Merge branch 'PHP-8.2'

* PHP-8.2:
  Fix GH-10709: UAF in recursive AST evaluation
Ilija Tovilo 2023-03-06 15:03:19 +01:00
commit 9944f58d3f
No known key found for this signature in database
GPG key ID: A4F5D403F118200A
6 changed files with 109 additions and 1 deletions


@ -698,7 +698,19 @@ ZEND_API zend_result ZEND_FASTCALL zval_update_constant_with_ctx(zval *p, zend_c
zval tmp;
bool short_circuited;
if (UNEXPECTED(zend_ast_evaluate_ex(&tmp, ast, scope, &short_circuited, ctx) != SUCCESS)) {
// Increase the refcount during zend_ast_evaluate to avoid releasing the ast too early
// on nested calls to zval_update_constant_ex which can happen when retriggering ast
// evaluation during autoloading.
zend_ast_ref *ast_ref = Z_AST_P(p);
bool ast_is_refcounted = !(GC_FLAGS(ast_ref) & GC_IMMUTABLE);
if (ast_is_refcounted) {
GC_ADDREF(ast_ref);
}
zend_result result = zend_ast_evaluate_ex(&tmp, ast, scope, &short_circuited, ctx) != SUCCESS;
if (ast_is_refcounted && !GC_DELREF(ast_ref)) {
rc_dtor_func((zend_refcounted *)ast_ref);
}
if (UNEXPECTED(result != SUCCESS)) {
return FAILURE;
}
zval_ptr_dtor_nogc(p);
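Review bot: On the new `zend_result result = zend_ast_evaluate_ex(...) != SUCCESS;` line, `result` receives the outcome of the `!= SUCCESS` comparison (0 or 1) rather than the function's status, and it is then compared with `SUCCESS` a second time in the `if (UNEXPECTED(result != SUCCESS))` check. The failure path is still taken only because a true comparison is non-zero and `SUCCESS` is presumably 0, so the variable never actually holds `FAILURE`; this looks like a leftover from the removed single-line check. Drop the trailing comparison: `zend_result result = zend_ast_evaluate_ex(&tmp, ast, scope, &short_circuited, ctx);`. The ADDREF/DELREF pairing around the call otherwise looks right, since the extra reference is dropped before the early `return FAILURE`, so neither path leaks it. The body of zval_update_constant_with_ctx begins and ends outside this hunk.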