Do not use zend_fcall_info_argp() for ticks and shutdown functions

Girgias · Girgias · commit 1de0f545bbb6 · 2022-10-20T22:42:20.000+01:00
Instead handle the copying and safe reallocation of the param zvals ourself.
diff --git a/ext/standard/basic_functions.c b/ext/standard/basic_functions.c
@@ -1596,9 +1596,17 @@ PHP_FUNCTION(forward_static_call_array)
 }
 /* }}} */
 
-static void fci_addref(zend_fcall_info *fci, zend_fcall_info_cache *fci_cache)
+static void fci_addref(zend_fcall_info *fci, zend_fcall_info_cache *fci_cache, const zval *params)
 {
 	Z_TRY_ADDREF(fci->function_name);
+	fci->params = NULL;
+	if (params) {
+		ZEND_ASSERT(fci->param_count);
+		fci->params = (zval *) safe_erealloc(fci->params, sizeof(zval), fci->param_count, 0);
+		for (uint32_t i = 0; i < fci->param_count; ++i) {
+			ZVAL_COPY(&fci->params[i], &params[i]);
+		}
+	}
 	if (fci_cache->object) {
 		GC_ADDREF(fci_cache->object);
 	}
@@ -1607,24 +1615,29 @@ static void fci_addref(zend_fcall_info *fci, zend_fcall_info_cache *fci_cache)
 static void fci_release(zend_fcall_info *fci, zend_fcall_info_cache *fci_cache)
 {
 	zval_ptr_dtor(&fci->function_name);
+	for (uint32_t i = 0; i < fci->param_count; ++i) {
+		zval_ptr_dtor(&fci->params[i]);
+	}
+	if (fci->params) {
+		efree(fci->params);
+	}
 	if (fci_cache->object) {
 		zend_object_release(fci_cache->object);
 	}
+	zend_release_fcall_info_cache(fci_cache);
 }
 
 void user_shutdown_function_dtor(zval *zv) /* {{{ */
 {
 	php_shutdown_function_entry *shutdown_function_entry = Z_PTR_P(zv);
 
-	zend_fcall_info_args_clear(&shutdown_function_entry->fci, true);
 	fci_release(&shutdown_function_entry->fci, &shutdown_function_entry->fci_cache);
 	efree(shutdown_function_entry);
 }
 /* }}} */
 
 void user_tick_function_dtor(user_tick_function_entry *tick_function_entry) /* {{{ */
 {
-	zend_fcall_info_args_clear(&tick_function_entry->fci, true);
 	fci_release(&tick_function_entry->fci, &tick_function_entry->fci_cache);
 }
 /* }}} */
@@ -1723,16 +1736,14 @@ PHPAPI void php_free_shutdown_functions(void) /* {{{ */
 PHP_FUNCTION(register_shutdown_function)
 {
 	php_shutdown_function_entry entry;
-	zval *params = NULL;
-	uint32_t param_count = 0;
 	bool status;
+	zval *params = NULL;
 
-	if (zend_parse_parameters(ZEND_NUM_ARGS(), "f*", &entry.fci, &entry.fci_cache, &params, &param_count) == FAILURE) {
+	if (zend_parse_parameters(ZEND_NUM_ARGS(), "f*", &entry.fci, &entry.fci_cache, &params, &entry.fci.param_count) == FAILURE) {
 		RETURN_THROWS();
 	}
 
-	fci_addref(&entry.fci, &entry.fci_cache);
-	zend_fcall_info_argp(&entry.fci, param_count, params);
+	fci_addref(&entry.fci, &entry.fci_cache, params);
 
 	status = append_user_shutdown_function(&entry);
 	ZEND_ASSERT(status);
@@ -2312,15 +2323,13 @@ PHP_FUNCTION(register_tick_function)
 {
 	user_tick_function_entry tick_fe;
 	zval *params = NULL;
-	uint32_t param_count = 0;
 
-	if (zend_parse_parameters(ZEND_NUM_ARGS(), "f*", &tick_fe.fci, &tick_fe.fci_cache, &params, &param_count) == FAILURE) {
+	if (zend_parse_parameters(ZEND_NUM_ARGS(), "f*", &tick_fe.fci, &tick_fe.fci_cache, &params, &tick_fe.fci.param_count) == FAILURE) {
 		RETURN_THROWS();
 	}
 
 	tick_fe.calling = false;
-	fci_addref(&tick_fe.fci, &tick_fe.fci_cache);
-	zend_fcall_info_argp(&tick_fe.fci, param_count, params);
+	fci_addref(&tick_fe.fci, &tick_fe.fci_cache, params);
 
 	if (!BG(user_tick_functions)) {
 		BG(user_tick_functions) = (zend_llist *) emalloc(sizeof(zend_llist));
