Fix use-after-free in write_property when object is released

iluuu1994 · iluuu1994 · commit 4af0dcc4e51a · 2022-12-28T22:54:44.000+01:00
Fixes GH-10169
diff --git a/Zend/tests/gh10169.phpt b/Zend/tests/gh10169.phpt
@@ -0,0 +1,37 @@
+--TEST--
+GH-10169
+--FILE--
+<?php
+class A
+{
+    public string $prop;
+}
+class B
+{
+    public function __toString()
+    {
+        global $a;
+        $a = null;
+        return str_repeat('a', 1);
+    }
+}
+
+$a = new A();
+try {
+    $a->prop = new B();
+} catch (Error $e) {
+    echo $e->getMessage(), "\n";
+}
+
+$a = new A();
+$a->prop = '';
+try {
+    $a->prop = new B();
+} catch (Error $e) {
+    echo $e->getMessage(), "\n";
+}
+
+?>
+--EXPECT--
+Object was released while assigning property A::$prop
+Object was released while assigning property A::$prop
diff --git a/Zend/zend_object_handlers.c b/Zend/zend_object_handlers.c
@@ -819,7 +819,20 @@ ZEND_API zval *zend_std_write_property(zend_object *zobj, zend_string *name, zva
 				}
 
 				ZVAL_COPY_VALUE(&tmp, value);
-				if (UNEXPECTED(!zend_verify_property_type(prop_info, &tmp, property_uses_strict_types()))) {
+				// Increase refcount to prevent object from being released in __toString()
+				GC_ADDREF(zobj);
+				bool type_matched = zend_verify_property_type(prop_info, &tmp, property_uses_strict_types());
+				if (UNEXPECTED(GC_DELREF(zobj) == 0)) {
+					zend_throw_error(NULL, "Object was released while assigning property %s::$%s",
+						ZSTR_VAL(prop_info->ce->name), zend_get_unmangled_property_name(prop_info->name));
+					zend_objects_store_del(zobj);
+					zval_ptr_dtor(&tmp);
+					variable_ptr = &EG(error_zval);
+					goto exit;
+				} else if (UNEXPECTED(GC_MAY_LEAK((zend_refcounted *)zobj))) {
+					gc_possible_root((zend_refcounted *)zobj);
+				}
+				if (UNEXPECTED(!type_matched)) {
 					Z_TRY_DELREF_P(value);
 					variable_ptr = &EG(error_zval);
 					goto exit;
@@ -890,7 +903,21 @@ ZEND_API zval *zend_std_write_property(zend_object *zobj, zend_string *name, zva
 				}
 
 				ZVAL_COPY_VALUE(&tmp, value);
-				if (UNEXPECTED(!zend_verify_property_type(prop_info, &tmp, property_uses_strict_types()))) {
+
+				// Increase refcount to prevent object from being released in __toString()
+				GC_ADDREF(zobj);
+				bool type_matched = zend_verify_property_type(prop_info, &tmp, property_uses_strict_types());
+				if (UNEXPECTED(GC_DELREF(zobj) == 0)) {
+					zend_throw_error(NULL, "Object was released while assigning property %s::$%s",
+						ZSTR_VAL(prop_info->ce->name), zend_get_unmangled_property_name(prop_info->name));
+					zend_objects_store_del(zobj);
+					zval_ptr_dtor(&tmp);
+					variable_ptr = &EG(error_zval);
+					goto exit;
+				} else if (UNEXPECTED(GC_MAY_LEAK((zend_refcounted *)zobj))) {
+					gc_possible_root((zend_refcounted *)zobj);
+				}
+				if (UNEXPECTED(!type_matched)) {
 					zval_ptr_dtor(value);
 					goto exit;
 				}
