Fix uaf of MBSTRG(all_encodings_list)

We need to remove the value from the GC buffer before freeing it. Otherwise shutdown will uaf when running the gc. Do that by switching from zend_hash_destroy to zend_array_destroy, which should also be faster for freeing members due to inlining of i_zval_ptr_dtor. Closes GH-11822
2026-03-24 00:02:20 +01:00 · 2023-07-29 17:03:20 +02:00
parent 655f116be5
commit 7364b7bc0b
3 changed files with 13 additions and 2 deletions
--- a/3
+++ b/3
@@ -15,6 +15,9 @@ PHP                                                                        NEWS
 - FFI:
  . Fix leaking definitions when using FFI::cdef()->new(...). (ilutov)

+- MBString:
+  . Fix use-after-free of mb_list_encodings() return value. (ilutov)
+
 - Streams:
  . Fixed bug GH-11735 (Use-after-free when unregistering user stream wrapper
    from itself). (ilutov)
--- a/ext/mbstring/mbstring.c
+++ b/ext/mbstring/mbstring.c
@@ -1159,8 +1159,7 @@ PHP_RSHUTDOWN_FUNCTION(mbstring)

 	if (MBSTRG(all_encodings_list)) {
 		GC_DELREF(MBSTRG(all_encodings_list));
-		zend_hash_destroy(MBSTRG(all_encodings_list));
-		efree(MBSTRG(all_encodings_list));
+		zend_array_destroy(MBSTRG(all_encodings_list));
 		MBSTRG(all_encodings_list) = NULL;
 	}

--- a/ext/mbstring/tests/mb_list_encodings_gc_uaf.phpt
+++ b/ext/mbstring/tests/mb_list_encodings_gc_uaf.phpt
@@ -0,0 +1,9 @@
+--TEST--
+Use-after-free of MBSTRG(all_encodings_list) on shutdown
+--EXTENSIONS--
+mbstring
+--FILE--
+<?php
+mb_list_encodings();
+?>
+--EXPECT--