Fixed bug #80290
authorNikita Popov <nikita.ppv@gmail.com>
Fri, 30 Oct 2020 10:11:16 +0000 (11:11 +0100)
committerNikita Popov <nikita.ppv@gmail.com>
Fri, 30 Oct 2020 10:13:35 +0000 (11:13 +0100)
Dropping the dtor for args[3] rather than using STR_COPY: Since
PHP 8, we no longer support separation in call_user_function(),
so we also don't need to worry about things like arguments being
replaced with references.

NEWS
ext/standard/assert.c
ext/standard/tests/assert/bug80290.phpt [new file with mode: 0644]

diff --git a/NEWS b/NEWS
index 23c9ff8638f24f0fd74d5dfafa74ac6408ddfd32..0884c32f3fc4317720952aeff9802c7e26a75c9d 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -15,6 +15,8 @@ PHP                                                                        NEWS
 - Standard:
   . Don't force rebuild of symbol table, when populating $http_response_header
     variable by the HTTP stream wrapper. (Dmitry)
+  . Fixed bug #80290 (Double free when ASSERT_CALLBACK is used with a dynamic
+    message). (Nikita)
 
 29 Oct 2020, PHP 8.0.0RC3
 
index 382c0b87e46659a48125a65fe502356747c6929c..86acaec38984f3ac967dc3fc1dfa1877f1dd848b 100644 (file)
@@ -181,15 +181,11 @@ PHP_FUNCTION(assert)
                if (description_str) {
                        ZVAL_STR(&args[3], description_str);
                        call_user_function(NULL, NULL, &ASSERTG(callback), &retval, 4, args);
-                       zval_ptr_dtor(&(args[3]));
-                       zval_ptr_dtor(&(args[2]));
-                       zval_ptr_dtor(&(args[0]));
                } else {
                        call_user_function(NULL, NULL, &ASSERTG(callback), &retval, 3, args);
-                       zval_ptr_dtor(&(args[2]));
-                       zval_ptr_dtor(&(args[0]));
                }
 
+               zval_ptr_dtor(&args[0]);
                zval_ptr_dtor(&retval);
        }
 
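Review bot: Nothing in the new code records why `args[3]` gets no destructor call after `ZVAL_STR(&args[3], description_str)`, so a later cleanup could re-add the `zval_ptr_dtor` and bring back the double free from bug #80290. ZVAL_STR does not take a reference of its own, so the zval only borrows the string; I would add a comment above that line such as `/* args[3] borrows description_str without an addref; do not destroy it here */`. The destructor for `args[2]` is dropped as well, which is safe only if that slot holds a non-refcounted value; its initialisation is outside the hunk, so that should be confirmed. The body of PHP_FUNCTION(assert) starts and ends outside the hunk.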
diff --git a/ext/standard/tests/assert/bug80290.phpt b/ext/standard/tests/assert/bug80290.phpt
new file mode 100644 (file)
index 0000000..ef345fd
--- /dev/null
@@ -0,0 +1,21 @@
+--TEST--
+Bug #80290: Double free when ASSERT_CALLBACK is used with a dynamic message
+--FILE--
+<?php
+
+assert_options(ASSERT_CALLBACK, function($file, $line, $unused, $message) {
+    var_dump($message);
+});
+
+$x = 'x';
+assert(false, 'Dynamic message: ' . $x);
+
+?>
+--EXPECTF--
+string(18) "Dynamic message: x"
+
+Fatal error: Uncaught AssertionError: Dynamic message: x in %s:%d
+Stack trace:
+#0 %s(%d): assert(false, 'Dynamic message...')
+#1 {main}
+  thrown in %s on line %d
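Review bot: The regression test covers only a callback that receives `$message` by value, while the commit message justifies dropping the destructor by call_user_function() no longer replacing arguments with references. A second case whose callback declares `&$message` would pin that assumption down, so that a future change to argument passing shows up as a test failure rather than as a memory error; its expected output would probably have to account for a by-reference warning. The three-argument path (assert without a description) is not exercised here either, though it may already be covered by the existing assert tests.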