From e0b1b693e35d582aa9b1c5357208a6e18ab90ccf Mon Sep 17 00:00:00 2001
From: Niels Dossche <7771979+nielsdos@users.noreply.github.com>
Date: Thu, 10 Oct 2024 23:07:03 +0200
Subject: [PATCH] Fix OSS-Fuzz #371445205: Heap-use-after-free in attr_free

zend_hash_get_current_key() does not return a string with incremented refcount, so it shouldn't get released. This release caused a UAF later when the attribute was destroyed. This wasn't noticed earlier because object_init_with_constructor() was only ever tested with interned strings.

Closes GH-16349.
---
 NEWS | 4 ++++
 Zend/tests/attributes/ossfuzz371445205.phpt | 17 +++++++++++++++++
 Zend/zend_API.c | 1 -
 3 files changed, 21 insertions(+), 1 deletion(-)
 create mode 100644 Zend/tests/attributes/ossfuzz371445205.phpt

diff --git a/NEWS b/NEWS
index 0ade3a0b1bc..68d5ff5ea9c 100644
--- a/NEWS
+++ b/NEWS
@@ -5,6 +5,10 @@ PHP NEWS
 - COM:
 . Fixed out of bound writes to SafeArray data. (cmb)
 
+- Core:
+ . Fixed bug OSS-Fuzz #371445205 (Heap-use-after-free in attr_free).
+ (nielsdos)
+
 - Curl:
 . Fixed bug GH-16302 (CurlMultiHandle holds a reference to CurlHandle if curl_multi_add_handle fails). (timwolla)
diff --git a/Zend/tests/attributes/ossfuzz371445205.phpt b/Zend/tests/attributes/ossfuzz371445205.phpt
new file mode 100644
index 00000000000..17e4f529a2a
--- /dev/null
+++ b/Zend/tests/attributes/ossfuzz371445205.phpt
@@ -0,0 +1,17 @@
+--TEST--
+OSS-Fuzz #371445205 (Heap-use-after-free in attr_free)
+--FILE--
+getAttributes()[0];
+try {
+ $attr->newInstance();
+} catch (Error $e) {
+ echo $e->getMessage(), "\n";
+}
+?>
+--EXPECT--
+Unknown named parameter $notinterned
diff --git a/Zend/zend_API.c b/Zend/zend_API.c
index 35d093ff42b..fd5b7c8db79 100644
--- a/Zend/zend_API.c
+++ b/Zend/zend_API.c
@@ -1879,7 +1879,6 @@ ZEND_API zend_result object_init_with_constructor(zval *arg, zend_class_entry *c
 zend_hash_get_current_key(named_params, &arg_name, /* num_index */ NULL);
 ZEND_ASSERT(arg_name != NULL);
 zend_throw_error(NULL, "Unknown named parameter $%s", ZSTR_VAL(arg_name));
- zend_string_release(arg_name);
 /* Do not call destructor, free object, and set arg to IS_UNDEF */
 zend_object_store_ctor_failed(obj);
 zval_ptr_dtor(arg);
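Review bot: Nothing in the new code records why `arg_name` must not be released, so the same refcount mistake the commit fixes can be reintroduced by the next reader who sees a `zend_string *` obtained and never freed; a one-line comment at the lookup would pin the ownership, e.g. `/* arg_name is borrowed from named_params: zend_hash_get_current_key() does not add a reference, so it must not be released here. */`. The return value of `zend_hash_get_current_key()` is also ignored and `ZEND_ASSERT(arg_name != NULL)` is compiled out in release builds, so the `ZSTR_VAL(arg_name)` in the error message relies on the caller having guaranteed a string key at the current position — presumably true since the table holds named parameters, but worth stating in the same comment. object_init_with_constructor() starts and ends outside this hunk.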