Fix #81435 Observer current_observed_frame may point to an old (overwritten) frame

bwoebi · bwoebi · commit 12b0f1b7cc67 · 2021-09-13T15:58:58.000+02:00
Ensure current_observed_frame always points to an actually observed frame.
This solution has a caveat of being O(stack size), with the worst case occurring if there are a lot of frames between the current and previous observed frames.
An O(1) solution would require keeping track of the previous observed frame, which would require some additional frame attached metadata, which is best not attempted in an already released version.
diff --git a/NEWS b/NEWS
@@ -2,6 +2,10 @@ PHP                                                                        NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 ?? ??? 2021, PHP 8.0.12
 
+- Core:
+  . Fixed bug #81435 (Observer current_observed_frame may point to an old
+    (overwritten) frame). (Bob)
+
 - DOM:
   . Fixed bug #81433 (DOMElement::setIdAttribute() called twice may remove ID).
     (Viktor Volkov)
diff --git a/Zend/zend_observer.c b/Zend/zend_observer.c
@@ -221,7 +221,10 @@ ZEND_API void ZEND_FASTCALL zend_observer_fcall_end(
 		current_observed_frame = NULL;
 	} else {
 		zend_execute_data *ex = execute_data->prev_execute_data;
-		while (ex && !ex->func) {
+		while (ex && (!ex->func || ex->func->type == ZEND_INTERNAL_FUNCTION
+		          || !ZEND_OBSERVABLE_FN(ex->func->common.fn_flags)
+		          || !ZEND_OBSERVER_DATA(&ex->func->op_array)
+		          || ZEND_OBSERVER_DATA(&ex->func->op_array) == ZEND_OBSERVER_NOT_OBSERVED)) {
 			ex = ex->prev_execute_data;
 		}
 		current_observed_frame = ex;
diff --git a/ext/zend_test/test.c b/ext/zend_test/test.c
@@ -34,6 +34,7 @@ ZEND_BEGIN_MODULE_GLOBALS(zend_test)
 	int observer_observe_all;
 	int observer_observe_includes;
 	int observer_observe_functions;
+	zend_array *observer_observe_function_names;
 	int observer_show_return_type;
 	int observer_show_return_value;
 	int observer_show_init_backtrace;
@@ -329,12 +330,33 @@ static ZEND_METHOD(ZendTestNS2_Foo, method) {
 	ZEND_PARSE_PARAMETERS_NONE();
 }
 
+static ZEND_INI_MH(zend_test_observer_OnUpdateCommaList)
+{
+	zend_array **p = (zend_array **) ZEND_INI_GET_ADDR();
+	if (*p) {
+		zend_hash_release(*p);
+	}
+	*p = NULL;
+	if (new_value && ZSTR_LEN(new_value)) {
+		*p = malloc(sizeof(HashTable));
+		_zend_hash_init(*p, 8, ZVAL_PTR_DTOR, 1);
+		const char *start = ZSTR_VAL(new_value), *ptr;
+		while ((ptr = strchr(start, ','))) {
+			zend_hash_str_add_empty_element(*p, start, ptr - start);
+			start = ptr + 1;
+		}
+		zend_hash_str_add_empty_element(*p, start, ZSTR_VAL(new_value) + ZSTR_LEN(new_value) - start);
+	}
+	return SUCCESS;
+}
+
 PHP_INI_BEGIN()
 	STD_PHP_INI_BOOLEAN("zend_test.observer.enabled", "0", PHP_INI_SYSTEM, OnUpdateBool, observer_enabled, zend_zend_test_globals, zend_test_globals)
 	STD_PHP_INI_BOOLEAN("zend_test.observer.show_output", "1", PHP_INI_SYSTEM, OnUpdateBool, observer_show_output, zend_zend_test_globals, zend_test_globals)
 	STD_PHP_INI_BOOLEAN("zend_test.observer.observe_all", "0", PHP_INI_SYSTEM, OnUpdateBool, observer_observe_all, zend_zend_test_globals, zend_test_globals)
 	STD_PHP_INI_BOOLEAN("zend_test.observer.observe_includes", "0", PHP_INI_SYSTEM, OnUpdateBool, observer_observe_includes, zend_zend_test_globals, zend_test_globals)
 	STD_PHP_INI_BOOLEAN("zend_test.observer.observe_functions", "0", PHP_INI_SYSTEM, OnUpdateBool, observer_observe_functions, zend_zend_test_globals, zend_test_globals)
+	STD_PHP_INI_ENTRY("zend_test.observer.observe_function_names", "", PHP_INI_SYSTEM, zend_test_observer_OnUpdateCommaList, observer_observe_function_names, zend_zend_test_globals, zend_test_globals)
 	STD_PHP_INI_BOOLEAN("zend_test.observer.show_return_type", "0", PHP_INI_SYSTEM, OnUpdateBool, observer_show_return_type, zend_zend_test_globals, zend_test_globals)
 	STD_PHP_INI_BOOLEAN("zend_test.observer.show_return_value", "0", PHP_INI_SYSTEM, OnUpdateBool, observer_show_return_value, zend_zend_test_globals, zend_test_globals)
 	STD_PHP_INI_BOOLEAN("zend_test.observer.show_init_backtrace", "0", PHP_INI_SYSTEM, OnUpdateBool, observer_show_init_backtrace, zend_zend_test_globals, zend_test_globals)
@@ -584,10 +606,16 @@ static zend_observer_fcall_handlers observer_fcall_init(zend_execute_data *execu
 
 	if (ZT_G(observer_observe_all)) {
 		return (zend_observer_fcall_handlers){observer_begin, observer_end};
-	} else if (ZT_G(observer_observe_includes) && !fbc->common.function_name) {
-		return (zend_observer_fcall_handlers){observer_begin, observer_end};
-	} else if (ZT_G(observer_observe_functions) && fbc->common.function_name) {
-		return (zend_observer_fcall_handlers){observer_begin, observer_end};
+	} else if (fbc->common.function_name) {
+		if (ZT_G(observer_observe_functions)) {
+			return (zend_observer_fcall_handlers){observer_begin, observer_end};
+		} else if (ZT_G(observer_observe_function_names) && zend_hash_exists(ZT_G(observer_observe_function_names), fbc->common.function_name)) {
+			return (zend_observer_fcall_handlers){observer_begin, observer_end};
+		}
+	} else {
+		if (ZT_G(observer_observe_includes)) {
+			return (zend_observer_fcall_handlers){observer_begin, observer_end};
+		}
 	}
 	return (zend_observer_fcall_handlers){NULL, NULL};
 }
diff --git a/ext/zend_test/tests/bug81435.phpt b/ext/zend_test/tests/bug81435.phpt
@@ -0,0 +1,44 @@
+--TEST--
+Bug #81435 (Observer current_observed_frame may point to an old (overwritten) frame)
+--INI--
+memory_limit=20M
+zend_test.observer.enabled=1
+zend_test.observer.observe_function_names=a,d
+--FILE--
+<?php
+
+function d() {} // observed
+
+function c() {
+    d();
+}
+
+function b() {
+    c();
+}
+
+function bailout(...$args) {
+    array_map("str_repeat", ["\xFF"], [100000000]);
+}
+
+function a() { // observed (first_observed_frame)
+    b();
+    bailout(1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15); // overwrite the vm_stack containing prev_execute_data
+}
+
+a();
+
+?>
+--EXPECTF--
+<!-- init '%s' -->
+<!-- init a() -->
+<a>
+  <!-- init b() -->
+  <!-- init c() -->
+  <!-- init d() -->
+  <d>
+  </d>
+  <!-- init bailout() -->
+
+Fatal error: Allowed memory size of 20971520 bytes exhausted at %s (tried to allocate %d bytes) in %s on line %d
+</a>
diff --git a/ext/zend_test/tests/observer_error_05.phpt b/ext/zend_test/tests/observer_error_05.phpt
@@ -6,8 +6,6 @@ Observer: End handlers fire after a userland fatal error
 zend_test.observer.enabled=1
 zend_test.observer.observe_all=1
 zend_test.observer.show_return_value=1
---XFAIL--
-This is unsafe and fails on macos
 --FILE--
 <?php
 set_error_handler(function ($errno, $errstr, $errfile, $errline) {
