php/archived-php-src
1
0
Fork 0
mirror of https://github.com/php/php-src.git synced 2026-03-24 00:02:20 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'PHP-8.4' into PHP-8.5

Browse Source 
* PHP-8.4:
  Fix uaf for nested finally with repeated return type check
This commit is contained in:
Ilija Tovilo
2026-01-16 18:38:53 +01:00
parent da6f1230c2 19b30032c9
commit ac0dc9859a
4 changed files with 41 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
NEWS
View File

@@ -18,6 +18,8 @@ PHP NEWS
. Fixed bug GH-20766 (Use-after-free in FE_FREE with GC interaction). (Bob)
. Fix OSS-Fuzz #471486164 (Broken by-ref assignment to uninitialized hooked
backing value). (ilutov)
. Fix OSS-Fuzz #438780145 (Nested finally with repeated return type check may
uaf). (ilutov)
- Date:
. Update timelib to 2022.16. (Derick)

27
Zend/tests/oss_fuzz_438780145.phpt Normal file
View File

@@ -0,0 +1,27 @@
--TEST--
OSS-Fuzz #438780145: Nested finally with repeated return type check may uaf
--FILE--
<?php
function &test(): int {
$x = 0;
try {
return $x;
} finally {
try {
return $x;
} finally {
$x = "";
}
}
}
test();
?>
--EXPECTF--
Fatal error: Uncaught TypeError: test(): Return value must be of type int, string returned in %s:%d
Stack trace:
#0 %s(%d): test()
#1 {main}
thrown in %s on line %d

4
Zend/zend_vm_def.h
View File

@@ -8624,6 +8624,10 @@ ZEND_VM_HANDLER(159, ZEND_DISCARD_EXCEPTION, ANY, ANY)
zval *return_value = EX_VAR(EX(func)->op_array.opcodes[Z_OPLINE_NUM_P(fast_call)].op2.var);
zval_ptr_dtor(return_value);
/* Clear return value in case we hit both DISCARD_EXCEPTION and
* zend_dispatch_try_catch_finally_helper, which will free the return
* value again. See OSS-Fuzz #438780145. */
ZVAL_NULL(return_value);
}
/* cleanup delayed exception */

8
Zend/zend_vm_execute.h generated
View File

@@ -3498,6 +3498,10 @@ static ZEND_OPCODE_HANDLER_RET ZEND_OPCODE_HANDLER_FUNC_CCONV ZEND_DISCARD_EXCEP
zval *return_value = EX_VAR(EX(func)->op_array.opcodes[Z_OPLINE_NUM_P(fast_call)].op2.var);
zval_ptr_dtor(return_value);
/* Clear return value in case we hit both DISCARD_EXCEPTION and
* zend_dispatch_try_catch_finally_helper, which will free the return
* value again. See OSS-Fuzz #438780145. */
ZVAL_NULL(return_value);
}
/* cleanup delayed exception */
@@ -59133,6 +59137,10 @@ static ZEND_OPCODE_HANDLER_RET ZEND_OPCODE_HANDLER_CCONV ZEND_DISCARD_EXCEPTION_
zval *return_value = EX_VAR(EX(func)->op_array.opcodes[Z_OPLINE_NUM_P(fast_call)].op2.var);
zval_ptr_dtor(return_value);
/* Clear return value in case we hit both DISCARD_EXCEPTION and
* zend_dispatch_try_catch_finally_helper, which will free the return
* value again. See OSS-Fuzz #438780145. */
ZVAL_NULL(return_value);
}
/* cleanup delayed exception */