(Nikita)
. Fixed bug #79784 (Use after free if changing array during undef var during
array write fetch). (Nikita)
+ . Fixed bug #79793 (Use after free if string used in undefined index warning
+ is changed). (Nikita)
- Fileinfo:
. Fixed bug #79756 (finfo_file crash (FILEINFO_MIME)). (cmb)
--- /dev/null
+--TEST--
+Bug #79793: Use after free if string used in undefined index warning is changed
+--FILE--
+<?php
+
+$key = "foo";
+$key .= "bar";
+set_error_handler(function($_, $m) use (&$key) {
+ echo "$m\n";
+ $key .= "baz";
+});
+
+$ary = [];
+$ary[$key]++;
+var_dump($ary);
+$ary[$key] += 1;
+var_dump($ary);
+
+?>
+--EXPECT--
+Undefined index: foobar
+array(1) {
+ ["foobar"]=>
+ int(1)
+}
+Undefined index: foobarbaz
+array(2) {
+ ["foobar"]=>
+ int(1)
+ ["foobarbaz"]=>
+ int(1)
+}
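Review bot: The setup on lines `$key = "foo"; $key .= "bar";` carries the whole point of the regression test but nothing says why the key is not written as the literal `"foobar"`; a literal would be an interned string, and the handler's `$key .= "baz"` could not free the buffer the engine is still holding, so the use-after-free would never be reproduced. I would add `// Build $key by concatenation so it is a refcounted (non-interned) string` above the first line and `// Mutating the key inside the handler releases the old string while the engine still uses it` above `$key .= "baz";`. It would also help to state in a one-line comment that `++` and `+= 1` are chosen because both go through the read-write (BP_VAR_RW) fetch that emits the undefined-index warning, which is the path the fix covers. The `--EXPECT--` section pins the exact "Undefined index:" wording, so the expectation will need updating if the test is carried to a branch where that message text differs; this is presumably the intended branch, so worth a note rather than a change.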
retval = &EG(uninitialized_zval);
break;
case BP_VAR_RW:
+ /* Key may be released while throwing the undefined index warning. */
+ zend_string_addref(offset_key);
if (UNEXPECTED(zend_undefined_index_write(ht, offset_key) == FAILURE)) {
+ zend_string_release(offset_key);
return NULL;
}
- /* break missing intentionally */
+ retval = zend_hash_add_new(ht, offset_key, &EG(uninitialized_zval));
+ zend_string_release(offset_key);
+ break;
case BP_VAR_W:
retval = zend_hash_add_new(ht, offset_key, &EG(uninitialized_zval));
break;