Merge branch 'PHP-8.1' into PHP-8.2

iluuu1994 · iluuu1994 · commit 4f1f77c51b28 · 2023-10-19T15:23:00.000+02:00
* PHP-8.1:
  Fix double-free of doc_comment when overriding static property via trait
diff --git a/NEWS b/NEWS
@@ -6,6 +6,8 @@ PHP                                                                        NEWS
   . Fixed double-free of non-interned enum case name. (ilutov)
   . Fixed bug GH-12457 (Incorrect result of stripos with single character
     needle). (SakiTakamachi)
+  . Fixed bug GH-12468 (Double-free of doc_comment when overriding static
+    property via trait). (ilutov)
 
 - DOM:
   . Fix registerNodeClass with abstract class crashing. (nielsdos)
diff --git a/Zend/tests/gh12468_1.phpt b/Zend/tests/gh12468_1.phpt
@@ -0,0 +1,18 @@
+--TEST--
+GH-12468: Double-free of doc_comment when overriding static property via trait
+--FILE--
+<?php
+trait T {
+	/** some doc */
+	static protected $a = 0;
+}
+class A {
+	use T;
+}
+class B extends A {
+	use T;
+}
+?>
+===DONE===
+--EXPECT--
+===DONE===
diff --git a/Zend/tests/gh12468_2.phpt b/Zend/tests/gh12468_2.phpt
@@ -0,0 +1,19 @@
+--TEST--
+GH-12468: Double-free of doc_comment when overriding static property via trait
+--FILE--
+<?php
+trait T {
+	/** some doc */
+	static protected $a = 0;
+}
+class A {
+	/** some doc */
+	static protected $a = 0;
+}
+class B extends A {
+	use T;
+}
+?>
+===DONE===
+--EXPECT--
+===DONE===
diff --git a/Zend/zend_API.c b/Zend/zend_API.c
@@ -4199,7 +4199,7 @@ ZEND_API zend_property_info *zend_declare_typed_property(zend_class_entry *ce, z
 		    (property_info_ptr->flags & ZEND_ACC_STATIC) != 0) {
 			property_info->offset = property_info_ptr->offset;
 			zval_ptr_dtor(&ce->default_static_members_table[property_info->offset]);
-			if (property_info_ptr->doc_comment) {
+			if (property_info_ptr->doc_comment && property_info_ptr->ce == ce) {
 				zend_string_release(property_info_ptr->doc_comment);
 			}
 			zend_hash_del(&ce->properties_info, name);
@@ -4220,7 +4220,7 @@ ZEND_API zend_property_info *zend_declare_typed_property(zend_class_entry *ce, z
 		    (property_info_ptr->flags & ZEND_ACC_STATIC) == 0) {
 			property_info->offset = property_info_ptr->offset;
 			zval_ptr_dtor(&ce->default_properties_table[OBJ_PROP_TO_NUM(property_info->offset)]);
-			if (property_info_ptr->doc_comment) {
+			if (property_info_ptr->doc_comment && property_info_ptr->ce == ce) {
 				zend_string_release_ex(property_info_ptr->doc_comment, 1);
 			}
 			zend_hash_del(&ce->properties_info, name);
