From: Nikita Popov Date: Sun, 7 Jun 2020 08:24:03 +0000 (+0200) Subject: Fix free of uninitialized memory in attributes X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=68fdad82c9a3d1d1fc03975b7b91fdb940c621e0;p=php Fix free of uninitialized memory in attributes Fixes OSS-Fuzz #23140.
---
diff --git a/Zend/tests/attributes/018_fatal_error_in_argument.phpt b/Zend/tests/attributes/018_fatal_error_in_argument.phpt
new file mode 100644
index 0000000000..a950c8658a
--- /dev/null
+++ b/Zend/tests/attributes/018_fatal_error_in_argument.phpt
@@ -0,0 +1,11 @@
+--TEST--
+Don't free uninitialized memory if a fatal error occurs in an attribute argument
+--FILE--
+b::c)>>
+function test() {}
+
+?>
+--EXPECTF--
+Fatal error: Dynamic class names are not allowed in compile-time class constant references in %s on line %d
diff --git a/Zend/zend_attributes.c b/Zend/zend_attributes.c
index b9bd467acf..935f37e5b9 100644
--- a/Zend/zend_attributes.c
+++ b/Zend/zend_attributes.c
@@ -113,6 +113,11 @@ ZEND_API zend_attribute *zend_add_attribute(HashTable **attributes, zend_bool pe
 attr->offset = offset;
 attr->argc = argc;
+ /* Initialize arguments to avoid partial initialization in case of fatal errors. */
+ for (uint32_t i = 0; i < argc; i++) {
+ ZVAL_UNDEF(&attr->argv[i]);
+ }
+
 zend_hash_next_index_insert_ptr(*attributes, attr);
 return attr;
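Review bot: The added comment in zend_add_attribute() says what the loop avoids but not the invariant it establishes, and that invariant is what keeps this fix from regressing: every slot in `argv[0..argc)` has to be in a defined state before `zend_hash_next_index_insert_ptr()` makes `attr` reachable from `*attributes`. Presumably the caller fills the slots one at a time and the attribute's destructor walks all `argc` entries, so a fatal error partway through would otherwise hand uninitialized zvals to the free path; neither is visible in this hunk, so that should be confirmed against the caller. I would word the comment as `/* Mark every argv slot IS_UNDEF before attr is inserted: arguments are filled in later, and a fatal error in between must not leave uninitialized zvals for the destructor. */`. The function body starts before the hunk, so the allocation of `attr` is not shown here.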