Fix use-after-free when nullsafe used with constant LHS

author Nikita Popov <nikita.ppv@gmail.com>

Tue, 28 Jul 2020 07:48:13 +0000 (09:48 +0200)

committer Nikita Popov <nikita.ppv@gmail.com>

Tue, 28 Jul 2020 07:48:13 +0000 (09:48 +0200)
author Nikita Popov <nikita.ppv@gmail.com>
Tue, 28 Jul 2020 07:48:13 +0000 (09:48 +0200)
committer Nikita Popov <nikita.ppv@gmail.com>
Tue, 28 Jul 2020 07:48:13 +0000 (09:48 +0200)
diff --git a/Zend/tests/nullsafe_operator/029.phpt b/Zend/tests/nullsafe_operator/029.phpt

new file mode 100644 (file)

index 0000000..2aee652
--- /dev/null
+++ b/Zend/tests/nullsafe_operator/029.phpt
@@ -0,0 +1,8 @@
+--TEST--
+Refcount of constant LHS with nullsafe operator
+--FILE--
+<?php
+['']?->a;
+?>
+--EXPECTF--
+Warning: Attempt to read property "a" on array in %s on line %d
diff --git a/Zend/zend_compile.c b/Zend/zend_compile.c

index 28abcf272d9f92be7b2c36ce8c9b7d35b7005e32..ac9d54975641291bafd76cbb47c7bc5a61894d7f 100644 (file)
--- a/Zend/zend_compile.c
+++ b/Zend/zend_compile.c
@@ -2308,6 +2308,9 @@ static void zend_short_circuiting_commit(uint32_t checkpoint, znode *result, zen
  static void zend_emit_jmp_null(znode *obj_node)
  {
         uint32_t jmp_null_opnum = get_next_op_number();
+       if (obj_node->op_type == IS_CONST) {
+               Z_TRY_ADDREF(obj_node->u.constant);
+       }
         zend_emit_op(NULL, ZEND_JMP_NULL, obj_node, NULL);
         zend_stack_push(&CG(short_circuiting_opnums), &jmp_null_opnum);
  }
author	Nikita Popov <nikita.ppv@gmail.com>
	Tue, 28 Jul 2020 07:48:13 +0000 (09:48 +0200)
committer	Nikita Popov <nikita.ppv@gmail.com>
	Tue, 28 Jul 2020 07:48:13 +0000 (09:48 +0200)
Zend/tests/nullsafe_operator/029.phpt	[new file with mode: 0644]	patch \| blob
Zend/zend_compile.c		patch \| blob \| history