Protect against recursive instantiation

nikic · nikic · commit a7d70c6c18d2 · 2021-03-04T16:50:24.000+01:00
diff --git a/Zend/tests/constexpr/new_recursion.phpt b/Zend/tests/constexpr/new_recursion.phpt
@@ -0,0 +1,74 @@
+--TEST--
+new recursion in property default value
+--FILE--
+<?php
+
+class Test {
+    public $test = new Test;
+}
+
+try {
+    new Test;
+} catch (Error $e) {
+    echo $e->getMessage(), "\n";
+}
+
+class Test2 {
+    // Check property name unmangling.
+    private $test = new Test2;
+}
+
+try {
+    new Test2;
+} catch (Error $e) {
+    echo $e->getMessage(), "\n";
+}
+
+// Check mutual recursion.
+class Test3 {
+    public $test4 = new Test4;
+}
+class Test4 {
+    public $test3 = new Test3;
+}
+
+try {
+    new Test3;
+} catch (Error $e) {
+    echo $e->getMessage(), "\n";
+}
+try {
+    new Test4;
+} catch (Error $e) {
+    echo $e->getMessage(), "\n";
+}
+
+// Mutual recursion through constructor.
+class Test5 {
+    public $test6 = new Test6;
+}
+class Test6 {
+    public function __construct() {
+        new Test5;
+    }
+}
+
+try {
+    new Test5;
+} catch (Error $e) {
+    echo $e->getMessage(), "\n";
+}
+try {
+    new Test6;
+} catch (Error $e) {
+    echo $e->getMessage(), "\n";
+}
+
+?>
+--EXPECT--
+Trying to recursively instantiate Test while evaluating default value for Test::$test
+Trying to recursively instantiate Test2 while evaluating default value for Test2::$test
+Trying to recursively instantiate Test3 while evaluating default value for Test3::$test4
+Trying to recursively instantiate Test4 while evaluating default value for Test4::$test3
+Trying to recursively instantiate Test5 while evaluating default value for Test5::$test6
+Trying to recursively instantiate Test5 while evaluating default value for Test5::$test6
diff --git a/Zend/zend_API.c b/Zend/zend_API.c
@@ -1477,11 +1477,24 @@ static zend_always_inline zend_result _object_properties_init(zend_object *objec
 				ZVAL_COPY_PROP(dst, src);
 				if (Z_TYPE_P(dst) == IS_CONSTANT_AST) {
 					zend_property_info *prop_info = zend_get_property_info_for_slot(object, dst);
-					if (zval_update_constant_ex(dst, prop_info->ce) == FAILURE
-							|| (ZEND_TYPE_IS_SET(prop_info->type)
-								&& !zend_verify_property_type(prop_info, dst, /* strict */ 1))) {
-						zval_ptr_dtor_nogc(dst);
+					if (Z_EXTRA_P(src)) {
+						zend_throw_error(NULL,
+							"Trying to recursively instantiate %s "
+							"while evaluating default value for %s::$%s",
+							ZSTR_VAL(class_type->name), ZSTR_VAL(prop_info->ce->name),
+							zend_get_unmangled_property_name(prop_info->name));
+						goto failure;
+					}
+
+					Z_EXTRA_P(src) = 1;
+					zend_result result = zval_update_constant_ex(dst, prop_info->ce);
+					Z_EXTRA_P(src) = 0;
+
+					if (result == FAILURE || (ZEND_TYPE_IS_SET(prop_info->type)
+							&& !zend_verify_property_type(prop_info, dst, /* strict */ 1))) {
+failure:
 						/* On failure, initialize the remaining properties with UNDEF. */
+						zval_ptr_dtor_nogc(dst);
 						do {
 							ZVAL_UNDEF(dst);
 							src++;
