From: Nikita Popov Date: Tue, 1 Oct 2019 10:58:26 +0000 (+0200) Subject: Remove func copy optimization for private method with static vars X-Git-Tag: php-7.4.0RC4~79 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=f2e88512451ba0d48252eaf206a0f242a8cd3ddb;p=php Remove func copy optimization for private method with static vars Not NULLing the static_variables pointer for shadow methods during static var shutdown would be a way to avoid this leak, but unless there's evidence that inherited private methods with static vars are actually a common use-case, I don't think we should keep this kind of fragile edge-case optimization. Fixes OSS-Fuzz #17875. --- diff --git a/Zend/tests/static_variable_in_private_method.phpt b/Zend/tests/static_variable_in_private_method.phpt new file mode 100644 index 0000000000..0aa04a0918 --- /dev/null +++ b/Zend/tests/static_variable_in_private_method.phpt @@ -0,0 +1,16 @@ +--TEST-- +Inheritance of private method with static variable +--FILE-- + +===DONE=== +--EXPECT-- +===DONE=== diff --git a/Zend/zend_execute_API.c b/Zend/zend_execute_API.c index 3c78d2524d..c2ab453485 100644 --- a/Zend/zend_execute_API.c +++ b/Zend/zend_execute_API.c @@ -302,7 +302,7 @@ void shutdown_executor(void) /* {{{ */ } if (ce->ce_flags & ZEND_HAS_STATIC_IN_METHODS) { zend_op_array *op_array; - ZEND_HASH_FOREACH_PTR(&ce->function_table, op_array) { + ZEND_HASH_FOREACH_PTR(&ce->function_table, op_array) { if (op_array->type == ZEND_USER_FUNCTION) { if (op_array->static_variables) { HashTable *ht = ZEND_MAP_PTR_GET(op_array->static_variables_ptr); diff --git a/Zend/zend_inheritance.c b/Zend/zend_inheritance.c index 30899982c8..4288d8fb59 100644 --- a/Zend/zend_inheritance.c +++ b/Zend/zend_inheritance.c 
@@ -101,15 +101,6 @@ static zend_always_inline zend_function *zend_duplicate_function(zend_function *
 /* reuse the same op_array structure */
 return func;
 }
- if (func->op_array.fn_flags & ZEND_ACC_PRIVATE) {
- /* For private methods we reuse the same op_array structure even if
- * static variables are used, because it will not end up being used
- * anyway. However we still need to addref as the dtor will delref. */
- if (!(GC_FLAGS(func->op_array.static_variables) & IS_ARRAY_IMMUTABLE)) {
- GC_ADDREF(func->op_array.static_variables);
- }
- return func;
- }
 return zend_duplicate_user_function(func);
 }
 }