Fix zend_observer_fcall_end_all() accessing dangling pointers

beberlei · rioderelfte · cmb69 · beberlei · commit 257880764c75 · 2022-01-05T17:56:52.000+01:00
By switching attribute constructor stackframe to be called via
trampoline the stack allocation is not causing dangling pointers
in the zend_observer API anymore.

Co-Authored-By: Florian Sowade &lt;f.sowade@suora.com&gt;
Co-Authored-By: Christopher Becker &lt;cmbecker69@gmx.de&gt;
Co-Authored-By: Dmitry Stogov &lt;dmitry@zend.com&gt;
diff --git a/ext/reflection/php_reflection.c b/ext/reflection/php_reflection.c
@@ -6315,6 +6315,7 @@ static int call_attribute_constructor(
 		dummy_func.type = ZEND_USER_FUNCTION;
 		dummy_func.common.fn_flags =
 			attr->flags & ZEND_ATTRIBUTE_STRICT_TYPES ? ZEND_ACC_STRICT_TYPES : 0;
+		dummy_func.common.fn_flags |= ZEND_ACC_CALL_VIA_TRAMPOLINE;
 		dummy_func.op_array.filename = filename;
 
 		dummy_opline.opcode = ZEND_DO_FCALL;
diff --git a/ext/zend_test/tests/observer_bug81430_1.phpt b/ext/zend_test/tests/observer_bug81430_1.phpt
@@ -0,0 +1,37 @@
+--TEST--
+Bug #81430 (Attribute instantiation frame accessing invalid frame pointer)
+--INI--
+memory_limit=20M
+zend_test.observer.enabled=1
+zend_test.observer.observe_all=1
+--FILE--
+<?php
+
+function another_userland() {
+    return 2 * 2;
+}
+
+#[\Attribute]
+class A {
+        private $a;
+        public function __construct() {
+            $this->a = another_userland();
+        }
+}
+
+#[A]
+function B() {}
+
+$r = new \ReflectionFunction("B");
+call_user_func([$r->getAttributes(A::class)[0], 'newInstance']);
+?>
+--EXPECTF--
+<!-- init '%s' -->
+<file '%s'>
+  <!-- init A::__construct() -->
+  <A::__construct>
+    <!-- init another_userland() -->
+    <another_userland>
+    </another_userland>
+  </A::__construct>
+</file '%s'>
diff --git a/ext/zend_test/tests/observer_bug81430_2.phpt b/ext/zend_test/tests/observer_bug81430_2.phpt
@@ -0,0 +1,31 @@
+--TEST--
+Bug #81430 (Attribute instantiation leaves dangling execute_data pointer)
+--INI--
+memory_limit=20M
+zend_test.observer.enabled=1
+zend_test.observer.observe_all=1
+--FILE--
+<?php
+
+#[\Attribute]
+class A {
+        public function __construct() {
+                array_map("str_repeat", ["\xFF"], [100000000]); // cause a bailout
+        }
+}
+
+#[A]
+function B() {}
+
+$r = new \ReflectionFunction("B");
+call_user_func([$r->getAttributes(A::class)[0], 'newInstance']);
+?>
+--EXPECTF--
+<!-- init '%s' -->
+<file '%s'>
+  <!-- init A::__construct() -->
+  <A::__construct>
+
+Fatal error: Allowed memory size of %d bytes exhausted %s in %s on line %d
+  </A::__construct>
+</file '%s'>
