archive/php-src
1
0
Fork 0
mirror of https://github.com/php/php-src.git synced 2025-08-15 21:48:51 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

Fix use-after-free of immediately invoked closure with extra args

Browse source
This commit is contained in:
Nikita Popov 2019-08-29 12:30:39 +02:00
parent b557265816
commit ed749edd47
3 changed files with 21 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

11
Zend/tests/closure_extra_args.phpt Normal file
View file

@ -0,0 +1,11 @@
--TEST--
Immediately invoked closure with extra args
--FILE--
<?php
(function() {})(new stdClass);
?>
===DONE===
--EXPECT--
===DONE===

6
Zend/zend_vm_def.h
View file

@ -2398,6 +2398,11 @@ ZEND_VM_HELPER(zend_leave_helper, ANY, ANY)
zend_clean_and_cache_symbol_table(EX(symbol_table));
}
EG(current_execute_data) = EX(prev_execute_data);
/* Free extra args before releasing the closure,
* as that may free the op_array. */
zend_vm_stack_free_extra_args_ex(call_info, execute_data);
if (UNEXPECTED(call_info & ZEND_CALL_RELEASE_THIS)) {
zend_object *object = Z_OBJ(execute_data->This);
#if 0
@ -2413,7 +2418,6 @@ ZEND_VM_HELPER(zend_leave_helper, ANY, ANY)
OBJ_RELEASE((zend_object*)execute_data->func->op_array.prototype);
}
zend_vm_stack_free_extra_args_ex(call_info, execute_data);
old_execute_data = execute_data;
execute_data = EX(prev_execute_data);
zend_vm_stack_free_call_frame_ex(call_info, old_execute_data);

6
Zend/zend_vm_execute.h
View file

@ -468,6 +468,11 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL zend_leave_helper_SPEC(ZEND_OPCODE_
zend_clean_and_cache_symbol_table(EX(symbol_table));
}
EG(current_execute_data) = EX(prev_execute_data);
/* Free extra args before releasing the closure,
* as that may free the op_array. */
zend_vm_stack_free_extra_args_ex(call_info, execute_data);
if (UNEXPECTED(call_info & ZEND_CALL_RELEASE_THIS)) {
zend_object *object = Z_OBJ(execute_data->This);
#if 0
@ -483,7 +488,6 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL zend_leave_helper_SPEC(ZEND_OPCODE_
OBJ_RELEASE((zend_object*)execute_data->func->op_array.prototype);
}
zend_vm_stack_free_extra_args_ex(call_info, execute_data);
old_execute_data = execute_data;
execute_data = EX(prev_execute_data);
zend_vm_stack_free_call_frame_ex(call_info, old_execute_data);