From 46a15ed439c5e8dc52ac854541e61cc69223b62e Mon Sep 17 00:00:00 2001
From: Niels Dossche <7771979+ndossche@users.noreply.github.com>
Date: Sat, 15 Nov 2025 18:11:14 +0100
Subject: [PATCH] Fix crash in property existence test in ext/zip
When type == 2, the zval is not initialized, so zval_ptr_dtor() on it will crash. Unfortunately couldn't test with property_exists() or Reflection because they have fast paths that go through the property info, but fortunately there are paths that don't implement a fast path (e.g. because it doesn't make sense at that point), like with array_column(). So we use array_column() to trigger the crash. Closes GH-20496.
---
 NEWS | 3 +++
 ext/zip/php_zip.c | 3 +--
 ext/zip/tests/property_existence_test.phpt | 20 ++++++++++++++++++++
 3 files changed, 24 insertions(+), 2 deletions(-)
 create mode 100644 ext/zip/tests/property_existence_test.phpt
diff --git a/NEWS b/NEWS
index 5ddc2633d19..fc03fd36f15 100644
--- a/NEWS
+++ b/NEWS
@@ -42,6 +42,9 @@ PHP NEWS
 . Fixed bug GH-20439 (xml_set_default_handler() does not properly handle special characters in attributes when passing data to callback). (ndossche)
+- Zip:
+ . Fix crash in property existence test. (ndossche)
+
 20 Nov 2025, PHP 8.3.28 - Core:
diff --git a/ext/zip/php_zip.c b/ext/zip/php_zip.c
index 66f651e46e3..15f55cba712 100644
--- a/ext/zip/php_zip.c
+++ b/ext/zip/php_zip.c
@@ -977,9 +977,8 @@ static int php_zip_has_property(zend_object *object, zend_string *name, int type
 } else if (type == 0) {
 retval = (Z_TYPE(tmp) != IS_NULL);
 }
+ zval_ptr_dtor(&tmp);
 }
-
- zval_ptr_dtor(&tmp);
 } else {
 retval = zend_std_has_property(object, name, type, cache_slot);
 }
diff --git a/ext/zip/tests/property_existence_test.phpt b/ext/zip/tests/property_existence_test.phpt
new file mode 100644
index 00000000000..855bf73464a
--- /dev/null
+++ b/ext/zip/tests/property_existence_test.phpt
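Review bot: In the ext/zip/php_zip.c hunk, the relocated `zval_ptr_dtor(&tmp);` carries no comment recording the invariant it now depends on, so a later cleanup refactor could hoist it back out and reintroduce the destructor call on an uninitialized stack zval. I would add above it `/* tmp is initialized only on this path; for type == 2 it is never written, so it must not be destroyed there */`, which matches what the commit message states. The declaration of `tmp` and the condition that opens the enclosing block are outside the hunk, so the following is inferred: if `tmp` is declared without an initializer, a `ZVAL_UNDEF(&tmp);` right after the declaration would turn any stray destructor call into a no-op instead of a read of indeterminate memory.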
@@ -0,0 +1,20 @@
+--TEST--
+Property existence test can cause a crash
+--EXTENSIONS--
+zip
+--FILE--
+
+--CLEAN--
+
+--EXPECT--
+array(1) {
+ [0]=>
+ int(-1)
+}