From af3d2f7ec98d3ef59800bde01183a75182944052 Mon Sep 17 00:00:00 2001 From: Ilija Tovilo Date: Thu, 19 Oct 2023 00:47:59 +0200 Subject: [PATCH] Fix double-free of doc_comment when overriding static property via trait When redeclaring an overridden static property with a trait we're removing the property from the class. However, because the property itself does not belong to the class we must not free its associated data. This issue is exposed by 9a250cc9d6 in PHP 8.3+ because duplicate static properties in traits are no longer skipped, but redeclared. Fixes GH-12468 --- NEWS | 4 ++++ Zend/tests/gh12468_1.phpt | 18 ++++++++++++++++++ Zend/tests/gh12468_2.phpt | 19 +++++++++++++++++++ Zend/zend_API.c | 4 ++-- 4 files changed, 43 insertions(+), 2 deletions(-) create mode 100644 Zend/tests/gh12468_1.phpt create mode 100644 Zend/tests/gh12468_2.phpt diff --git a/NEWS b/NEWS index d697dae5ee6..521972251c2 100644 --- a/NEWS +++ b/NEWS @@ -2,6 +2,10 @@ PHP NEWS ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||| ?? ??? ????, PHP 8.1.26 +- Core: + . Fixed bug GH-12468 (Double-free of doc_comment when overriding static + property via trait). (ilutov) + - DOM: . Fix registerNodeClass with abstract class crashing. (nielsdos) diff --git a/Zend/tests/gh12468_1.phpt b/Zend/tests/gh12468_1.phpt new file mode 100644 index 00000000000..a02a28c3e35 --- /dev/null +++ b/Zend/tests/gh12468_1.phpt @@ -0,0 +1,18 @@ +--TEST-- +GH-12468: Double-free of doc_comment when overriding static property via trait +--FILE-- + +===DONE=== +--EXPECT-- +===DONE=== diff --git a/Zend/tests/gh12468_2.phpt b/Zend/tests/gh12468_2.phpt new file mode 100644 index 00000000000..3097cf532e2 --- /dev/null +++ b/Zend/tests/gh12468_2.phpt @@ -0,0 +1,19 @@ +--TEST-- +GH-12468: Double-free of doc_comment when overriding static property via trait +--FILE-- + +===DONE=== +--EXPECT-- +===DONE=== diff --git a/Zend/zend_API.c b/Zend/zend_API.c index 11781330466..5e89c918286 100644 
--- a/Zend/zend_API.c
+++ b/Zend/zend_API.c
@@ -4120,7 +4120,7 @@ ZEND_API zend_property_info *zend_declare_typed_property(zend_class_entry *ce, z
 (property_info_ptr->flags & ZEND_ACC_STATIC) != 0) {
 property_info->offset = property_info_ptr->offset;
 zval_ptr_dtor(&ce->default_static_members_table[property_info->offset]);
- if (property_info_ptr->doc_comment) {
+ if (property_info_ptr->doc_comment && property_info_ptr->ce == ce) {
 zend_string_release(property_info_ptr->doc_comment);
 }
 zend_hash_del(&ce->properties_info, name);
@@ -4145,7 +4145,7 @@ ZEND_API zend_property_info *zend_declare_typed_property(zend_class_entry *ce, z
 (property_info_ptr->flags & ZEND_ACC_STATIC) == 0) {
 property_info->offset = property_info_ptr->offset;
 zval_ptr_dtor(&ce->default_properties_table[OBJ_PROP_TO_NUM(property_info->offset)]);
- if (property_info_ptr->doc_comment) {
+ if (property_info_ptr->doc_comment && property_info_ptr->ce == ce) {
 zend_string_release_ex(property_info_ptr->doc_comment, 1);
 }
 zend_hash_del(&ce->properties_info, name);
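Review bot: The ownership rule behind the added `&& property_info_ptr->ce == ce` guard is not stated at the release site, neither in this hunk nor in the matching non-static branch at @@ -4145, so a reader only sees doc_comment being skipped for some entries with no hint why. A short comment would keep the guard from being "simplified" away in a later cleanup: `/* property_info_ptr may be inherited or imported from a trait; only the declaring class owns doc_comment, so release it only when ce is that class (GH-12468). */` The two sites also release differently, `zend_string_release` here versus `zend_string_release_ex(..., 1)` in the non-static branch; that predates this change, but I would confirm the asymmetry is intentional rather than assume either form is right. Whether the unconditional `zval_ptr_dtor` on the line above the guard raises the same ownership question for inherited or trait entries cannot be told from the hunk alone. zend_declare_typed_property begins and ends outside both hunks.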