Merge branch 'PHP-8.0' into PHP-8.1

cmb69 · cmb69 · commit 48333628442d · 2022-01-10T12:42:18.000+01:00
* PHP-8.0:
  Fix #81430: Attribute instantiation leaves dangling pointer
diff --git a/NEWS b/NEWS
@@ -2,6 +2,10 @@ PHP                                                                        NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 ?? ??? ????, PHP 8.1.3
 
+- Core:
+  . Fixed bug #81430 (Attribute instantiation leaves dangling pointer).
+    (beberlei)
+
 - FPM:
   . Fixed memory leak on invalid port. (David Carlier)
 
diff --git a/ext/reflection/php_reflection.c b/ext/reflection/php_reflection.c
@@ -6547,6 +6547,7 @@ static int call_attribute_constructor(
 		dummy_func.type = ZEND_USER_FUNCTION;
 		dummy_func.common.fn_flags =
 			attr->flags & ZEND_ATTRIBUTE_STRICT_TYPES ? ZEND_ACC_STRICT_TYPES : 0;
+		dummy_func.common.fn_flags |= ZEND_ACC_CALL_VIA_TRAMPOLINE;
 		dummy_func.op_array.filename = filename;
 
 		dummy_opline.opcode = ZEND_DO_FCALL;
diff --git a/ext/zend_test/tests/observer_bug81430_1.phpt b/ext/zend_test/tests/observer_bug81430_1.phpt
@@ -0,0 +1,31 @@
+--TEST--
+Bug #81430 (Attribute instantiation frame accessing invalid frame pointer)
+--EXTENSIONS--
+zend_test
+--INI--
+memory_limit=20M
+zend_test.observer.enabled=1
+zend_test.observer.observe_all=1
+--FILE--
+<?php
+
+#[\Attribute]
+class A {
+    private $a;
+    public function __construct() {
+    }
+}
+
+#[A]
+function B() {}
+
+$r = new \ReflectionFunction("B");
+call_user_func([$r->getAttributes(A::class)[0], 'newInstance']);
+?>
+--EXPECTF--
+<!-- init '%s' -->
+<file '%s'>
+  <!-- init A::__construct() -->
+  <A::__construct>
+  </A::__construct>
+</file '%s'>
diff --git a/ext/zend_test/tests/observer_bug81430_2.phpt b/ext/zend_test/tests/observer_bug81430_2.phpt
@@ -0,0 +1,33 @@
+--TEST--
+Bug #81430 (Attribute instantiation leaves dangling execute_data pointer)
+--EXTENSIONS--
+zend_test
+--INI--
+memory_limit=20M
+zend_test.observer.enabled=1
+zend_test.observer.observe_all=1
+--FILE--
+<?php
+
+#[\Attribute]
+class A {
+    public function __construct() {
+        array_map("str_repeat", ["\xFF"], [100000000]); // cause a bailout
+    }
+}
+
+#[A]
+function B() {}
+
+$r = new \ReflectionFunction("B");
+call_user_func([$r->getAttributes(A::class)[0], 'newInstance']);
+?>
+--EXPECTF--
+<!-- init '%s' -->
+<file '%s'>
+  <!-- init A::__construct() -->
+  <A::__construct>
+
+Fatal error: Allowed memory size of %d bytes exhausted %s in %s on line %d
+  </A::__construct>
+</file '%s'>
