From 32c1f37574a12452d967c5d8d8c81e9b66db726c Mon Sep 17 00:00:00 2001
From: Nikita Popov <nikita.ppv@gmail.com>
Date: Mon, 9 Dec 2019 09:15:27 +0100
Subject: [PATCH] Fixed bug #78926: Handle class table reallocation on failed
 link

When we change back the bucket key on a class linking failure,
make sure to reload the bucket pointer, as the class table may
have been reallocated in the meantime.

Also remove a bogus bucket key change in anon class registration:
We don't actually rename the class in this case anymore, the RTD
key is already the final name.
---
 NEWS                     |  1 +
 Zend/tests/bug78926.phpt | 22 ++++++++++++++++++++++
 Zend/zend_compile.c      |  2 ++
 Zend/zend_vm_def.h       |  3 ++-
 Zend/zend_vm_execute.h   |  3 ++-
 5 files changed, 29 insertions(+), 2 deletions(-)
 create mode 100644 Zend/tests/bug78926.phpt

diff --git a/NEWS b/NEWS
index ce5acb513d..787a546135 100644
--- a/NEWS
+++ b/NEWS
@@ -13,6 +13,7 @@ PHP                                                                        NEWS
   . Fixed bug #78898 (call_user_func(['parent', ...]) fails while other
     succeed). (Nikita)
   . Fixed bug #78904 (Uninitialized property triggers __get()). (Nikita)
+  . Fixed bug #78926 (Segmentation fault on Symfony cache:clear). (Nikita)
 
 - GD:
   . Fixed bug #78849 (GD build broken with -D SIGNED_COMPARE_SLOW). (cmb)
diff --git a/Zend/tests/bug78926.phpt b/Zend/tests/bug78926.phpt
new file mode 100644
index 0000000000..5df92bdb5a
--- /dev/null
+++ b/Zend/tests/bug78926.phpt
@@ -0,0 +1,22 @@
+--TEST--
+Bug #78926: Segmentation fault on Symfony cache:clear
+--FILE--
+<?php
+
+spl_autoload_register(function($class) {
+    for ($i = 0; $i < 100; $i++) {
+        eval("class C$i {}");
+    }
+});
+
+try {
+    class B extends A {}
+} catch (Error $e) {
+    echo $e->getMessage(), "\n";
+}
+var_dump(class_exists('B', false));
+
+?>
+--EXPECT--
+Class 'A' not found
+bool(false)
diff --git a/Zend/zend_compile.c b/Zend/zend_compile.c
index dbbd9119a2..116fc0b7c5 100644
--- a/Zend/zend_compile.c
+++ b/Zend/zend_compile.c
@@ -1082,6 +1082,8 @@ ZEND_API int do_bind_class(zval *lcname, zend_string *lc_parent_name) /* {{{ */
 	}
 
 	if (zend_do_link_class(ce, lc_parent_name) == FAILURE) {
+		/* Reload bucket pointer, the hash table may have been reallocated */
+		zv = zend_hash_find(EG(class_table), Z_STR_P(lcname));
 		zend_hash_set_bucket_key(EG(class_table), (Bucket *) zv, Z_STR_P(rtd_key));
 		return FAILURE;
 	}
diff --git a/Zend/zend_vm_def.h b/Zend/zend_vm_def.h
index e699e5dc23..b170201372 100644
--- a/Zend/zend_vm_def.h
+++ b/Zend/zend_vm_def.h
@@ -7284,6 +7284,8 @@ ZEND_VM_HANDLER(145, ZEND_DECLARE_CLASS_DELAYED, CONST, CONST)
 				zend_error_noreturn(E_COMPILE_ERROR, "Cannot declare %s %s, because the name is already in use", zend_get_object_type(ce), ZSTR_VAL(ce->name));
 			} else {
 				if (zend_do_link_class(ce, Z_STR_P(RT_CONSTANT(opline, opline->op2))) == FAILURE) {
+					/* Reload bucket pointer, the hash table may have been reallocated */
+					zv = zend_hash_find(EG(class_table), Z_STR_P(lcname));
 					zend_hash_set_bucket_key(EG(class_table), (Bucket *) zv, Z_STR_P(lcname + 1));
 					HANDLE_EXCEPTION();
 				}
@@ -7309,7 +7311,6 @@ ZEND_VM_HANDLER(146, ZEND_DECLARE_ANON_CLASS, ANY, ANY, CACHE_SLOT)
 		if (!(ce->ce_flags & ZEND_ACC_LINKED)) {
 			SAVE_OPLINE();
 			if (zend_do_link_class(ce, (OP2_TYPE == IS_CONST) ? Z_STR_P(RT_CONSTANT(opline, opline->op2)) : NULL) == FAILURE) {
-				zend_hash_set_bucket_key(EG(class_table), (Bucket *) zv, rtd_key);
 				HANDLE_EXCEPTION();
 			}
 		}
diff --git a/Zend/zend_vm_execute.h b/Zend/zend_vm_execute.h
index a0cfc277bd..3d10728415 100644
--- a/Zend/zend_vm_execute.h
+++ b/Zend/zend_vm_execute.h
@@ -2451,7 +2451,6 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_DECLARE_ANON_CLASS_SPEC_HANDLE
 		if (!(ce->ce_flags & ZEND_ACC_LINKED)) {
 			SAVE_OPLINE();
 			if (zend_do_link_class(ce, (opline->op2_type == IS_CONST) ? Z_STR_P(RT_CONSTANT(opline, opline->op2)) : NULL) == FAILURE) {
-				zend_hash_set_bucket_key(EG(class_table), (Bucket *) zv, rtd_key);
 				HANDLE_EXCEPTION();
 			}
 		}
@@ -6395,6 +6394,8 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_DECLARE_CLASS_DELAYED_SPEC_CON
 				zend_error_noreturn(E_COMPILE_ERROR, "Cannot declare %s %s, because the name is already in use", zend_get_object_type(ce), ZSTR_VAL(ce->name));
 			} else {
 				if (zend_do_link_class(ce, Z_STR_P(RT_CONSTANT(opline, opline->op2))) == FAILURE) {
+					/* Reload bucket pointer, the hash table may have been reallocated */
+					zv = zend_hash_find(EG(class_table), Z_STR_P(lcname));
 					zend_hash_set_bucket_key(EG(class_table), (Bucket *) zv, Z_STR_P(lcname + 1));
 					HANDLE_EXCEPTION();
 				}
-- 
2.40.0