From: Nikita Popov
Date: Fri, 30 Oct 2020 10:11:16 +0000 (+0100)
Subject: Fixed bug #80290
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=3bd3651bcc3d374586b291195d1b3471f3f7287d;p=php
Fixed bug #80290
Dropping the dtor arg args[3] rather than using STR_COPY: Since PHP 8, we no longer support separation in call_user_function(), so we also don't need to worry about things like arguments being replaced with references.
---
diff --git a/NEWS b/NEWS
index 23c9ff8638..0884c32f3f 100644
--- a/NEWS
+++ b/NEWS
@@ -15,6 +15,8 @@ PHP NEWS
 - Standard:
 . Don't force rebuild of symbol table, when populating $http_response_header variable by the HTTP stream wrapper. (Dmitry)
+ . Fixed bug #80290 (Double free when ASSERT_CALLBACK is used with a dynamic
+ message). (Nikita)
 29 Oct 2020, PHP 8.0.0RC3
diff --git a/ext/standard/assert.c b/ext/standard/assert.c
index 382c0b87e4..86acaec389 100644
--- a/ext/standard/assert.c
+++ b/ext/standard/assert.c
@@ -181,15 +181,11 @@ PHP_FUNCTION(assert)
 if (description_str) {
 ZVAL_STR(&args[3], description_str);
 call_user_function(NULL, NULL, &ASSERTG(callback), &retval, 4, args);
- zval_ptr_dtor(&(args[3]));
- zval_ptr_dtor(&(args[2]));
- zval_ptr_dtor(&(args[0]));
 } else {
 call_user_function(NULL, NULL, &ASSERTG(callback), &retval, 3, args);
- zval_ptr_dtor(&(args[2]));
- zval_ptr_dtor(&(args[0]));
 }
+ zval_ptr_dtor(&args[0]);
 zval_ptr_dtor(&retval);
 }
diff --git a/ext/standard/tests/assert/bug80290.phpt b/ext/standard/tests/assert/bug80290.phpt
new file mode 100644
index 0000000000..ef345fd193
--- /dev/null
+++ b/ext/standard/tests/assert/bug80290.phpt
@@ -0,0 +1,21 @@
+--TEST--
+Bug #80290: Double free when ASSERT_CALLBACK is used with a dynamic message
+--FILE--
+--EXPECTF--
+string(18) "Dynamic message: x"
+
+Fatal error: Uncaught AssertionError: Dynamic message: x in %s:%d
+Stack trace:
+#0 %s(%d): assert(false, 'Dynamic message...')
+#1 {main}
+ thrown in %s on line %d
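Review bot: Nothing at `ZVAL_STR(&args[3], description_str);` in ext/standard/assert.c records that `args[3]` now borrows `description_str` without taking its own reference, which is the invariant the fix relies on. If a later cleanup re-adds a destructor call for `args[3]`, or call_user_function() regains argument separation, the string would be released twice again, which is the memory-safety bug this commit closes. I would put a comment on that line, for example `/* args[3] borrows description_str (no addref): never zval_ptr_dtor() it */`. The setup of `args[0]` to `args[2]` and the code that releases `description_str` lie outside the hunk, so the assumption that `args[2]` never holds a refcounted value cannot be checked from here.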