mirror of https://github.com/php/php-src.git synced 2026-03-24 00:02:20 +01:00

Fix double-free of doc_comment when overriding static property via trait

When redeclaring an overridden static property with a trait we're removing the
property from the class. However, because the property itself does not belong to
the class we must not free its associated data.

This issue is exposed by 9a250cc9d6 in PHP 8.3+ because duplicate static
properties in traits are no longer skipped, but redeclared.

Fixes GH-12468
Ilija Tovilo
2023-10-19 00:47:59 +02:00
parent 07d81592e9
commit af3d2f7ec9
4 changed files with 43 additions and 2 deletions

4
NEWS

@@ -2,6 +2,10 @@ PHP NEWS
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
?? ??? ????, PHP 8.1.26
- Core:
. Fixed bug GH-12468 (Double-free of doc_comment when overriding static
property via trait). (ilutov)
- DOM:
. Fix registerNodeClass with abstract class crashing. (nielsdos)

18
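--- a/Zend/tests/gh12468_1.phpt
+++ b/Zend/tests/gh12468_1.phpt
@@ -0,0 +1,18 @@
+--TEST--
+GH-12468: Double-free of doc_comment when overriding static property via trait
+--FILE--
+<?php
+trait T {
+/** some doc */
+static protected $a = 0;
+}
+class A {
+use T;
+}
+class B extends A {
+use T;
+}
+?>
+===DONE===
+--EXPECT--
+===DONE===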

19
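--- a/Zend/tests/gh12468_2.phpt
+++ b/Zend/tests/gh12468_2.phpt
@@ -0,0 +1,19 @@
+--TEST--
+GH-12468: Double-free of doc_comment when overriding static property via trait
+--FILE--
+<?php
+trait T {
+/** some doc */
+static protected $a = 0;
+}
+class A {
+/** some doc */
+static protected $a = 0;
+}
+class B extends A {
+use T;
+}
+?>
+===DONE===
+--EXPECT--
+===DONE===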


@@ -4120,7 +4120,7 @@ ZEND_API zend_property_info *zend_declare_typed_property(zend_class_entry *ce, z
(property_info_ptr->flags & ZEND_ACC_STATIC) != 0) {
property_info->offset = property_info_ptr->offset;
zval_ptr_dtor(&ce->default_static_members_table[property_info->offset]);
if (property_info_ptr->doc_comment) {
if (property_info_ptr->doc_comment && property_info_ptr->ce == ce) {
zend_string_release(property_info_ptr->doc_comment);
}
zend_hash_del(&ce->properties_info, name);
@@ -4145,7 +4145,7 @@ ZEND_API zend_property_info *zend_declare_typed_property(zend_class_entry *ce, z
(property_info_ptr->flags & ZEND_ACC_STATIC) == 0) {
property_info->offset = property_info_ptr->offset;
zval_ptr_dtor(&ce->default_properties_table[OBJ_PROP_TO_NUM(property_info->offset)]);
if (property_info_ptr->doc_comment) {
if (property_info_ptr->doc_comment && property_info_ptr->ce == ce) {
zend_string_release_ex(property_info_ptr->doc_comment, 1);
}
zend_hash_del(&ce->properties_info, name);
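Review bot: The new `property_info_ptr->ce == ce` guard encodes an ownership rule that is stated only in the commit message, so a later edit to this code could drop it and reintroduce the double release. Both guarded branches (the static one in the first hunk and the non-static one in the second) would benefit from a comment such as `/* doc_comment belongs to the declaring class; an inherited property_info is only unlinked here, never released */`. The `zval_ptr_dtor()` on the slot one line above each guard stays unconditional; presumably that is safe for an inherited slot, but a few words saying why would spare the next reader the same ownership check. The added tests declare only static properties, so the non-static guard is untested as far as this page shows. `zend_declare_typed_property` starts and ends outside both hunks.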