From fc1db70f106525e81f9a24539340b7cf2e82e844 Mon Sep 17 00:00:00 2001
From: Niels Dossche <7771979+nielsdos@users.noreply.github.com>
Date: Wed, 6 Nov 2024 20:12:10 +0100
Subject: [PATCH] Fix GH-16630: UAF in lexer with encoding translation and heredocs
zend_save_lexical_state() can be nested multiple times, for example for the parser initialization and then in the heredoc lexing. The input should not be freed if we restore to the same filtered string.
Closes GH-16716.
---
 NEWS | 2 ++
 Zend/tests/gh16630.phpt | 19 +++++++++++++++++++
 Zend/zend_language_scanner.l | 2 +-
 3 files changed, 22 insertions(+), 1 deletion(-)
 create mode 100644 Zend/tests/gh16630.phpt
diff --git a/NEWS b/NEWS
index c81066f90e6..56f3e942334 100644
--- a/NEWS
+++ b/NEWS
@@ -12,6 +12,8 @@ PHP NEWS (frankenphp)). (nielsdos) . Fixed bug GH-16799 (Assertion failure at Zend/zend_vm_execute.h:7469). (nielsdos) + . Fixed bug GH-16630 (UAF in lexer with encoding translation and heredocs). + (nielsdos) - FPM: . Fixed GH-16432 (PHP-FPM 8.2 SIGSEGV in fpm_get_status). (Jakub Zelenka)
diff --git a/Zend/tests/gh16630.phpt b/Zend/tests/gh16630.phpt
new file mode 100644
index 00000000000..62d6c9956a7
--- /dev/null
+++ b/Zend/tests/gh16630.phpt
@@ -0,0 +1,19 @@
+--TEST--
+GH-16630 (UAF in lexer with encoding translation and heredocs)
+--EXTENSIONS--
+mbstring
+--INI--
+zend.multibyte=On
+zend.script_encoding=ISO-8859-1
+internal_encoding=EUC-JP
+--FILE--
+
+--EXPECT--
+heredoc
+text
diff --git a/Zend/zend_language_scanner.l b/Zend/zend_language_scanner.l
index c3b27cbfc32..8b46700eba3 100644
--- a/Zend/zend_language_scanner.l
+++ b/Zend/zend_language_scanner.l
@@ -275,7 +275,7 @@ ZEND_API void zend_restore_lexical_state(zend_lex_state *lex_state)
 CG(zend_lineno) = lex_state->lineno;
 zend_restore_compiled_filename(lex_state->filename);
- if (SCNG(script_filtered)) {
+ if (SCNG(script_filtered) && SCNG(script_filtered) != lex_state->script_filtered) {
 efree(SCNG(script_filtered));
 SCNG(script_filtered) = NULL;
 }
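Review bot: The new condition on the `if` line encodes an ownership rule — the filtered buffer is freed only by the restore that actually replaces it, so a nested save/restore carrying the same pointer leaves it alive for the outer restore — but nothing in the code states that, and the plain `if (SCNG(script_filtered))` it replaces looks like the "obvious" form a later cleanup would revert to, reintroducing the use-after-free. Add a comment above the check, for example `/* Nested save/restore (e.g. heredoc lexing inside the parser) can carry the same filtered buffer; free it only when this restore replaces it, otherwise the outer restore owns it. */`. The check is pointer identity only, and the assignment that reinstalls `lex_state->script_filtered` (and presumably `script_filtered_size`) sits below the hunk, since zend_restore_lexical_state continues outside it; it is worth confirming that the size is restored together with the pointer so the retained buffer and its recorded length stay paired. The comparison also reads `lex_state->script_filtered`, which is only meaningful if every caller obtained the struct from zend_save_lexical_state rather than a partially initialized local; a `ZEND_ASSERT`-style sanity check or a note in the function's header comment would make that precondition explicit.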