Merge branch 'PHP-8.3'

iluuu1994 · iluuu1994 · commit aa006f1cf612 · 2024-07-16T12:44:01.000+02:00
* PHP-8.3:
  Fix use-after-free in property coercion with __toString()
diff --git a/Zend/tests/gh14969.phpt b/Zend/tests/gh14969.phpt
@@ -0,0 +1,47 @@
+--TEST--
+GH-14969: Crash on coercion with throwing __toString()
+--FILE--
+<?php
+
+class C {
+    public function __toString() {
+        global $c;
+        $c = [];
+        throw new Exception(__METHOD__);
+    }
+}
+
+class D {
+    public string $prop;
+}
+
+$c = new C();
+$d = new D();
+try {
+    $d->prop = $c;
+} catch (Throwable $e) {
+    echo $e->getMessage(), "\n";
+}
+var_dump($d);
+
+$c = new C();
+$d->prop = 'foo';
+try {
+    $d->prop = $c;
+} catch (Throwable $e) {
+    echo $e->getMessage(), "\n";
+}
+var_dump($d);
+
+?>
+--EXPECTF--
+C::__toString
+object(D)#%d (0) {
+  ["prop"]=>
+  uninitialized(string)
+}
+C::__toString
+object(D)#2 (1) {
+  ["prop"]=>
+  string(3) "foo"
+}
diff --git a/Zend/zend_object_handlers.c b/Zend/zend_object_handlers.c
@@ -974,7 +974,7 @@ ZEND_API zval *zend_std_write_property(zend_object *zobj, zend_string *name, zva
 					goto exit;
 				}
 				if (UNEXPECTED(!type_matched)) {
-					Z_TRY_DELREF_P(value);
+					zval_ptr_dtor(&tmp);
 					variable_ptr = &EG(error_zval);
 					goto exit;
 				}

Original file line number	Diff line number	Diff line change
`@@ -974,7 +974,7 @@ ZEND_API zval zend_std_write_property(zend_object zobj, zend_string *name, zva`
`974`	`974`	`goto exit;`
`975`	`975`	`}`
`976`	`976`	`if (UNEXPECTED(!type_matched)) {`
`977`		`- Z_TRY_DELREF_P(value);`
	`977`	`+ zval_ptr_dtor(&tmp);`
`978`	`978`	`variable_ptr = &EG(error_zval);`
`979`	`979`	`goto exit;`
`980`	`980`	`}`