Merge branch 'PHP-7.4'

nikic · nikic · commit e45f7053cf2a · 2020-07-07T16:33:06.000+02:00
* PHP-7.4:
  Fixed bug #79793
diff --git a/Zend/tests/bug79793.phpt b/Zend/tests/bug79793.phpt
@@ -0,0 +1,32 @@
+--TEST--
+Bug #79793: Use after free if string used in undefined index warning is changed
+--FILE--
+<?php
+
+$key = "foo";
+$key .= "bar";
+set_error_handler(function($_, $m) use (&$key) {
+    echo "$m\n";
+    $key .= "baz";
+});
+
+$ary = [];
+$ary[$key]++;
+var_dump($ary);
+$ary[$key] += 1;
+var_dump($ary);
+
+?>
+--EXPECT--
+Undefined index: foobar
+array(1) {
+  ["foobar"]=>
+  int(1)
+}
+Undefined index: foobarbaz
+array(2) {
+  ["foobar"]=>
+  int(1)
+  ["foobarbaz"]=>
+  int(1)
+}
diff --git a/Zend/zend_execute.c b/Zend/zend_execute.c
@@ -2128,10 +2128,15 @@ static zend_always_inline zval *zend_fetch_dimension_address_inner(HashTable *ht
 					retval = &EG(uninitialized_zval);
 					break;
 				case BP_VAR_RW:
+					/* Key may be released while throwing the undefined index warning. */
+					zend_string_addref(offset_key);
 					if (UNEXPECTED(zend_undefined_index_write(ht, offset_key) == FAILURE)) {
+						zend_string_release(offset_key);
 						return NULL;
 					}
-					/* break missing intentionally */
+					retval = zend_hash_add_new(ht, offset_key, &EG(uninitialized_zval));
+					zend_string_release(offset_key);
+					break;
 				case BP_VAR_W:
 					retval = zend_hash_add_new(ht, offset_key, &EG(uninitialized_zval));
 					break;
diff --git a/ext/opcache/jit/zend_jit_helpers.c b/ext/opcache/jit/zend_jit_helpers.c
@@ -162,10 +162,14 @@ static zval* ZEND_FASTCALL zend_jit_hash_lookup_rw(HashTable *ht, zend_string *s
 			}
 		}
 	} else {
+		/* Key may be released while throwing the undefined index warning. */
+		zend_string_addref(str);
 		if (UNEXPECTED(zend_undefined_index_write(ht, str) == FAILURE)) {
+			zend_string_release(str);
 			return NULL;
 		}
-		retval = zend_hash_update(ht, str, &EG(uninitialized_zval));
+		retval = zend_hash_add_new(ht, str, &EG(uninitialized_zval));
+		zend_string_release(str);
 	}
 	return retval;
 }
@@ -229,10 +233,14 @@ static zval* ZEND_FASTCALL zend_jit_symtable_lookup_rw(HashTable *ht, zend_strin
 			}
 		}
 	} else {
+		/* Key may be released while throwing the undefined index warning. */
+		zend_string_addref(str);
 		if (UNEXPECTED(zend_undefined_index_write(ht, str) == FAILURE)) {
+			zend_string_release(str);
 			return NULL;
 		}
 		retval = zend_hash_add_new(ht, str, &EG(uninitialized_zval));
+		zend_string_release(str);
 	}
 	return retval;
 }
@@ -571,10 +579,14 @@ static zval* ZEND_FASTCALL zend_jit_fetch_dim_rw_helper(zend_array *ht, zval *di
 			}
 		}
 	} else {
+		/* Key may be released while throwing the undefined index warning. */
+		zend_string_addref(offset_key);
 		if (UNEXPECTED(zend_undefined_index_write(ht, offset_key) == FAILURE)) {
+			zend_string_release(offset_key);
 			return NULL;
 		}
 		retval = zend_hash_add_new(ht, offset_key, &EG(uninitialized_zval));
+		zend_string_release(offset_key);
 	}
 	return retval;
 

Original file line number	Diff line number	Diff line change
`@@ -162,10 +162,14 @@ static zval* ZEND_FASTCALL zend_jit_hash_lookup_rw(HashTable ht, zend_string s`
`162`	`162`	`}`
`163`	`163`	`}`
`164`	`164`	`} else {`
	`165`	`+ /* Key may be released while throwing the undefined index warning. */`
	`166`	`+ zend_string_addref(str);`
`165`	`167`	`if (UNEXPECTED(zend_undefined_index_write(ht, str) == FAILURE)) {`
	`168`	`+ zend_string_release(str);`
`166`	`169`	`return NULL;`
`167`	`170`	`}`
`168`		`- retval = zend_hash_update(ht, str, &EG(uninitialized_zval));`
	`171`	`+ retval = zend_hash_add_new(ht, str, &EG(uninitialized_zval));`
	`172`	`+ zend_string_release(str);`
`169`	`173`	`}`
`170`	`174`	`return retval;`
`171`	`175`	`}`
`@@ -229,10 +233,14 @@ static zval* ZEND_FASTCALL zend_jit_symtable_lookup_rw(HashTable *ht, zend_strin`
`229`	`233`	`}`
`230`	`234`	`}`
`231`	`235`	`} else {`
	`236`	`+ /* Key may be released while throwing the undefined index warning. */`
	`237`	`+ zend_string_addref(str);`
`232`	`238`	`if (UNEXPECTED(zend_undefined_index_write(ht, str) == FAILURE)) {`
	`239`	`+ zend_string_release(str);`
`233`	`240`	`return NULL;`
`234`	`241`	`}`
`235`	`242`	`retval = zend_hash_add_new(ht, str, &EG(uninitialized_zval));`
	`243`	`+ zend_string_release(str);`
`236`	`244`	`}`
`237`	`245`	`return retval;`
`238`	`246`	`}`
`@@ -571,10 +579,14 @@ static zval* ZEND_FASTCALL zend_jit_fetch_dim_rw_helper(zend_array ht, zval di`
`571`	`579`	`}`
`572`	`580`	`}`
`573`	`581`	`} else {`
	`582`	`+ /* Key may be released while throwing the undefined index warning. */`
	`583`	`+ zend_string_addref(offset_key);`
`574`	`584`	`if (UNEXPECTED(zend_undefined_index_write(ht, offset_key) == FAILURE)) {`
	`585`	`+ zend_string_release(offset_key);`
`575`	`586`	`return NULL;`
`576`	`587`	`}`
`577`	`588`	`retval = zend_hash_add_new(ht, offset_key, &EG(uninitialized_zval));`
	`589`	`+ zend_string_release(offset_key);`
`578`	`590`	`}`
`579`	`591`	`return retval;`
`580`	`592`