archive/php-src
1
0
Fork 0
mirror of https://github.com/php/php-src.git synced 2025-08-15 21:48:51 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

Merge branch 'PHP-8.4'

Browse source 
* PHP-8.4:
  Use-after-free in extract() with EXTR_REFS
This commit is contained in:
Ilija Tovilo 2025-04-01 16:34:41 +02:00
commit e4e663ced4
No known key found for this signature in database
GPG key ID: 5050C66BFCD1015A
2 changed files with 26 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

4
ext/standard/array.c
View file

@ -1957,8 +1957,10 @@ static zend_long php_extract_ref_overwrite(zend_array *arr, zend_array *symbol_t
} else {
ZVAL_MAKE_REF_EX(entry, 2);
}
zval_ptr_dtor(orig_var);
zval garbage;
ZVAL_COPY_VALUE(&garbage, orig_var);
ZVAL_REF(orig_var, Z_REF_P(entry));
zval_ptr_dtor(&garbage);
} else {
if (Z_ISREF_P(entry)) {
Z_ADDREF_P(entry);

23
ext/standard/tests/gh18209.phpt Normal file
View file

@ -0,0 +1,23 @@
--TEST--
GH-18209: Use-after-free in extract() with EXTR_REFS
--CREDITS--
Noam Rathaus (nrathaus)
--FILE--
<?php
class C {
public function __destruct() {
var_dump($GLOBALS['b']);
$GLOBALS['b'] = 43;
}
}
$b = new C;
$array = ['b' => 42];
extract($array, EXTR_REFS);
var_dump($b);
?>
--EXPECT--
int(42)
int(43)