From: Nikita Popov <nikita.ppv@gmail.com>
Date: Tue, 1 Dec 2020 10:49:27 +0000 (+0100)
Subject: Don't use scope when validating Attribute
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=f06afc434aec631f18f8da8ffca9a6f0559e1acf;p=php

Don't use scope when validating Attribute

This is not safe to do at this point. Even if we made it safe,
we'd see inconsistencies due to a partially compiled class.

Fixes oss-fuzz #28129.
---

diff --git a/Zend/tests/attributes/032_attribute_validation_scope.phpt b/Zend/tests/attributes/032_attribute_validation_scope.phpt
new file mode 100644
index 0000000000..039a427254
--- /dev/null
+++ b/Zend/tests/attributes/032_attribute_validation_scope.phpt
@@ -0,0 +1,9 @@
+--TEST--
+Validation for "Attribute" does not use a scope when evaluating constant ASTs
+--FILE--
+<?php
+#[Attribute(parent::x)]
+class x extends y {}
+?>
+--EXPECTF--
+Fatal error: Cannot access "parent" when no class scope is active in %s on line %d
diff --git a/Zend/zend_attributes.c b/Zend/zend_attributes.c
index 29a2f4a732..ae07802b5b 100644
--- a/Zend/zend_attributes.c
+++ b/Zend/zend_attributes.c
@@ -33,7 +33,10 @@ void validate_attribute(zend_attribute *attr, uint32_t target, zend_class_entry
 	if (attr->argc > 0) {
 		zval flags;
 
-		if (FAILURE == zend_get_attribute_value(&flags, attr, 0, scope)) {
+		/* As this is run in the middle of compilation, fetch the attribute value without
+		 * specifying a scope. The class is not fully linked yet, and we may seen an
+		 * inconsistent state. */
+		if (FAILURE == zend_get_attribute_value(&flags, attr, 0, NULL)) {
 			return;
 		}