Verify internal types before abandoning call frame

sgolemon · sgolemon · commit 01d84545e73e · 2022-06-01T00:51:08.000Z
An internal caller executing a builtin method with
a static return type will lose context if we drop
our frame before performing the validation.
diff --git a/NEWS b/NEWS
@@ -5,6 +5,8 @@ PHP                                                                        NEWS
 - Core:
   . Fixed bug GH-8338 (Intel CET is disabled unintentionally). (Chen, Hu)
   . Fixed leak in Enum::from/tryFrom for internal enums when using JIT (ilutov)
+  . Fixed calling internal methods with a static return type from
+    extension code. (Sara)
 
 - Date:
   . Fixed bug #72963 (Null-byte injection in CreateFromFormat and related
diff --git a/Zend/zend_execute_API.c b/Zend/zend_execute_API.c
@@ -921,11 +921,6 @@ zend_result zend_call_function(zend_fcall_info *fci, zend_fcall_info_cache *fci_
 		} else {
 			zend_execute_internal(call, fci->retval);
 		}
-		EG(current_execute_data) = call->prev_execute_data;
-		zend_vm_stack_free_args(call);
-		if (UNEXPECTED(ZEND_CALL_INFO(call) & ZEND_CALL_HAS_EXTRA_NAMED_PARAMS)) {
-			zend_array_release(call->extra_named_params);
-		}
 
 #if ZEND_DEBUG
 		if (!EG(exception) && call->func) {
@@ -938,6 +933,11 @@ zend_result zend_call_function(zend_fcall_info *fci, zend_fcall_info_cache *fci_
 				? Z_ISREF_P(fci->retval) : !Z_ISREF_P(fci->retval));
 		}
 #endif
+		EG(current_execute_data) = call->prev_execute_data;
+		zend_vm_stack_free_args(call);
+		if (UNEXPECTED(ZEND_CALL_INFO(call) & ZEND_CALL_HAS_EXTRA_NAMED_PARAMS)) {
+			zend_array_release(call->extra_named_params);
+		}
 
 		if (EG(exception)) {
 			zval_ptr_dtor(fci->retval);
diff --git a/ext/zend_test/test.c b/ext/zend_test/test.c
@@ -26,6 +26,7 @@
 #include "fiber.h"
 #include "zend_attributes.h"
 #include "zend_enum.h"
+#include "zend_interfaces.h"
 #include "zend_weakrefs.h"
 #include "Zend/Optimizer/zend_optimizer.h"
 #include "test_arginfo.h"
@@ -277,6 +278,40 @@ static ZEND_FUNCTION(zend_iterable)
 	ZEND_PARSE_PARAMETERS_END();
 }
 
+/* Call a method on a class or object using zend_call_method() */
+static ZEND_FUNCTION(zend_call_method)
+{
+	zval *class_or_object;
+	zend_string *method_name;
+	zval *arg1 = NULL, *arg2 = NULL;
+	zend_object *obj = NULL;
+	zend_class_entry *ce = NULL;
+	int argc = ZEND_NUM_ARGS();
+
+	ZEND_PARSE_PARAMETERS_START(2, 4)
+		Z_PARAM_ZVAL(class_or_object)
+		Z_PARAM_STR(method_name)
+		Z_PARAM_OPTIONAL
+		Z_PARAM_ZVAL(arg1)
+		Z_PARAM_ZVAL(arg2)
+	ZEND_PARSE_PARAMETERS_END();
+
+	if (Z_TYPE_P(class_or_object) == IS_OBJECT) {
+		obj = Z_OBJ_P(class_or_object);
+		ce = obj->ce;
+	} else {
+		ZEND_ASSERT(Z_TYPE_P(class_or_object) == IS_STRING);
+		ce = zend_lookup_class(Z_STR_P(class_or_object));
+		if (!ce) {
+			zend_error(E_ERROR, "Unknown class '%s'", Z_STRVAL_P(class_or_object));
+			return;
+		}
+	}
+
+	ZEND_ASSERT((argc >= 2) && (argc <= 4));
+	zend_call_method(obj, ce, NULL, ZSTR_VAL(method_name), ZSTR_LEN(method_name), return_value, argc - 2, arg1, arg2);
+}
+
 static ZEND_FUNCTION(zend_get_unit_enum)
 {
 	ZEND_PARSE_PARAMETERS_NONE();
diff --git a/ext/zend_test/test.stub.php b/ext/zend_test/test.stub.php
@@ -113,6 +113,8 @@ function zend_get_unit_enum(): ZendTestUnitEnum {}
     function zend_test_parameter_with_attribute(string $parameter): int {}
 
     function zend_get_current_func_name(): string {}
+
+    function zend_call_method(object|string $clsOrObject, string $method, mixed $arg1 = null, mixed $arg2 = null): mixed {}
 }
 
 namespace ZendTestNS {
diff --git a/ext/zend_test/test_arginfo.h b/ext/zend_test/test_arginfo.h
@@ -1,5 +1,5 @@
 /* This is a generated file, edit the .stub.php file instead.
- * Stub hash: 6d9ff0e2263a39420dd157206331a9e897d9e775 */
+ * Stub hash: 1be3dba6b0638764bcf00cd695cb88a3e8a0a530 */
 
 ZEND_BEGIN_ARG_WITH_RETURN_TYPE_INFO_EX(arginfo_zend_test_array_return, 0, 0, IS_ARRAY, 0)
 ZEND_END_ARG_INFO()
@@ -72,6 +72,13 @@ ZEND_END_ARG_INFO()
 ZEND_BEGIN_ARG_WITH_RETURN_TYPE_INFO_EX(arginfo_zend_get_current_func_name, 0, 0, IS_STRING, 0)
 ZEND_END_ARG_INFO()
 
+ZEND_BEGIN_ARG_WITH_RETURN_TYPE_INFO_EX(arginfo_zend_call_method, 0, 2, IS_MIXED, 0)
+	ZEND_ARG_TYPE_MASK(0, clsOrObject, MAY_BE_OBJECT|MAY_BE_STRING, NULL)
+	ZEND_ARG_TYPE_INFO(0, method, IS_STRING, 0)
+	ZEND_ARG_TYPE_INFO_WITH_DEFAULT_VALUE(0, arg1, IS_MIXED, 0, "null")
+	ZEND_ARG_TYPE_INFO_WITH_DEFAULT_VALUE(0, arg2, IS_MIXED, 0, "null")
+ZEND_END_ARG_INFO()
+
 ZEND_BEGIN_ARG_WITH_RETURN_TYPE_INFO_EX(arginfo_ZendTestNS2_ZendSubNS_namespaced_func, 0, 0, _IS_BOOL, 0)
 ZEND_END_ARG_INFO()
 
@@ -128,6 +135,7 @@ static ZEND_FUNCTION(zend_weakmap_dump);
 static ZEND_FUNCTION(zend_get_unit_enum);
 static ZEND_FUNCTION(zend_test_parameter_with_attribute);
 static ZEND_FUNCTION(zend_get_current_func_name);
+static ZEND_FUNCTION(zend_call_method);
 static ZEND_FUNCTION(namespaced_func);
 static ZEND_METHOD(_ZendTestClass, is_object);
 static ZEND_METHOD(_ZendTestClass, __toString);
@@ -164,6 +172,7 @@ static const zend_function_entry ext_functions[] = {
 	ZEND_FE(zend_get_unit_enum, arginfo_zend_get_unit_enum)
 	ZEND_FE(zend_test_parameter_with_attribute, arginfo_zend_test_parameter_with_attribute)
 	ZEND_FE(zend_get_current_func_name, arginfo_zend_get_current_func_name)
+	ZEND_FE(zend_call_method, arginfo_zend_call_method)
 	ZEND_NS_FE("ZendTestNS2\\ZendSubNS", namespaced_func, arginfo_ZendTestNS2_ZendSubNS_namespaced_func)
 	ZEND_FE_END
 };
diff --git a/ext/zend_test/tests/internal-call-internal-static-return.phpt b/ext/zend_test/tests/internal-call-internal-static-return.phpt
@@ -0,0 +1,30 @@
+--TEST--
+Calling a builtin function with 'static' return type from internal code
+--FILE--
+<?php
+
+enum IntIntStaticInt : int {
+	case Life = 42;
+}
+
+enum IntIntStaticString : string {
+	case ThanksFor = "all the fish";
+}
+
+var_dump(zend_call_method("IntIntStaticInt", "from", 42));
+var_dump(zend_call_method("IntIntStaticInt", "tryFrom", 42));
+var_dump(zend_call_method("IntIntStaticString", "from", "all the fish"));
+var_dump(zend_call_method("IntIntStaticString", "tryFrom", "all the fish"));
+
+class StillReturnsStatic extends _ZendTestClass {}
+
+var_dump(get_class(zend_call_method("_ZendTestClass", "returnsStatic")));
+var_dump(get_class(zend_call_method("StillReturnsStatic", "returnsStatic")));
+
+--EXPECT--
+enum(IntIntStaticInt::Life)
+enum(IntIntStaticInt::Life)
+enum(IntIntStaticString::ThanksFor)
+enum(IntIntStaticString::ThanksFor)
+string(14) "_ZendTestClass"
+string(18) "StillReturnsStatic"

Original file line number	Diff line number	Diff line change
`@@ -113,6 +113,8 @@ function zend_get_unit_enum(): ZendTestUnitEnum {}`
`113`	`113`	`function zend_test_parameter_with_attribute(string $parameter): int {}`
`114`	`114`
`115`	`115`	`function zend_get_current_func_name(): string {}`
	`116`	`+`
	`117`	`+ function zend_call_method(object\|string $clsOrObject, string $method, mixed $arg1 = null, mixed $arg2 = null): mixed {}`
`116`	`118`	`}`
`117`	`119`
`118`	`120`	`namespace ZendTestNS {`