]> granicus.if.org Git - php/commitdiff
projects / php / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: d95c538)
Fix #79919: Stack use-after-scope in define()
authorChristoph M. Becker <cmbecker69@gmx.de>
Fri, 31 Jul 2020 07:12:22 +0000 (09:12 +0200)
committerChristoph M. Becker <cmbecker69@gmx.de>
Fri, 31 Jul 2020 08:54:41 +0000 (10:54 +0200)
Instead of the temporary `rv`, we use the `val_free` which is there for
this purpose.

NEWS patch | blob | history
Zend/tests/bug79919.phpt [new file with mode: 0644] patch | blob
Zend/zend_builtin_functions.c patch | blob | history

diff --git a/NEWS b/NEWS
index 1a5d787307b9449ffaa36265101c192b442def5c..ebdb9601eeb3ab6cba7e631fcd100b5913977b08 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -8,6 +8,7 @@ PHP                                                                        NEWS
   . Fixed bug #79806 (realpath() erroneously resolves link to link). (cmb)
   . Fixed bug #79895 (PHP_CHECK_GCC_ARG does not allow flags with equal sign).
     (Santiago M. Mola)
+  . Fixed bug #79919 (Stack use-after-scope in define()). (cmb)
 
 - LDAP:
   . Fixed memory leaks. (ptomulik)
diff --git a/Zend/tests/bug79919.phpt b/Zend/tests/bug79919.phpt
new file mode 100644 (file)
index 0000000..c135722
--- /dev/null
+++ b/Zend/tests/bug79919.phpt
@@ -0,0 +1,14 @@
+--TEST--
+Bug #79919 (Stack use-after-scope in define())
+--SKIPIF--
+<?php
+if (!extension_loaded('simplexml')) die('skip simplexml extension not available');
+?>
+--FILE--
+<?php
+$b = error_log(0);
+$b = simplexml_load_string('<xml/>', null, $b);
+define(0, $b);
+?>
+--EXPECT--
+0
diff --git a/Zend/zend_builtin_functions.c b/Zend/zend_builtin_functions.c
index bc3649a62229208a6a36617521370ffd7d2dc45c..468a7c3446aa6a27f728fe3dd05031c70d30a8ab 100644 (file)
--- a/Zend/zend_builtin_functions.c
+++ b/Zend/zend_builtin_functions.c
@@ -882,9 +882,7 @@ repeat:
                case IS_OBJECT:
                        if (Z_TYPE(val_free) == IS_UNDEF) {
                                if (Z_OBJ_HT_P(val)->get) {
-                                       zval rv;
-                                       val = Z_OBJ_HT_P(val)->get(val, &rv);
-                                       ZVAL_COPY_VALUE(&val_free, val);
+                                       val = Z_OBJ_HT_P(val)->get(val, &val_free);
                                        goto repeat;
                                } else if (Z_OBJ_HT_P(val)->cast_object) {
                                        if (Z_OBJ_HT_P(val)->cast_object(val, &val_free, IS_STRING) == SUCCESS) {
Unnamed repository; edit this file 'description' to name the repository.