archive/php-src
1
0
Fork 0
mirror of https://github.com/php/php-src.git synced 2025-08-16 05:58:45 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

Merge branch 'PHP-8.2'

Browse source 
* PHP-8.2:
  Fix GH-10709: UAF in recursive AST evaluation
This commit is contained in:
Ilija Tovilo 2023-03-06 15:03:19 +01:00
commit 9944f58d3f
No known key found for this signature in database
GPG key ID: A4F5D403F118200A
6 changed files with 109 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

21
Zend/tests/gh10709.phpt Normal file
View file

@ -0,0 +1,21 @@
--TEST--
GH-10709: Recursive class constant evaluation
--FILE--
<?php
class B { const C = A::C . "B"; }
spl_autoload_register(function ($class) {
class A { const C = "A"; }
var_dump(B::C);
});
try {
new B();
} catch (Error $e) {
echo $e->getMessage(), "\n";
}
?>
--EXPECT--
string(2) "AB"

30
Zend/tests/gh10709_2.phpt Normal file
View file

@ -0,0 +1,30 @@
--TEST--
GH-10709: Recursive class constant evaluation
--FILE--
<?php
class B {
public $prop = A::C;
}
spl_autoload_register(function ($class) {
class A { const C = "A"; }
var_dump(new B());
});
try {
var_dump(new B());
} catch (Error $e) {
echo $e->getMessage(), "\n";
}
?>
--EXPECT--
object(B)#2 (1) {
["prop"]=>
string(1) "A"
}
object(B)#2 (1) {
["prop"]=>
string(1) "A"
}

43
Zend/tests/gh10709_3.phpt Normal file
View file

@ -0,0 +1,43 @@
--TEST--
GH-10709: Recursive class constant evaluation with outer call failing
--FILE--
<?php
class S {
public function __toString() {
static $i = 0;
$i++;
if ($i === 1) {
return 'S';
} else {
throw new \Exception('Thrown from S');
}
}
}
const S = new S();
class B {
public $prop = A::C . S;
}
spl_autoload_register(function ($class) {
class A { const C = "A"; }
var_dump(new B());
});
var_dump(new B());
?>
--EXPECTF--
object(B)#3 (1) {
["prop"]=>
string(2) "AS"
}
Fatal error: Uncaught Exception: Thrown from S in %s:%d
Stack trace:
#0 %s(%d): [constant expression]()
#1 %s(%d): S->__toString()
#2 {main}
thrown in %s on line %d

14
Zend/zend_execute_API.c
View file

@ -698,7 +698,19 @@ ZEND_API zend_result ZEND_FASTCALL zval_update_constant_with_ctx(zval *p, zend_c
zval tmp; zval tmp;
bool short_circuited; bool short_circuited;
if (UNEXPECTED(zend_ast_evaluate_ex(&tmp, ast, scope, &short_circuited, ctx) != SUCCESS)) { // Increase the refcount during zend_ast_evaluate to avoid releasing the ast too early
// on nested calls to zval_update_constant_ex which can happen when retriggering ast
// evaluation during autoloading.
zend_ast_ref *ast_ref = Z_AST_P(p);
bool ast_is_refcounted = !(GC_FLAGS(ast_ref) & GC_IMMUTABLE);
if (ast_is_refcounted) {
GC_ADDREF(ast_ref);
}
zend_result result = zend_ast_evaluate_ex(&tmp, ast, scope, &short_circuited, ctx) != SUCCESS;
if (ast_is_refcounted && !GC_DELREF(ast_ref)) {
rc_dtor_func((zend_refcounted *)ast_ref);
}
if (UNEXPECTED(result != SUCCESS)) {
return FAILURE; return FAILURE;
} }
zval_ptr_dtor_nogc(p); zval_ptr_dtor_nogc(p);

1
ext/opcache/zend_persist.c
View file

@ -261,6 +261,7 @@ static void zend_persist_zval(zval *z)
zend_persist_ast(GC_AST(old_ref)); zend_persist_ast(GC_AST(old_ref));
Z_TYPE_FLAGS_P(z) = 0; Z_TYPE_FLAGS_P(z) = 0;
GC_SET_REFCOUNT(Z_COUNTED_P(z), 1); GC_SET_REFCOUNT(Z_COUNTED_P(z), 1);
GC_ADD_FLAGS(Z_COUNTED_P(z), GC_IMMUTABLE);
efree(old_ref); efree(old_ref);
} }
break; break;

1
run-tests.php
View file

@ -675,6 +675,7 @@ function main(): void
if (!$phpdbg) { if (!$phpdbg) {
$phpdbg = get_binary($php, 'phpdbg', 'sapi/phpdbg/phpdbg'); $phpdbg = get_binary($php, 'phpdbg', 'sapi/phpdbg/phpdbg');
} }
$phpdbg = null;
putenv("TEST_PHP_EXECUTABLE=$php"); putenv("TEST_PHP_EXECUTABLE=$php");
$environment['TEST_PHP_EXECUTABLE'] = $php; $environment['TEST_PHP_EXECUTABLE'] = $php;