Merge branch 'PHP-8.2' into PHP-8.3

* PHP-8.2:
  Fix use-after-free of name in var-var with malicious error handler
Ilija Tovilo 2023-11-20 14:06:25 +01:00
commit 88d012f360
No known key found for this signature in database
GPG key ID: A4F5D403F118200A
4 changed files with 51 additions and 0 deletions

21
Zend/zend_vm_execute.h generated

@ -10087,6 +10087,10 @@ fetch_this:
} else if (type == BP_VAR_IS || type == BP_VAR_UNSET) {
retval = &EG(uninitialized_zval);
} else {
if (IS_CONST == IS_CV) {
/* Keep name alive in case an error handler tries to free it. */
zend_string_addref(name);
}
zend_error(E_WARNING, "Undefined %svariable $%s",
(opline->extended_value & ZEND_FETCH_GLOBAL ? "global " : ""), ZSTR_VAL(name));
if (type == BP_VAR_RW && !EG(exception)) {
@ -10094,6 +10098,9 @@ fetch_this:
} else {
retval = &EG(uninitialized_zval);
}
if (IS_CONST == IS_CV) {
zend_string_release(name);
}
}
/* GLOBAL or $$name variable may be an INDIRECT pointer to CV */
} else if (Z_TYPE_P(retval) == IS_INDIRECT) {
@ -17924,6 +17931,10 @@ fetch_this:
} else if (type == BP_VAR_IS || type == BP_VAR_UNSET) {
retval = &EG(uninitialized_zval);
} else {
if ((IS_TMP_VAR|IS_VAR) == IS_CV) {
/* Keep name alive in case an error handler tries to free it. */
zend_string_addref(name);
}
zend_error(E_WARNING, "Undefined %svariable $%s",
(opline->extended_value & ZEND_FETCH_GLOBAL ? "global " : ""), ZSTR_VAL(name));
if (type == BP_VAR_RW && !EG(exception)) {
@ -17931,6 +17942,9 @@ fetch_this:
} else {
retval = &EG(uninitialized_zval);
}
if ((IS_TMP_VAR|IS_VAR) == IS_CV) {
zend_string_release(name);
}
}
/* GLOBAL or $$name variable may be an INDIRECT pointer to CV */
} else if (Z_TYPE_P(retval) == IS_INDIRECT) {
@ -48303,6 +48317,10 @@ fetch_this:
} else if (type == BP_VAR_IS || type == BP_VAR_UNSET) {
retval = &EG(uninitialized_zval);
} else {
if (IS_CV == IS_CV) {
/* Keep name alive in case an error handler tries to free it. */
zend_string_addref(name);
}
zend_error(E_WARNING, "Undefined %svariable $%s",
(opline->extended_value & ZEND_FETCH_GLOBAL ? "global " : ""), ZSTR_VAL(name));
if (type == BP_VAR_RW && !EG(exception)) {
@ -48310,6 +48328,9 @@ fetch_this:
} else {
retval = &EG(uninitialized_zval);
}
if (IS_CV == IS_CV) {
zend_string_release(name);
}
}
/* GLOBAL or $$name variable may be an INDIRECT pointer to CV */
} else if (Z_TYPE_P(retval) == IS_INDIRECT) {