Fix use-after-free on object released in hook

iluuu1994 · iluuu1994 · commit f6907b759a89 · 2024-09-25T17:58:13.000+02:00
Fixes GH-16040
diff --git a/Zend/tests/property_hooks/gh16040.phpt b/Zend/tests/property_hooks/gh16040.phpt
@@ -0,0 +1,20 @@
+--TEST--
+GH-16040: Use-after-free on object released in hook
+--FILE--
+<?php
+
+class A {
+    public $bar {
+        get {
+            $GLOBALS['a'] = null;
+            return 42;
+        }
+    }
+}
+
+$a = new A();
+var_dump($a->bar);
+
+?>
+--EXPECT--
+int(42)
diff --git a/Zend/zend_object_handlers.c b/Zend/zend_object_handlers.c
@@ -828,8 +828,8 @@ ZEND_API zval *zend_std_read_property(zend_object *zobj, zend_string *name, int
 
 		if (EXPECTED(cache_slot
 		 && zend_execute_ex == execute_ex
-		 && zobj->ce->default_object_handlers->read_property == zend_std_read_property
-		 && !zobj->ce->create_object
+		 && ce->default_object_handlers->read_property == zend_std_read_property
+		 && !ce->create_object
 		 && !zend_is_in_hook(prop_info)
 		 && !(prop_info->hooks[ZEND_PROPERTY_HOOK_GET]->common.fn_flags & ZEND_ACC_RETURN_REFERENCE))) {
 			ZEND_SET_PROPERTY_HOOK_SIMPLE_GET(cache_slot);
