From 5cf3c2663ba53049fc6326c0b401542429992215 Mon Sep 17 00:00:00 2001
From: Daniil Gentili
Date: Wed, 11 Jun 2025 13:22:02 +0200
Subject: [PATCH] Fix use after free during shutdown destruction
Closes GH-18834.
---
 NEWS | 3 +++
 Zend/tests/gh18833.phpt | 24 ++++++++++++++++++++++++
 Zend/zend_objects_API.c | 4 +++-
 3 files changed, 30 insertions(+), 1 deletion(-)
 create mode 100644 Zend/tests/gh18833.phpt
diff --git a/NEWS b/NEWS
index c2911839785..af154569e28 100644
--- a/NEWS
+++ b/NEWS
@@ -2,6 +2,9 @@ PHP NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 ?? ??? ????, PHP 8.3.24
+- Core:
+ . Fixed bug GH-18833 (Use after free with weakmaps dependent on destruction
+ order). (Daniil Gentili)
 03 Jul 2025, PHP 8.3.23
diff --git a/Zend/tests/gh18833.phpt b/Zend/tests/gh18833.phpt
new file mode 100644
index 00000000000..d00f860ee43
--- /dev/null
+++ b/Zend/tests/gh18833.phpt
@@ -0,0 +1,24 @@
+--TEST--
+GH-18833 (Use after free with weakmaps dependent on destruction order)
+--FILE--
+current();
+
+echo "ok\n";
+?>
+--EXPECT--
+ok
diff --git a/Zend/zend_objects_API.c b/Zend/zend_objects_API.c
index 80f5b747db7..ec4c88d6aa5 100644
--- a/Zend/zend_objects_API.c
+++ b/Zend/zend_objects_API.c
@@ -104,7 +104,9 @@ ZEND_API void ZEND_FASTCALL zend_objects_store_free_object_storage(zend_objects_
 if (IS_OBJ_VALID(obj)) {
 if (!(OBJ_FLAGS(obj) & IS_OBJ_FREE_CALLED)) {
 GC_ADD_FLAGS(obj, IS_OBJ_FREE_CALLED);
- if (obj->handlers->free_obj != zend_object_std_dtor) {
+ if (obj->handlers->free_obj != zend_object_std_dtor
+ || (OBJ_FLAGS(obj) & IS_OBJ_WEAKLY_REFERENCED)
+ ) {
 GC_ADDREF(obj);
 obj->handlers->free_obj(obj);
 }
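Review bot: The new `IS_OBJ_WEAKLY_REFERENCED` clause in the `free_obj` condition of the Zend/zend_objects_API.c hunk carries no comment, although it is the entire fix for a use-after-free and reads like a redundant special case next to the `zend_object_std_dtor` shortcut. I would put a comment directly above the `if`, e.g. `/* Weakly referenced objects must still go through free_obj so that weak references and WeakMap entries pointing at them are cleared before the remaining objects are destroyed (GH-18833). */`, so that a later simplification of this loop does not reintroduce the bug. The mechanism stated in that comment is inferred from the commit title and the NEWS entry, not from lines visible here, so the wording should be confirmed against the standard destructor. The enclosing function starts and ends outside the hunk; if it contains other loops that skip `free_obj` for the standard destructor, they are worth checking for the same ordering problem.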