From 429f194f406e8d8255a12af210aa4bde3f9e1433 Mon Sep 17 00:00:00 2001
From: Nikita Popov
Date: Thu, 30 Jan 2020 11:01:13 +0100
Subject: [PATCH] Fix UAF in is_callable() and allocated trampoline

By nulling out the function_handler, so it will not get used below.
Reuse the existing helper for this purpose.
---
 Zend/tests/is_callable_trampoline_uaf.phpt | 27 ++++++++++++++++++++++
 Zend/zend_API.c | 8 +------
 2 files changed, 28 insertions(+), 7 deletions(-)
 create mode 100644 Zend/tests/is_callable_trampoline_uaf.phpt

diff --git a/Zend/tests/is_callable_trampoline_uaf.phpt b/Zend/tests/is_callable_trampoline_uaf.phpt
new file mode 100644
index 0000000000..2410864410
--- /dev/null
+++ b/Zend/tests/is_callable_trampoline_uaf.phpt
@@ -0,0 +1,27 @@
+--TEST--
+is_callable() with trampoline should not caused UAF
+--FILE--
+bar('foo'));
+
+?>
+--EXPECT--
+bool(false)
diff --git a/Zend/zend_API.c b/Zend/zend_API.c
index 4511368bea..b7af44a32a 100644
--- a/Zend/zend_API.c
+++ b/Zend/zend_API.c
@@ -3154,13 +3154,7 @@ get_function_via_handler:
 		if (strict_class &&
 		    (!fcc->function_handler->common.scope ||
 		     !instanceof_function(ce_org, fcc->function_handler->common.scope))) {
-			if (fcc->function_handler->common.fn_flags & ZEND_ACC_CALL_VIA_TRAMPOLINE) {
-				if (fcc->function_handler->type != ZEND_OVERLOADED_FUNCTION &&
-				    fcc->function_handler->common.function_name) {
-					zend_string_release_ex(fcc->function_handler->common.function_name, 0);
-				}
-				zend_free_trampoline(fcc->function_handler);
-			}
+			zend_release_fcall_info_cache(fcc);
 		} else {
 			retval = 1;
 			call_via_handler = (fcc->function_handler->common.fn_flags & ZEND_ACC_CALL_VIA_TRAMPOLINE) != 0;
-- 
2.49.0
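Review bot: The test title in the `+--TEST--` section reads `is_callable() with trampoline should not caused UAF`; it should be `is_callable() with trampoline should not cause UAF`. The PHP body between `--FILE--` and `?>` is not visible in this rendering (only `bar('foo'));` survives), so the reproduction itself cannot be reviewed here; confirm the committed file carries the full class and is_callable() call that reaches the trampoline path, since the regression test is the only thing that pins the fixed behaviour.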
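Review bot: The fix depends on `zend_release_fcall_info_cache()` clearing `fcc->function_handler` after freeing the trampoline, but nothing at the call site says so, and a later reader could reintroduce a bare `zend_free_trampoline()` and the dangling pointer with it; add `/* Releases the trampoline and nulls fcc->function_handler so the freed handler cannot be reused further down. */` above the new line. The removed code only released `function_name` when `type != ZEND_OVERLOADED_FUNCTION`; the helper's body is not in the hunk, so if it does not make the same distinction, confirm that change is intended. Every read of `fcc->function_handler` after this point must now tolerate NULL; the enclosing function continues past the end of the hunk, so that cannot be checked here. The `else` branch still dereferences `fcc->function_handler`, which is fine because the release only happens on the `if` side.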