Fixed bug #81430

rioderelfte · rioderelfte · commit 43abc8fad136 · 2021-11-18T16:16:37.000+01:00
Check if the runtime cache pointer is NULL before dereferencing it.
diff --git a/Zend/zend_observer.c b/Zend/zend_observer.c
@@ -229,6 +229,7 @@ ZEND_API void ZEND_FASTCALL zend_observer_fcall_end(
 		zend_execute_data *ex = execute_data->prev_execute_data;
 		while (ex && (!ex->func || ex->func->type == ZEND_INTERNAL_FUNCTION
 		          || !ZEND_OBSERVABLE_FN(ex->func->common.fn_flags)
+		          || !&RUN_TIME_CACHE(&ex->func->op_array)
 		          || !ZEND_OBSERVER_DATA(&ex->func->op_array)
 		          || ZEND_OBSERVER_DATA(&ex->func->op_array) == ZEND_OBSERVER_NOT_OBSERVED)) {
 			ex = ex->prev_execute_data;
diff --git a/ext/zend_test/tests/bug81430.phpt b/ext/zend_test/tests/bug81430.phpt
@@ -0,0 +1,34 @@
+--TEST--
+Bug #81430 (Attribute instantiation leaves dangling execute_data pointer)
+--INI--
+memory_limit=20M
+zend_test.observer.enabled=1
+zend_test.observer.observe_all=1
+--FILE--
+<?php
+
+namespace X; // avoid cuf() being optimized away
+
+#[\Attribute]
+class A {
+        public function __construct() {}
+}
+
+#[A]
+function B() {}
+
+$r = new \ReflectionFunction("X\\B");
+var_dump(call_user_func([$r->getAttributes(A::class)[0], 'newInstance']));
+
+array_map("str_repeat", ["\xFF"], [100000000]); // cause a bailout
+--EXPECTF--
+<!-- init '%s' -->
+<file '%s'>
+  <!-- init X\A::__construct() -->
+  <X\A::__construct>
+  </X\A::__construct>
+object(X\A)#3 (0) {
+}
+
+Fatal error: Allowed memory size of 20971520 bytes exhausted %s in %s on line %d
+</file '%s'>
