From 76e2a8380e5e030412e9d565955d011972af8418 Mon Sep 17 00:00:00 2001
From: Florian Sowade <f.sowade@suora.com>
Date: Thu, 18 Nov 2021 16:16:37 +0100
Subject: [PATCH] Fix zend_observer_fcall_end_all() accessing dangling pointers

This may happen, when the execute_data was allocated on the stack.  We
ensure that the runtime cache pointer is not NULL before dereferencing
it.

This is a partial fix for bug 81430.

Closes GH-7665.
---
 NEWS                                         |  2 ++
 Zend/zend_observer.c                         |  1 +
 ext/zend_test/tests/observer_bug81430_1.phpt | 27 ++++++++++++++++++++
 3 files changed, 30 insertions(+)
 create mode 100644 ext/zend_test/tests/observer_bug81430_1.phpt

diff --git a/NEWS b/NEWS
index 30f8b64959f..cbbd41ab5e1 100644
--- a/NEWS
+++ b/NEWS
@@ -6,6 +6,8 @@ PHP                                                                        NEWS
   . Fixed bug #81656 (GCC-11 silently ignores -R). (Michael Wallner)
   . Fixed bug #81585 (cached_chunks are not counted to real_size on shutdown).
     (cmb)
+  . Fixed zend_observer_fcall_end_all() accessing dangling pointers. (Florian
+    Sowade)
 
 - Filter:
   . Fixed FILTER_FLAG_NO_RES_RANGE flag. (Yifan Tong)
diff --git a/Zend/zend_observer.c b/Zend/zend_observer.c
index b970acd85c8..08c09e8ff17 100644
--- a/Zend/zend_observer.c
+++ b/Zend/zend_observer.c
@@ -229,6 +229,7 @@ ZEND_API void ZEND_FASTCALL zend_observer_fcall_end(
 		zend_execute_data *ex = execute_data->prev_execute_data;
 		while (ex && (!ex->func || ex->func->type == ZEND_INTERNAL_FUNCTION
 		          || !ZEND_OBSERVABLE_FN(ex->func->common.fn_flags)
+		          || !&RUN_TIME_CACHE(&ex->func->op_array)
 		          || !ZEND_OBSERVER_DATA(&ex->func->op_array)
 		          || ZEND_OBSERVER_DATA(&ex->func->op_array) == ZEND_OBSERVER_NOT_OBSERVED)) {
 			ex = ex->prev_execute_data;
diff --git a/ext/zend_test/tests/observer_bug81430_1.phpt b/ext/zend_test/tests/observer_bug81430_1.phpt
new file mode 100644
index 00000000000..830112b1b53
--- /dev/null
+++ b/ext/zend_test/tests/observer_bug81430_1.phpt
@@ -0,0 +1,27 @@
+--TEST--
+Bug #81430 (Attribute instantiation frame has no run time cache)
+--INI--
+memory_limit=20M
+zend_test.observer.enabled=1
+zend_test.observer.observe_all=1
+--FILE--
+<?php
+
+#[\Attribute]
+class A {
+        public function __construct() {}
+}
+
+#[A]
+function B() {}
+
+$r = new \ReflectionFunction("B");
+call_user_func([$r->getAttributes(A::class)[0], 'newInstance']);
+?>
+--EXPECTF--
+<!-- init '%s' -->
+<file '%s'>
+  <!-- init A::__construct() -->
+  <A::__construct>
+  </A::__construct>
+</file '%s'>