php/archived-php-src
1
0
Fork 0
mirror of https://github.com/php/php-src.git synced 2026-03-24 00:02:20 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'PHP-8.3' into PHP-8.4

Browse Source 
* PHP-8.3:
  Fix OSS-Fuzz #418106144
  Fix OSS-Fuzz #417078295
This commit is contained in:
Niels Dossche
2025-05-19 19:07:17 +02:00
parent 59e6165fa6 98cb17f4fd
commit 08cba2dcc1
6 changed files with 45 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
NEWS
View File

@@ -7,6 +7,8 @@ PHP NEWS
(nielsdos/David Carlier) (nielsdos/David Carlier)
. Partially fixed GH-18572 (nested object comparisons leading to stack overflow). . Partially fixed GH-18572 (nested object comparisons leading to stack overflow).
(David Carlier) (David Carlier)
. Fixed OSS-Fuzz #417078295. (nielsdos)
. Fixed OSS-Fuzz #418106144. (nielsdos)
- Curl: - Curl:
. Fixed GH-18460 (curl_easy_setopt with CURLOPT_USERPWD/CURLOPT_USERNAME/ . Fixed GH-18460 (curl_easy_setopt with CURLOPT_USERPWD/CURLOPT_USERNAME/

20
Zend/tests/gh418106144.phpt Normal file
View File

@@ -0,0 +1,20 @@
--TEST--
OSS-Fuzz #418106144
--FILE--
<?php
class Foo {
function __toString(){}
}
function test($y=new Foo>''){
var_dump();
}
try {
test();
} catch (TypeError $e) {
echo $e->getMessage(), "\n";
}
?>
--EXPECT--
Foo::__toString(): Return value must be of type string, none returned

17
Zend/tests/oss_fuzz_417078295.phpt Normal file
View File

@@ -0,0 +1,17 @@
--TEST--
OSS-Fuzz #417078295
--FILE--
<?php
function foo() {
$a = new stdClass();
static $a = $a;
debug_zval_dump($a);
}
foo();
?>
--EXPECT--
object(stdClass)#1 (0) refcount(2){
}

3
Zend/zend_ast.c
View File

@@ -601,9 +601,10 @@ ZEND_API zend_result ZEND_FASTCALL zend_ast_evaluate_inner(
/* op1 > op2 is the same as op2 < op1 */ /* op1 > op2 is the same as op2 < op1 */
binary_op_type op = ast->kind == ZEND_AST_GREATER binary_op_type op = ast->kind == ZEND_AST_GREATER
? is_smaller_function : is_smaller_or_equal_function; ? is_smaller_function : is_smaller_or_equal_function;
ret = op(result, &op2, &op1); op(result, &op2, &op1);
zval_ptr_dtor_nogc(&op1); zval_ptr_dtor_nogc(&op1);
zval_ptr_dtor_nogc(&op2); zval_ptr_dtor_nogc(&op2);
ret = EG(exception) ? FAILURE : SUCCESS;
} }
break; break;
case ZEND_AST_UNARY_OP: case ZEND_AST_UNARY_OP:

3
Zend/zend_vm_def.h
View File

@@ -9050,7 +9050,6 @@ ZEND_VM_HANDLER(183, ZEND_BIND_STATIC, CV, ANY, REF)
value = (zval*)((char*)ht->arData + (opline->extended_value & ~(ZEND_BIND_REF|ZEND_BIND_IMPLICIT|ZEND_BIND_EXPLICIT))); value = (zval*)((char*)ht->arData + (opline->extended_value & ~(ZEND_BIND_REF|ZEND_BIND_IMPLICIT|ZEND_BIND_EXPLICIT)));
if (opline->extended_value & ZEND_BIND_REF) { if (opline->extended_value & ZEND_BIND_REF) {
i_zval_ptr_dtor(variable_ptr);
if (UNEXPECTED(!Z_ISREF_P(value))) { if (UNEXPECTED(!Z_ISREF_P(value))) {
zend_reference *ref = (zend_reference*)emalloc(sizeof(zend_reference)); zend_reference *ref = (zend_reference*)emalloc(sizeof(zend_reference));
GC_SET_REFCOUNT(ref, 2); GC_SET_REFCOUNT(ref, 2);
@@ -9065,9 +9064,11 @@ ZEND_VM_HANDLER(183, ZEND_BIND_STATIC, CV, ANY, REF)
ref->sources.ptr = NULL; ref->sources.ptr = NULL;
Z_REF_P(value) = ref; Z_REF_P(value) = ref;
Z_TYPE_INFO_P(value) = IS_REFERENCE_EX; Z_TYPE_INFO_P(value) = IS_REFERENCE_EX;
i_zval_ptr_dtor(variable_ptr);
ZVAL_REF(variable_ptr, ref); ZVAL_REF(variable_ptr, ref);
} else { } else {
Z_ADDREF_P(value); Z_ADDREF_P(value);
i_zval_ptr_dtor(variable_ptr);
ZVAL_REF(variable_ptr, Z_REF_P(value)); ZVAL_REF(variable_ptr, Z_REF_P(value));
if (OP2_TYPE != IS_UNUSED) { if (OP2_TYPE != IS_UNUSED) {
FREE_OP2(); FREE_OP2();

3
Zend/zend_vm_execute.h generated
View File

@@ -41767,7 +41767,6 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_BIND_STATIC_SPEC_CV_HANDLER(ZE
value = (zval*)((char*)ht->arData + (opline->extended_value & ~(ZEND_BIND_REF|ZEND_BIND_IMPLICIT|ZEND_BIND_EXPLICIT))); value = (zval*)((char*)ht->arData + (opline->extended_value & ~(ZEND_BIND_REF|ZEND_BIND_IMPLICIT|ZEND_BIND_EXPLICIT)));
if (opline->extended_value & ZEND_BIND_REF) { if (opline->extended_value & ZEND_BIND_REF) {
i_zval_ptr_dtor(variable_ptr);
if (UNEXPECTED(!Z_ISREF_P(value))) { if (UNEXPECTED(!Z_ISREF_P(value))) {
zend_reference *ref = (zend_reference*)emalloc(sizeof(zend_reference)); zend_reference *ref = (zend_reference*)emalloc(sizeof(zend_reference));
GC_SET_REFCOUNT(ref, 2); GC_SET_REFCOUNT(ref, 2);
@@ -41782,9 +41781,11 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_BIND_STATIC_SPEC_CV_HANDLER(ZE
ref->sources.ptr = NULL; ref->sources.ptr = NULL;
Z_REF_P(value) = ref; Z_REF_P(value) = ref;
Z_TYPE_INFO_P(value) = IS_REFERENCE_EX; Z_TYPE_INFO_P(value) = IS_REFERENCE_EX;
i_zval_ptr_dtor(variable_ptr);
ZVAL_REF(variable_ptr, ref); ZVAL_REF(variable_ptr, ref);
} else { } else {
Z_ADDREF_P(value); Z_ADDREF_P(value);
i_zval_ptr_dtor(variable_ptr);
ZVAL_REF(variable_ptr, Z_REF_P(value)); ZVAL_REF(variable_ptr, Z_REF_P(value));
if (opline->op2_type != IS_UNUSED) { if (opline->op2_type != IS_UNUSED) {
FREE_OP(opline->op2_type, opline->op2.var); FREE_OP(opline->op2_type, opline->op2.var);