From: Nikita Popov
Date: Tue, 7 Jul 2020 14:24:13 +0000 (+0200)
Subject: Fixed bug #79793
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=77acc8a069acbdd0e4ab0ac43f7d676a23e413a1;p=php

Fixed bug #79793

Make sure the string key is not released while throwing the undefined index warning.
---
diff --git a/NEWS b/NEWS
index bfe7b596eb..6c35059e5e 100644
--- a/NEWS
+++ b/NEWS
@@ -23,6 +23,8 @@ PHP NEWS
 (Nikita)
 . Fixed bug #79784 (Use after free if changing array during undef var during array write fetch). (Nikita)
+ . Fixed bug #79793 (Use after free if string used in undefined index warning
+ is changed). (Nikita)
 - Fileinfo:
 . Fixed bug #79756 (finfo_file crash (FILEINFO_MIME)). (cmb)
diff --git a/Zend/tests/bug79793.phpt b/Zend/tests/bug79793.phpt
new file mode 100644
index 0000000000..9e4e2e20be
--- /dev/null
+++ b/Zend/tests/bug79793.phpt
@@ -0,0 +1,32 @@
+--TEST--
+Bug #79793: Use after free if string used in undefined index warning is changed
+--FILE--
+--EXPECT--
+Undefined index: foobar
+array(1) {
+ ["foobar"]=>
+ int(1)
+}
+Undefined index: foobarbaz
+array(2) {
+ ["foobar"]=>
+ int(1)
+ ["foobarbaz"]=>
+ int(1)
+}
diff --git a/Zend/zend_execute.c b/Zend/zend_execute.c
index 5aed92ff45..59c151fe66 100644
--- a/Zend/zend_execute.c
+++ b/Zend/zend_execute.c
@@ -2181,10 +2181,15 @@ str_index:
 retval = &EG(uninitialized_zval);
 break;
 case BP_VAR_RW:
+ /* Key may be released while throwing the undefined index warning. */
+ zend_string_addref(offset_key);
 if (UNEXPECTED(zend_undefined_index_write(ht, offset_key) == FAILURE)) {
+ zend_string_release(offset_key);
 return NULL;
 }
- /* break missing intentionally */
+ retval = zend_hash_add_new(ht, offset_key, &EG(uninitialized_zval));
+ zend_string_release(offset_key);
+ break;
 case BP_VAR_W:
 retval = zend_hash_add_new(ht, offset_key, &EG(uninitialized_zval));
 break;
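Review bot: The comment added before `zend_string_addref(offset_key)` in the BP_VAR_RW case of the zend_execute.c hunk says the key may be released but not why, and the why is also what justifies placing the final `zend_string_release(offset_key)` after `zend_hash_add_new` rather than before it. I would expand it to `/* The undefined-index warning can invoke a user error handler that changes the variable holding the key and drops its last reference; hold our own reference until the hash table has taken one of its own in zend_hash_add_new(). */`. The enclosing function and the `str_index:` label begin outside the hunk, so the origin of `offset_key` is not visible here; presumably it is borrowed from the operand zval rather than owned, which is what makes the extra reference necessary. Other call sites in this file that pass a borrowed key to `zend_undefined_index_write` may have the same hazard, though none are visible in this diff, so an audit of those callers seems worthwhile. Replacing the intentional fall-through with a duplicated `zend_hash_add_new` call is a reasonable trade for keeping the release adjacent to the insert that consumes the key.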