From: Nikita Popov Date: Fri, 4 Oct 2019 08:38:11 +0000 (+0200) Subject: Fix use-after-free with delayed interned memoized const operand X-Git-Tag: php-7.4.0RC4~60 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=9659562cb5422099cc1286263e0ef883dab4d647;p=php Fix use-after-free with delayed interned memoized const operand We should addref CONST operands during memoization, as they might be destroyed by later compilation, e.g. through interning. --- diff --git a/Zend/tests/assign_coalesce_006.phpt b/Zend/tests/assign_coalesce_006.phpt new file mode 100644 index 0000000000..dfe43b3c29 --- /dev/null +++ b/Zend/tests/assign_coalesce_006.phpt @@ -0,0 +1,12 @@ +--TEST-- +Null coalesce assign with memoized constant operand that is later interned (OSS-Fuzz #17903) +--FILE-- + +--EXPECTF-- +array(1) { + ["%s"]=> + int(42) +} diff --git a/Zend/zend_compile.c b/Zend/zend_compile.c index 8f545ce51f..9132656d41 100644 --- a/Zend/zend_compile.c +++ b/Zend/zend_compile.c @@ -2054,6 +2054,9 @@ static void zend_compile_memoized_expr(znode *result, zend_ast *expr) /* {{{ */ } else if (result->op_type == IS_TMP_VAR) { zend_emit_op_tmp(&memoized_result, ZEND_COPY_TMP, result, NULL); } else { + if (result->op_type == IS_CONST) { + Z_TRY_ADDREF(result->u.constant); + } memoized_result = *result; } @@ -7540,7 +7543,11 @@ void zend_compile_coalesce(znode *result, zend_ast *ast) /* {{{ */ /* }}} */ static void znode_dtor(zval *zv) { - efree(Z_PTR_P(zv)); + znode *node = Z_PTR_P(zv); + if (node->op_type == IS_CONST) { + zval_ptr_dtor_nogc(&node->u.constant); + } + efree(node); } void zend_compile_assign_coalesce(znode *result, zend_ast *ast) /* {{{ */