From 12844f96e2ef3b7be879682e4eb59579d9c171a4 Mon Sep 17 00:00:00 2001
From: Ilija Tovilo
Date: Wed, 25 Sep 2024 17:50:56 +0200
Subject: [PATCH] Fix use-after-free of object released in hook

Fixes GH-16040
Closes GH-16058
---
 NEWS | 3 +++
 Zend/tests/property_hooks/gh16040.phpt | 20 ++++++++++++++++++++
 Zend/zend_object_handlers.c | 4 ++--
 3 files changed, 25 insertions(+), 2 deletions(-)
 create mode 100644 Zend/tests/property_hooks/gh16040.phpt

diff --git a/NEWS b/NEWS
index 22d40b50e95..bd6ff55966b 100644
--- a/NEWS
+++ b/NEWS
@@ -2,6 +2,9 @@ PHP NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 ?? ??? ????, PHP 8.4.0RC2
+- Core:
+ . Fixed bug GH-16040 (Use-after-free of object released in hook). (ilutov)
+
 - DOM:
 . Fixed bug GH-16039 (Segmentation fault (access null pointer) in ext/dom/parentnode/tree.c). (nielsdos)
diff --git a/Zend/tests/property_hooks/gh16040.phpt b/Zend/tests/property_hooks/gh16040.phpt
new file mode 100644
index 00000000000..f9dfd6f29d9
--- /dev/null
+++ b/Zend/tests/property_hooks/gh16040.phpt
@@ -0,0 +1,20 @@
+--TEST--
+GH-16040: Use-after-free of object released in hook
+--FILE--
+bar);
+
+?>
+--EXPECT--
+int(42)
diff --git a/Zend/zend_object_handlers.c b/Zend/zend_object_handlers.c
index 64e494200ee..106ce278302 100644
--- a/Zend/zend_object_handlers.c
+++ b/Zend/zend_object_handlers.c
@@ -828,8 +828,8 @@ try_again:
 if (EXPECTED(cache_slot
 && zend_execute_ex == execute_ex
- && zobj->ce->default_object_handlers->read_property == zend_std_read_property
- && !zobj->ce->create_object
+ && ce->default_object_handlers->read_property == zend_std_read_property
+ && !ce->create_object
 && !zend_is_in_hook(prop_info)
 && !(prop_info->hooks[ZEND_PROPERTY_HOOK_GET]->common.fn_flags & ZEND_ACC_RETURN_REFERENCE))) {
 ZEND_SET_PROPERTY_HOOK_SIMPLE_GET(cache_slot);
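Review bot: The reason the condition now reads `ce` instead of `zobj->ce` is not recorded in the code, so the next edit of this `if (EXPECTED(cache_slot ...` condition can easily reintroduce the `zobj->ce` dereference; since the commit title says the object may already have been released by the hook at this point, a one-line comment ahead of the condition would pin the invariant, e.g. `/* zobj may already have been released by the get hook (GH-16040): use the cached ce here, never zobj->ce. */`. The condition still reads `prop_info->hooks[ZEND_PROPERTY_HOOK_GET]` and `cache_slot`, which presumably belong to the class entry and the call site rather than to the object and so look safe, but that is inferred, and where `ce` and `prop_info` are assigned lies outside the hunk, so it is worth confirming both are taken before the hook runs. It is also worth checking that nothing after `ZEND_SET_PROPERTY_HOOK_SIMPLE_GET(cache_slot);` dereferences `zobj` again on this path. The enclosing function (the one containing the `try_again:` label) begins before the hunk and continues past it.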