Fixed use-after free introduced in fcc08ce19f39f7ab1381ecc8a010037d41819329

author Dmitry Stogov <dmitry@zend.com>

Mon, 30 Oct 2017 22:20:38 +0000 (01:20 +0300)

committer Dmitry Stogov <dmitry@zend.com>

Mon, 30 Oct 2017 22:20:38 +0000 (01:20 +0300)
author Dmitry Stogov <dmitry@zend.com>
Mon, 30 Oct 2017 22:20:38 +0000 (01:20 +0300)
committer Dmitry Stogov <dmitry@zend.com>
Mon, 30 Oct 2017 22:20:38 +0000 (01:20 +0300)
diff --git a/Zend/zend_inheritance.c b/Zend/zend_inheritance.c

index c200573ac850492edcd34bd1b6acae69809259e5..98a3ae6459242916b6e053a2437f4cc450bfd16e 100644 (file)
--- a/Zend/zend_inheritance.c
+++ b/Zend/zend_inheritance.c
@@ -775,6 +775,11 @@ static void do_inherit_class_constant(zend_string *name, zend_class_constant *pa
                 if (Z_TYPE(parent_const->value) == IS_CONSTANT_AST) {
                         ce->ce_flags &= ~ZEND_ACC_CONSTANTS_UPDATED;
                 }
+               if (ce->type & ZEND_INTERNAL_CLASS) {
+                       c = pemalloc(sizeof(zend_class_constant), 1);
+                       memcpy(c, parent_const, sizeof(zend_class_constant));
+                       parent_const = c;
+               }
                 _zend_hash_append_ptr(&ce->constants_table, name, parent_const);
         }
  }
@@ -1003,6 +1008,11 @@ static void do_inherit_iface_constant(zend_string *name, zend_class_constant *c,
                 if (Z_TYPE(c->value) == IS_CONSTANT_AST) {
                         ce->ce_flags &= ~ZEND_ACC_CONSTANTS_UPDATED;
                 }
+               if (ce->type & ZEND_INTERNAL_CLASS) {
+                       ct = pemalloc(sizeof(zend_class_constant), 1);
+                       memcpy(ct, c, sizeof(zend_class_constant));
+                       c = ct;
+               }
                 zend_hash_update_ptr(&ce->constants_table, name, c);
         }
  }
diff --git a/Zend/zend_opcode.c b/Zend/zend_opcode.c

index 2382afbfb93581ef94dc8a838cfb7d95a8b34fdb..3e01b3fc7274e406efd47fd28dd189a774b34e2f 100644 (file)
--- a/Zend/zend_opcode.c
+++ b/Zend/zend_opcode.c
@@ -351,8 +351,8 @@ ZEND_API void destroy_zend_class(zval *zv)
                                                 if (c->doc_comment) {
                                                         zend_string_release(c->doc_comment);
                                                 }
-                                               free(c);
                                         }
+                                       free(c);
                                 } ZEND_HASH_FOREACH_END();
                                 zend_hash_destroy(&ce->constants_table);
                         }
author	Dmitry Stogov <dmitry@zend.com>
	Mon, 30 Oct 2017 22:20:38 +0000 (01:20 +0300)
committer	Dmitry Stogov <dmitry@zend.com>
	Mon, 30 Oct 2017 22:20:38 +0000 (01:20 +0300)
Zend/zend_inheritance.c		patch \| blob \| history
Zend/zend_opcode.c		patch \| blob \| history