From b976bc44f16fa34450bf92345067b267c52cd7ee Mon Sep 17 00:00:00 2001
From: Nikita Popov
Date: Thu, 1 Jul 2021 13:36:57 +0200
Subject: [PATCH] Fixed bug #81208

The number of populated positional arguments is argc. i may also include named args and thus try to dtor uninitialized zvals.
---
 NEWS | 4 ++++
 ext/reflection/php_reflection.c | 2 +-
 ext/reflection/tests/bug81208.phpt | 28 ++++++++++++++++++++++++++++
 3 files changed, 33 insertions(+), 1 deletion(-)
 create mode 100644 ext/reflection/tests/bug81208.phpt

diff --git a/NEWS b/NEWS
index 97362c36691..1aee7783651 100644
--- a/NEWS
+++ b/NEWS
@@ -22,6 +22,10 @@ PHP NEWS
 - PCRE:
   . Fixed bug #81101 (PCRE2 10.37 shows unexpected result). (Anatol)
 
+- Reflection:
+  . Fixed bug #81208 (Segmentation fault while create newInstance from
+    attribute). (Nikita)
+
 17 Jun 2021, PHP 8.0.8
 
 - Core:
diff --git a/ext/reflection/php_reflection.c b/ext/reflection/php_reflection.c
index 64c5355fc83..dd447d41740 100644
--- a/ext/reflection/php_reflection.c
+++ b/ext/reflection/php_reflection.c
@@ -6435,7 +6435,7 @@ ZEND_METHOD(ReflectionAttribute, newInstance)
 	for (uint32_t i = 0; i < attr->data->argc; i++) {
 		zval val;
 		if (FAILURE == zend_get_attribute_value(&val, attr->data, i, attr->scope)) {
-			attribute_ctor_cleanup(&obj, args, i, named_params);
+			attribute_ctor_cleanup(&obj, args, argc, named_params);
 			RETURN_THROWS();
 		}
 		if (attr->data->args[i].name) {
diff --git a/ext/reflection/tests/bug81208.phpt b/ext/reflection/tests/bug81208.phpt
new file mode 100644
index 00000000000..6b4753522d4
--- /dev/null
+++ b/ext/reflection/tests/bug81208.phpt
@@ -0,0 +1,28 @@
+--TEST--
+Bug #81208: Segmentation fault while create newInstance from attribute
+--FILE--
+getProperty("property")->getAttributes() as $attribute) {
+    try {
+        $attribute->newInstance();
+    } catch (Error $e) {
+        echo $e->getMessage(), "\n";
+    }
+}
+
+?>
+--EXPECT--
+Undefined constant "asdasdasd"
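Review bot: The new `attribute_ctor_cleanup(&obj, args, argc, named_params);` line in the php_reflection.c hunk carries no explanation of why the local `argc` rather than the loop index `i` is the right count, and the local `argc` is easy to confuse with the loop bound `attr->data->argc`, which counts positional and named arguments together. Add a why-comment above the call such as `/* argc counts only the positional args already copied into args[]; named args go to named_params, so passing i would dtor uninitialized slots */` so the next reader does not "simplify" it back to `i`. The fix presumes that `argc` is incremented only in the positional branch and that `args[]` slots beyond `argc` are never written, which cannot be verified from this hunk because the `argc` declaration and the increment lie outside it. The enclosing newInstance body starts and ends outside the hunk.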