archive/php-src
1
0
Fork 0
mirror of https://github.com/php/php-src.git synced 2025-08-15 21:48:51 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

Merge branch 'PHP-8.3' into PHP-8.4

Browse source 
* PHP-8.3:
  Fix use after free during shutdown destruction
This commit is contained in:
Niels Dossche 2025-06-18 21:20:25 +02:00
commit bb6263af60
No known key found for this signature in database
GPG key ID: B8A8AD166DF0E2E5
3 changed files with 30 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

3
NEWS
View file

@ -2,6 +2,9 @@ PHP NEWS
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||| |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
?? ??? ????, PHP 8.4.10 ?? ??? ????, PHP 8.4.10
- Core:
. Fixed bug GH-18833 (Use after free with weakmaps dependent on destruction
order). (Daniil Gentili)
03 Jul 2025, PHP 8.4.9 03 Jul 2025, PHP 8.4.9

24
Zend/tests/gh18833.phpt Normal file
View file

@ -0,0 +1,24 @@
--TEST--
GH-18833 (Use after free with weakmaps dependent on destruction order)
--FILE--
<?php
class a {
public static WeakMap $map;
public static Generator $storage;
}
a::$map = new WeakMap;
$closure = function () {
$obj = new a;
a::$map[$obj] = true;
yield $obj;
};
a::$storage = $closure();
a::$storage->current();
echo "ok\n";
?>
--EXPECT--
ok

4
Zend/zend_objects_API.c
View file

@ -100,7 +100,9 @@ ZEND_API void ZEND_FASTCALL zend_objects_store_free_object_storage(zend_objects_
if (IS_OBJ_VALID(obj)) { if (IS_OBJ_VALID(obj)) {
if (!(OBJ_FLAGS(obj) & IS_OBJ_FREE_CALLED)) { if (!(OBJ_FLAGS(obj) & IS_OBJ_FREE_CALLED)) {
GC_ADD_FLAGS(obj, IS_OBJ_FREE_CALLED); GC_ADD_FLAGS(obj, IS_OBJ_FREE_CALLED);
if (obj->handlers->free_obj != zend_object_std_dtor) { if (obj->handlers->free_obj != zend_object_std_dtor
|| (OBJ_FLAGS(obj) & IS_OBJ_WEAKLY_REFERENCED)
) {
GC_ADDREF(obj); GC_ADDREF(obj);
obj->handlers->free_obj(obj); obj->handlers->free_obj(obj);
} }