Fixed bug #79818

nikic · nikic · commit 6556846754b6 · 2020-07-10T14:36:50.000+02:00
Only destroy the variable directly before reassigning it. The
value could be read in the meantime.
diff --git a/Zend/tests/bug79818.phpt b/Zend/tests/bug79818.phpt
@@ -0,0 +1,15 @@
+--TEST--
+Bug #79818: BIND_STATIC frees old variable value too early
+--FILE--
+<?php
+function test($a) {
+    static $a = UNDEFINED;
+}
+test(new stdClass);
+?>
+--EXPECTF--
+Fatal error: Uncaught Error: Undefined constant 'UNDEFINED' in %s:%d
+Stack trace:
+#0 %s(%d): test(Object(stdClass))
+#1 {main}
+  thrown in %s on line %d
diff --git a/Zend/zend_vm_def.h b/Zend/zend_vm_def.h
@@ -8231,7 +8231,6 @@ ZEND_VM_HANDLER(183, ZEND_BIND_STATIC, CV, UNUSED, REF)
 	zval *variable_ptr;
 
 	variable_ptr = GET_OP1_ZVAL_PTR_PTR_UNDEF(BP_VAR_W);
-	i_zval_ptr_dtor(variable_ptr);
 
 	ht = ZEND_MAP_PTR_GET(EX(func)->op_array.static_variables_ptr);
 	if (!ht) {
@@ -8252,10 +8251,11 @@ ZEND_VM_HANDLER(183, ZEND_BIND_STATIC, CV, UNUSED, REF)
 		if (Z_TYPE_P(value) == IS_CONSTANT_AST) {
 			SAVE_OPLINE();
 			if (UNEXPECTED(zval_update_constant_ex(value, EX(func)->op_array.scope) != SUCCESS)) {
-				ZVAL_NULL(variable_ptr);
 				HANDLE_EXCEPTION();
 			}
 		}
+
+		i_zval_ptr_dtor(variable_ptr);
 		if (UNEXPECTED(!Z_ISREF_P(value))) {
 			zend_reference *ref = (zend_reference*)emalloc(sizeof(zend_reference));
 			GC_SET_REFCOUNT(ref, 2);
@@ -8270,6 +8270,7 @@ ZEND_VM_HANDLER(183, ZEND_BIND_STATIC, CV, UNUSED, REF)
 			ZVAL_REF(variable_ptr, Z_REF_P(value));
 		}
 	} else {
+		i_zval_ptr_dtor(variable_ptr);
 		ZVAL_COPY(variable_ptr, value);
 	}
 
diff --git a/Zend/zend_vm_execute.h b/Zend/zend_vm_execute.h
@@ -45225,7 +45225,6 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_BIND_STATIC_SPEC_CV_UNUSED_HAN
 	zval *variable_ptr;
 
 	variable_ptr = EX_VAR(opline->op1.var);
-	i_zval_ptr_dtor(variable_ptr);
 
 	ht = ZEND_MAP_PTR_GET(EX(func)->op_array.static_variables_ptr);
 	if (!ht) {
@@ -45246,10 +45245,11 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_BIND_STATIC_SPEC_CV_UNUSED_HAN
 		if (Z_TYPE_P(value) == IS_CONSTANT_AST) {
 			SAVE_OPLINE();
 			if (UNEXPECTED(zval_update_constant_ex(value, EX(func)->op_array.scope) != SUCCESS)) {
-				ZVAL_NULL(variable_ptr);
 				HANDLE_EXCEPTION();
 			}
 		}
+
+		i_zval_ptr_dtor(variable_ptr);
 		if (UNEXPECTED(!Z_ISREF_P(value))) {
 			zend_reference *ref = (zend_reference*)emalloc(sizeof(zend_reference));
 			GC_SET_REFCOUNT(ref, 2);
@@ -45264,6 +45264,7 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_BIND_STATIC_SPEC_CV_UNUSED_HAN
 			ZVAL_REF(variable_ptr, Z_REF_P(value));
 		}
 	} else {
+		i_zval_ptr_dtor(variable_ptr);
 		ZVAL_COPY(variable_ptr, value);
 	}
 

Original file line number	Diff line number	Diff line change
`@@ -8231,7 +8231,6 @@ ZEND_VM_HANDLER(183, ZEND_BIND_STATIC, CV, UNUSED, REF)`
`8231`	`8231`	`zval *variable_ptr;`
`8232`	`8232`
`8233`	`8233`	`variable_ptr = GET_OP1_ZVAL_PTR_PTR_UNDEF(BP_VAR_W);`
`8234`		`- i_zval_ptr_dtor(variable_ptr);`
`8235`	`8234`
`8236`	`8235`	`ht = ZEND_MAP_PTR_GET(EX(func)->op_array.static_variables_ptr);`
`8237`	`8236`	`if (!ht) {`
`@@ -8252,10 +8251,11 @@ ZEND_VM_HANDLER(183, ZEND_BIND_STATIC, CV, UNUSED, REF)`
`8252`	`8251`	`if (Z_TYPE_P(value) == IS_CONSTANT_AST) {`
`8253`	`8252`	`SAVE_OPLINE();`
`8254`	`8253`	`if (UNEXPECTED(zval_update_constant_ex(value, EX(func)->op_array.scope) != SUCCESS)) {`
`8255`		`- ZVAL_NULL(variable_ptr);`
`8256`	`8254`	`HANDLE_EXCEPTION();`
`8257`	`8255`	`}`
`8258`	`8256`	`}`
	`8257`	`+`
	`8258`	`+ i_zval_ptr_dtor(variable_ptr);`
`8259`	`8259`	`if (UNEXPECTED(!Z_ISREF_P(value))) {`
`8260`	`8260`	`zend_reference ref = (zend_reference)emalloc(sizeof(zend_reference));`
`8261`	`8261`	`GC_SET_REFCOUNT(ref, 2);`
`@@ -8270,6 +8270,7 @@ ZEND_VM_HANDLER(183, ZEND_BIND_STATIC, CV, UNUSED, REF)`
`8270`	`8270`	`ZVAL_REF(variable_ptr, Z_REF_P(value));`
`8271`	`8271`	`}`
`8272`	`8272`	`} else {`
	`8273`	`+ i_zval_ptr_dtor(variable_ptr);`
`8273`	`8274`	`ZVAL_COPY(variable_ptr, value);`
`8274`	`8275`	`}`
`8275`	`8276`
Original file line number	Diff line number	Diff line change
`@@ -45225,7 +45225,6 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_BIND_STATIC_SPEC_CV_UNUSED_HAN`
`45225`	`45225`	`zval *variable_ptr;`
`45226`	`45226`
`45227`	`45227`	`variable_ptr = EX_VAR(opline->op1.var);`
`45228`		`- i_zval_ptr_dtor(variable_ptr);`
`45229`	`45228`
`45230`	`45229`	`ht = ZEND_MAP_PTR_GET(EX(func)->op_array.static_variables_ptr);`
`45231`	`45230`	`if (!ht) {`
`@@ -45246,10 +45245,11 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_BIND_STATIC_SPEC_CV_UNUSED_HAN`
`45246`	`45245`	`if (Z_TYPE_P(value) == IS_CONSTANT_AST) {`
`45247`	`45246`	`SAVE_OPLINE();`
`45248`	`45247`	`if (UNEXPECTED(zval_update_constant_ex(value, EX(func)->op_array.scope) != SUCCESS)) {`
`45249`		`- ZVAL_NULL(variable_ptr);`
`45250`	`45248`	`HANDLE_EXCEPTION();`
`45251`	`45249`	`}`
`45252`	`45250`	`}`
	`45251`	`+`
	`45252`	`+ i_zval_ptr_dtor(variable_ptr);`
`45253`	`45253`	`if (UNEXPECTED(!Z_ISREF_P(value))) {`
`45254`	`45254`	`zend_reference ref = (zend_reference)emalloc(sizeof(zend_reference));`
`45255`	`45255`	`GC_SET_REFCOUNT(ref, 2);`
`@@ -45264,6 +45264,7 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_BIND_STATIC_SPEC_CV_UNUSED_HAN`
`45264`	`45264`	`ZVAL_REF(variable_ptr, Z_REF_P(value));`
`45265`	`45265`	`}`
`45266`	`45266`	`} else {`
	`45267`	`+ i_zval_ptr_dtor(variable_ptr);`
`45267`	`45268`	`ZVAL_COPY(variable_ptr, value);`
`45268`	`45269`	`}`
`45269`	`45270`