ptr_dtor(&garbage);
ZVAL_ARR(zv, arr); ZVAL_ARR(zv, arr);
return zv; return zv;
} }