Fix GH-15210: phpdbg_print_changed_zvals working on a real copy instead.

devnexen · devnexen · commit 00b49b47787a · 2024-08-04T20:26:28.000+01:00
diff --git a/sapi/phpdbg/phpdbg_watch.c b/sapi/phpdbg/phpdbg_watch.c
@@ -1168,8 +1168,9 @@ int phpdbg_print_changed_zvals(void) {
 
 	if (zend_hash_num_elements(PHPDBG_G(watchlist_mem)) > 0) {
 		/* we must not add elements to the hashtable while iterating over it (resize => read into freed memory) */
-		mem_list = PHPDBG_G(watchlist_mem);
-		PHPDBG_G(watchlist_mem) = PHPDBG_G(watchlist_mem_backup);
+		mem_list = malloc(phpdbg_pagesize > sizeof(HashTable) ? phpdbg_pagesize : sizeof(HashTable));
+		zend_hash_init(mem_list, zend_hash_num_elements(PHPDBG_G(watchlist_mem)), NULL, NULL, false);
+		zend_hash_copy(mem_list, PHPDBG_G(watchlist_mem), (copy_ctor_func_t) zval_add_ref);
 
 		ZEND_HASH_MAP_FOREACH_NUM_KEY(mem_list, page) {
 			phpdbg_btree_position pos = phpdbg_btree_find_between(&PHPDBG_G(watchpoint_tree), page, page + phpdbg_pagesize);
@@ -1192,7 +1193,13 @@ int phpdbg_print_changed_zvals(void) {
 	phpdbg_reenable_memory_watches();
 
 	if (mem_list) {
-		PHPDBG_G(watchlist_mem) = mem_list;
+		zend_hash_destroy(PHPDBG_G(watchlist_mem));
+		free(PHPDBG_G(watchlist_mem));
+		PHPDBG_G(watchlist_mem) = malloc(phpdbg_pagesize > sizeof(HashTable) ? phpdbg_pagesize : sizeof(HashTable));
+		zend_hash_init(PHPDBG_G(watchlist_mem), phpdbg_pagesize / (sizeof(Bucket) + sizeof(uint32_t)), NULL, NULL, true);
+		zend_hash_copy(PHPDBG_G(watchlist_mem), mem_list, (copy_ctor_func_t) zval_add_ref);
+		zend_hash_destroy(mem_list);
+		free(mem_list);
 		phpdbg_reenable_memory_watches();
 	}
 
diff --git a/sapi/phpdbg/tests/gh15210.phpt b/sapi/phpdbg/tests/gh15210.phpt
@@ -0,0 +1,44 @@
+--TEST--
+GH-15210 use after free after continue
+--CREDITS--
+YuanchengJiang
+--PHPDBG--
+b 4
+r
+w $a[0]
+w r $b
+c
+q
+--FILE--
+<?php
+header_register_callback(function() { echo "sent";});
+$a = [0];
+$a[0] = 1;
+$b = &$a;
+$a[0] = 2;
+$a[1] = 3;
+$c = [1];
+$b = &$c;
+?>
+--EXPECTF--
+[Breakpoint #0 added at %s:%d]
+prompt> r
+[Breakpoint #0 at %s:%d, hits: 1]
+>00004: $a[0] = 1;
+ 00005: $b = &$a;
+ 00006: $a[0] = 2;
+prompt> w $a[0]
+[Added watchpoint #0 for $a[0]]
+prompt> w r $b
+[Added recursive watchpoint #1 for $b]
+prompt> c
+[Breaking on watchpoint $a[0]]
+Old value: [Breaking on watchpoint $a[0]]
+Old value: 0
+New value: 1
+>00002: header_register_callback(function() { echo "sent";});
+ 00003: $a = [0];
+ 00004: $a[0] = 1;
+prompt> q
+[$a[0] has been removed, removing watchpoint]
+[$b has been removed, removing watchpoint recursively]
