Fix array going away during sorting

iluuu1994 · iluuu1994 · commit 917040573f94 · 2024-10-31T01:16:02.000+01:00
Fixes GH-16648
diff --git a/Zend/tests/gh16648.phpt b/Zend/tests/gh16648.phpt
@@ -0,0 +1,49 @@
+--TEST--
+GH-16648: Use-after-free during array sorting
+--FILE--
+<?php
+
+function resize_arr() {
+    global $arr;
+    for ($i = 0; $i < 10; $i++) {
+        $arr[$i] = $i;
+    }
+}
+
+class C {
+    function __tostring() {
+        resize_arr();
+        return "3";
+    }
+}
+
+$arr = ["a" => "1", "3" => new C, "2" => "2"];
+asort($arr);
+var_dump($arr);
+
+?>
+--EXPECT--
+array(11) {
+  ["a"]=>
+  string(1) "1"
+  [3]=>
+  int(3)
+  [2]=>
+  int(2)
+  [0]=>
+  int(0)
+  [1]=>
+  int(1)
+  [4]=>
+  int(4)
+  [5]=>
+  int(5)
+  [6]=>
+  int(6)
+  [7]=>
+  int(7)
+  [8]=>
+  int(8)
+  [9]=>
+  int(9)
+}
diff --git a/Zend/zend_hash.c b/Zend/zend_hash.c
@@ -2880,6 +2880,10 @@ ZEND_API void ZEND_FASTCALL zend_hash_sort_ex(HashTable *ht, sort_func_t sort, b
 		zend_hash_packed_to_hash(ht); // TODO: ???
 	}
 
+	ZEND_ASSERT(!(GC_FLAGS(ht) & IS_ARRAY_IMMUTABLE));
+	/* Adding a refcount prevents the array from going away. */
+	GC_ADDREF(ht);
+
 	if (HT_IS_WITHOUT_HOLES(ht)) {
 		/* Store original order of elements in extra space to allow stable sorting. */
 		for (i = 0; i < ht->nNumUsed; i++) {
@@ -2954,6 +2958,16 @@ ZEND_API void ZEND_FASTCALL zend_hash_sort_ex(HashTable *ht, sort_func_t sort, b
 			zend_hash_rehash(ht);
 		}
 	}
+
+	if (UNEXPECTED(GC_DELREF(ht) == 0)) {
+		zend_array_destroy(ht);
+	} else {
+		/* The array _should_ be added to the gc buffer. However, this causes an
+		 * issue for non-user hashtables that use zend_hash_destroy(), which does
+		 * not remove the destroyed array from the gc buffer, assuming it was
+		 * never added. */
+		// gc_check_possible_root((zend_refcounted *)ht);
+	}
 }
 
 static zend_always_inline int zend_hash_compare_impl(HashTable *ht1, HashTable *ht2, compare_func_t compar, bool ordered) {
