Fix #81430: Attribute instantiation leaves dangling pointer

beberlei · cmb69 · commit 2f6a06ccb0ef · 2022-01-10T12:40:15.000+01:00
By switching attribute constructor stackframe to be called via trampoline the stack allocation is not causing dangling pointers in the zend_observer API anymore. Co-Authored-By: Florian Sowade <f.sowade@suora.com> Co-Authored-By: Christopher Becker <cmbecker69@gmx.de> Co-Authored-By: Dmitry Stogov <dmitry@zend.com> Closes GH-7885.
diff --git a/NEWS b/NEWS
@@ -2,6 +2,10 @@ PHP                                                                        NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 ?? ??? 2022, PHP 8.0.16
 
+- Core:
+  . Fixed bug #81430 (Attribute instantiation leaves dangling pointer).
+    (beberlei)
+
 - FPM:
   . Fixed memory leak on invalid port. (David Carlier)
 
diff --git a/ext/reflection/php_reflection.c b/ext/reflection/php_reflection.c
@@ -6315,6 +6315,7 @@ static int call_attribute_constructor(
 		dummy_func.type = ZEND_USER_FUNCTION;
 		dummy_func.common.fn_flags =
 			attr->flags & ZEND_ATTRIBUTE_STRICT_TYPES ? ZEND_ACC_STRICT_TYPES : 0;
+		dummy_func.common.fn_flags |= ZEND_ACC_CALL_VIA_TRAMPOLINE;
 		dummy_func.op_array.filename = filename;
 
 		dummy_opline.opcode = ZEND_DO_FCALL;
diff --git a/ext/zend_test/tests/observer_bug81430_1.phpt b/ext/zend_test/tests/observer_bug81430_1.phpt
@@ -0,0 +1,31 @@
+--TEST--
+Bug #81430 (Attribute instantiation frame accessing invalid frame pointer)
+--EXTENSIONS--
+zend_test
+--INI--
+memory_limit=20M
+zend_test.observer.enabled=1
+zend_test.observer.observe_all=1
+--FILE--
+<?php
+
+#[\Attribute]
+class A {
+    private $a;
+    public function __construct() {
+    }
+}
+
+#[A]
+function B() {}
+
+$r = new \ReflectionFunction("B");
+call_user_func([$r->getAttributes(A::class)[0], 'newInstance']);
+?>
+--EXPECTF--
+<!-- init '%s' -->
+<file '%s'>
+  <!-- init A::__construct() -->
+  <A::__construct>
+  </A::__construct>
+</file '%s'>
diff --git a/ext/zend_test/tests/observer_bug81430_2.phpt b/ext/zend_test/tests/observer_bug81430_2.phpt
@@ -0,0 +1,33 @@
+--TEST--
+Bug #81430 (Attribute instantiation leaves dangling execute_data pointer)
+--EXTENSIONS--
+zend_test
+--INI--
+memory_limit=20M
+zend_test.observer.enabled=1
+zend_test.observer.observe_all=1
+--FILE--
+<?php
+
+#[\Attribute]
+class A {
+    public function __construct() {
+        array_map("str_repeat", ["\xFF"], [100000000]); // cause a bailout
+    }
+}
+
+#[A]
+function B() {}
+
+$r = new \ReflectionFunction("B");
+call_user_func([$r->getAttributes(A::class)[0], 'newInstance']);
+?>
+--EXPECTF--
+<!-- init '%s' -->
+<file '%s'>
+  <!-- init A::__construct() -->
+  <A::__construct>
+
+Fatal error: Allowed memory size of %d bytes exhausted %s in %s on line %d
+  </A::__construct>
+</file '%s'>
