From: Dmitry Stogov
Date: Mon, 30 Oct 2017 22:20:38 +0000 (+0300)
Subject: Fixed use-after free introduced in fcc08ce19f39f7ab1381ecc8a010037d41819329
X-Git-Tag: php-7.3.0alpha1~1136
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=8482a6f51184c1c099a74c8252ca2b609f3b5ea7;p=php
Fixed use-after free introduced in fcc08ce19f39f7ab1381ecc8a010037d41819329
---
diff --git a/Zend/zend_inheritance.c b/Zend/zend_inheritance.c
index c200573ac8..98a3ae6459 100644
--- a/Zend/zend_inheritance.c
+++ b/Zend/zend_inheritance.c
@@ -775,6 +775,11 @@ static void do_inherit_class_constant(zend_string *name, zend_class_constant *pa
 if (Z_TYPE(parent_const->value) == IS_CONSTANT_AST) {
 ce->ce_flags &= ~ZEND_ACC_CONSTANTS_UPDATED;
 }
+ if (ce->type & ZEND_INTERNAL_CLASS) {
+ c = pemalloc(sizeof(zend_class_constant), 1);
+ memcpy(c, parent_const, sizeof(zend_class_constant));
+ parent_const = c;
+ }
 _zend_hash_append_ptr(&ce->constants_table, name, parent_const);
 }
 }
@@ -1003,6 +1008,11 @@ static void do_inherit_iface_constant(zend_string *name, zend_class_constant *c,
 if (Z_TYPE(c->value) == IS_CONSTANT_AST) {
 ce->ce_flags &= ~ZEND_ACC_CONSTANTS_UPDATED;
 }
+ if (ce->type & ZEND_INTERNAL_CLASS) {
+ ct = pemalloc(sizeof(zend_class_constant), 1);
+ memcpy(ct, c, sizeof(zend_class_constant));
+ c = ct;
+ }
 zend_hash_update_ptr(&ce->constants_table, name, c);
 }
 }
diff --git a/Zend/zend_opcode.c b/Zend/zend_opcode.c
index 2382afbfb9..3e01b3fc72 100644
--- a/Zend/zend_opcode.c
+++ b/Zend/zend_opcode.c
@@ -351,8 +351,8 @@ ZEND_API void destroy_zend_class(zval *zv)
 if (c->doc_comment) {
 zend_string_release(c->doc_comment);
 }
- free(c);
 }
+ free(c);
 } ZEND_HASH_FOREACH_END();
 zend_hash_destroy(&ce->constants_table);
 }
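Review bot: The private copy made for internal classes in do_inherit_class_constant is a plain `memcpy`, so the child's entry still aliases the parent's `value` and `doc_comment` without taking a reference, and nothing at the allocation site records who releases them. The same pattern appears in do_inherit_iface_constant with `ct`. I would add a comment above each `if (ce->type & ZEND_INTERNAL_CLASS)` line, for example `/* private struct so destroy_zend_class() can free() every entry; value and doc_comment are still shared with the declaring class */`. The aliasing presumably stays safe only while the declaring class is destroyed after every class that inherits from it, which should be confirmed since the hunks do not show it. Both function bodies start outside their hunks, including the declarations of `c` and `ct`.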
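Review bot: With `free(c)` moved out of the inner block in destroy_zend_class, every pointer stored in this class's constants_table is freed, so the loop is memory-safe only if no entry is ever shared with another class. The two inheritance paths patched in this commit now store copies, but any other path that puts a parent's `zend_class_constant *` into an internal class's table would become a double free here. The invariant deserves a comment next to the call, such as `/* every entry is a private persistent allocation of this class */`. Since the copies come from `pemalloc(..., 1)`, `pefree(c, 1);` would make the pairing easier to audit than a bare `free(c);`. The loop head and the condition guarding the inner block are outside the hunk, so the ownership test they apply is assumed rather than visible.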