Fix #97836: Segfault in concat_function

nielsdos · nielsdos · commit 92b6bce0946e · 2022-12-04T22:42:47.000+01:00
The following sequence of actions was happening which caused a null
pointer dereference:
1. debug_backtrace() returns an array
2. The concatenation to $c will transform the array to a string via
   `zval_get_string_func` for op2 and output a warning.
   Note that zval op1 is of type string due to the first do-while
   sequence.
3. The warning of an implicit "array to string conversion" triggers
   the ob_start callback to run. This code transform $c (==op1) to a long.
4. The code below the 2 do-while sequences assume that both op1 and op2
   are strings, but this is no longer the case. A dereference of the
   string will therefore result in a null pointer dereference.

The solution used here is to work with the zend_string directly instead
of with the ops.
diff --git a/Zend/zend_operators.c b/Zend/zend_operators.c
@@ -1840,78 +1840,85 @@ ZEND_API zend_result ZEND_FASTCALL shift_right_function(zval *result, zval *op1,
 ZEND_API zend_result ZEND_FASTCALL concat_function(zval *result, zval *op1, zval *op2) /* {{{ */
 {
     zval *orig_op1 = op1;
-	zval op1_copy, op2_copy;
-
-	ZVAL_UNDEF(&op1_copy);
-	ZVAL_UNDEF(&op2_copy);
+	zend_string *op1_string, *op2_string = NULL;
+	bool op1_string_from_func = false;
+	bool op2_string_from_func = false;
 
 	do {
 	 	if (UNEXPECTED(Z_TYPE_P(op1) != IS_STRING)) {
 	 		if (Z_ISREF_P(op1)) {
 	 			op1 = Z_REFVAL_P(op1);
-	 			if (Z_TYPE_P(op1) == IS_STRING) break;
+	 			if (Z_TYPE_P(op1) == IS_STRING) {
+					op1_string = Z_STR_P(op1);
+					break;
+				}
 	 		}
 			ZEND_TRY_BINARY_OBJECT_OPERATION(ZEND_CONCAT);
-			ZVAL_STR(&op1_copy, zval_get_string_func(op1));
+			op1_string = zval_get_string_func(op1);
 			if (UNEXPECTED(EG(exception))) {
-				zval_ptr_dtor_str(&op1_copy);
 				if (orig_op1 != result) {
 					ZVAL_UNDEF(result);
 				}
 				return FAILURE;
 			}
+			op1_string_from_func = true;
 			if (result == op1) {
 				if (UNEXPECTED(op1 == op2)) {
-					op2 = &op1_copy;
+					op2_string = op1_string;
 				}
 			}
-			op1 = &op1_copy;
-		}
+		} else {
+			op1_string = Z_STR_P(op1);
+		 }
 	} while (0);
 	do {
-		if (UNEXPECTED(Z_TYPE_P(op2) != IS_STRING)) {
+		if (UNEXPECTED(!op2_string && Z_TYPE_P(op2) != IS_STRING)) {
 	 		if (Z_ISREF_P(op2)) {
 	 			op2 = Z_REFVAL_P(op2);
-	 			if (Z_TYPE_P(op2) == IS_STRING) break;
+	 			if (Z_TYPE_P(op2) == IS_STRING) {
+					op2_string = Z_STR_P(op2);
+					break;
+				}
 	 		}
 			ZEND_TRY_BINARY_OP2_OBJECT_OPERATION(ZEND_CONCAT);
-			ZVAL_STR(&op2_copy, zval_get_string_func(op2));
+			op2_string = zval_get_string_func(op2);
 			if (UNEXPECTED(EG(exception))) {
-				zval_ptr_dtor_str(&op1_copy);
-				zval_ptr_dtor_str(&op2_copy);
+				if (op1_string_from_func) zend_string_release(op1_string);
 				if (orig_op1 != result) {
 					ZVAL_UNDEF(result);
 				}
 				return FAILURE;
 			}
-			op2 = &op2_copy;
+			op2_string_from_func = true;
+		} else if (!op2_string) {
+			op2_string = Z_STR_P(op2);
 		}
 	} while (0);
 
-	if (UNEXPECTED(Z_STRLEN_P(op1) == 0)) {
-		if (EXPECTED(result != op2)) {
+	if (UNEXPECTED(ZSTR_LEN(op1_string) == 0)) {
+		if (EXPECTED(op2_string_from_func || result != op2)) {
 			if (result == orig_op1) {
 				i_zval_ptr_dtor(result);
 			}
-			ZVAL_COPY(result, op2);
+			ZVAL_STR_COPY(result, op2_string);
 		}
-	} else if (UNEXPECTED(Z_STRLEN_P(op2) == 0)) {
-		if (EXPECTED(result != op1)) {
+	} else if (UNEXPECTED(ZSTR_LEN(op2_string) == 0)) {
+		if (EXPECTED(op1_string_from_func || result != op1)) {
 			if (result == orig_op1) {
 				i_zval_ptr_dtor(result);
 			}
-			ZVAL_COPY(result, op1);
+			ZVAL_STR_COPY(result, op1_string);
 		}
 	} else {
-		size_t op1_len = Z_STRLEN_P(op1);
-		size_t op2_len = Z_STRLEN_P(op2);
+		size_t op1_len = ZSTR_LEN(op1_string);
+		size_t op2_len = ZSTR_LEN(op2_string);
 		size_t result_len = op1_len + op2_len;
 		zend_string *result_str;
 
 		if (UNEXPECTED(op1_len > ZSTR_MAX_LEN - op2_len)) {
+			if (op1_string_from_func) zend_string_release(op1_string);
+			if (op2_string_from_func) zend_string_release(op2_string);
 			zend_throw_error(NULL, "String size overflow");
-			zval_ptr_dtor_str(&op1_copy);
-			zval_ptr_dtor_str(&op2_copy);
 			if (orig_op1 != result) {
 				ZVAL_UNDEF(result);
 			}
@@ -1920,26 +1927,33 @@ ZEND_API zend_result ZEND_FASTCALL concat_function(zval *result, zval *op1, zval
 
 		if (result == op1 && Z_REFCOUNTED_P(result)) {
 			/* special case, perform operations on result */
-			result_str = zend_string_extend(Z_STR_P(result), result_len, 0);
+			result_str = zend_string_extend(op1_string, result_len, 0);
+			/* account for the case where result == op1 == op2 and the realloc is done */
+			if (op1_string == op2_string) {
+				op2_string = result_str;
+			}
+			if (op1_string_from_func) {
+				i_zval_ptr_dtor(result);
+				/* we will reuse the memory of op1_string */
+				op1_string_from_func = false;
+			}
 		} else {
 			result_str = zend_string_alloc(result_len, 0);
-			memcpy(ZSTR_VAL(result_str), Z_STRVAL_P(op1), op1_len);
+			memcpy(ZSTR_VAL(result_str), ZSTR_VAL(op1_string), op1_len);
 			if (result == orig_op1) {
 				i_zval_ptr_dtor(result);
 			}
 		}
 
-		/* This has to happen first to account for the cases where result == op1 == op2 and
-		 * the realloc is done. In this case this line will also update Z_STRVAL_P(op2) to
-		 * point to the new string. The first op2_len bytes of result will still be the same. */
 		ZVAL_NEW_STR(result, result_str);
 
-		memcpy(ZSTR_VAL(result_str) + op1_len, Z_STRVAL_P(op2), op2_len);
+		memcpy(ZSTR_VAL(result_str) + op1_len, ZSTR_VAL(op2_string), op2_len);
 		ZSTR_VAL(result_str)[result_len] = '\0';
 	}
 
-	zval_ptr_dtor_str(&op1_copy);
-	zval_ptr_dtor_str(&op2_copy);
+	if (op1_string_from_func) zend_string_release(op1_string);
+	if (op2_string_from_func) zend_string_release(op2_string);
+
 	return SUCCESS;
 }
 /* }}} */
