Fix #79919: Stack use-after-scope in define()

Instead of the temporary `rv`, we use the `val_free` which is there for
this purpose.
Christoph M. Becker 2020-07-31 09:12:22 +02:00
parent d95c53834c
commit 1e0bc6e30f
3 changed files with 16 additions and 3 deletions

1
NEWS

@ -8,6 +8,7 @@ PHP NEWS
. Fixed bug #79806 (realpath() erroneously resolves link to link). (cmb) . Fixed bug #79806 (realpath() erroneously resolves link to link). (cmb)
. Fixed bug #79895 (PHP_CHECK_GCC_ARG does not allow flags with equal sign). . Fixed bug #79895 (PHP_CHECK_GCC_ARG does not allow flags with equal sign).
(Santiago M. Mola) (Santiago M. Mola)
. Fixed bug #79919 (Stack use-after-scope in define()). (cmb)
- LDAP: - LDAP:
. Fixed memory leaks. (ptomulik) . Fixed memory leaks. (ptomulik)

14
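--- a/Zend/tests/bug79919.phpt
+++ b/Zend/tests/bug79919.phpt
@@ -0,0 +1,14 @@
+--TEST--
+Bug #79919 (Stack use-after-scope in define())
+--SKIPIF--
+<?php
+if (!extension_loaded('simplexml')) die('skip simplexml extension not available');
+?>
+--FILE--
+<?php
+$b = error_log(0);
+$b = simplexml_load_string('<xml/>', null, $b);
+define(0, $b);
+?>
+--EXPECT--
+0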
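Review bot: Nothing in the expected output depends on the fix. The single `0` in EXPECT appears to come from `error_log(0)` in the FILE section, and the result of `define(0, $b)` is never printed, so an unfixed build would presumably still pass unless the suite runs under ASan or valgrind. A comment in the FILE section would make that dependency explicit, e.g. `// Only detectable with ASan/valgrind: define() used to read a zval that had gone out of scope.` It would also help to note why `error_log(0)` supplies the third argument of `simplexml_load_string()`, since EXPECT then depends on where the test environment sends error_log output.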


@ -882,9 +882,7 @@ repeat:
case IS_OBJECT: case IS_OBJECT:
if (Z_TYPE(val_free) == IS_UNDEF) { if (Z_TYPE(val_free) == IS_UNDEF) {
if (Z_OBJ_HT_P(val)->get) { if (Z_OBJ_HT_P(val)->get) {
zval rv; val = Z_OBJ_HT_P(val)->get(val, &val_free);
val = Z_OBJ_HT_P(val)->get(val, &rv);
ZVAL_COPY_VALUE(&val_free, val);
goto repeat; goto repeat;
} else if (Z_OBJ_HT_P(val)->cast_object) { } else if (Z_OBJ_HT_P(val)->cast_object) {
if (Z_OBJ_HT_P(val)->cast_object(val, &val_free, IS_STRING) == SUCCESS) { if (Z_OBJ_HT_P(val)->cast_object(val, &val_free, IS_STRING) == SUCCESS) {
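Review bot: With the new call `val = Z_OBJ_HT_P(val)->get(val, &val_free);`, `val_free` is only filled if the handler actually writes its result into the `rv` argument. The removed `ZVAL_COPY_VALUE(&val_free, val)` set it unconditionally from whatever pointer came back. If a `get` handler can return a pointer to storage other than `rv` (not visible from this hunk), `val_free` stays `IS_UNDEF` and the `Z_TYPE(val_free) == IS_UNDEF` guard no longer limits the `goto repeat` path to a single pass. I would record the assumption next to the call, e.g. `/* get() is expected to return its result in rv (&val_free); val_free also serves as the one-shot guard for repeat */`. The enclosing function and the cleanup of `val_free` lie outside this hunk.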