php/archived-php-src
1
0
Fork 0
mirror of https://github.com/php/php-src.git synced 2026-03-24 00:02:20 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'PHP-8.5'

Browse Source 
* PHP-8.5:
  Fix by-ref assignment to uninitialized hooked backing value
This commit is contained in:
Ilija Tovilo
2026-01-16 14:49:06 +01:00
parent 6e6a850cb9 da6f1230c2
commit e85550f09d
3 changed files with 58 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

22
Zend/tests/oss-fuzz-471486164-001.phpt Normal file
View File

@@ -0,0 +1,22 @@
--TEST--
OSS-Fuzz #471486164: get_property_ptr_ptr() on uninitialized hooked property
--FILE--
<?php
class C {
public $a {
get => $this->a;
set { $this->a = &$value; }
}
public $x = 1;
}
$proxy = (new ReflectionClass(C::class))->newLazyProxy(function ($proxy) {
$proxy->a = 1;
return new C;
});
var_dump($proxy->x);
?>
--EXPECT--
int(1)

26
Zend/tests/oss-fuzz-471486164-002.phpt Normal file
View File

@@ -0,0 +1,26 @@
--TEST--
OSS-Fuzz #471486164: get_property_ptr_ptr() on uninitialized hooked property
--FILE--
<?php
class C {
public int $a {
get => $this->a;
set {
global $ref;
$this->a = &$ref;
}
}
}
$ref = 1;
$proxy = new C;
$proxy->a = 1;
var_dump($proxy->a);
$ref++;
var_dump($proxy->a);
?>
--EXPECT--
int(1)
int(2)

11
Zend/zend_object_handlers.c
View File

@@ -1398,6 +1398,7 @@ ZEND_API zval *zend_std_get_property_ptr_ptr(zend_object *zobj, zend_string *nam
property_offset = zend_get_property_offset(zobj->ce, name, (zobj->ce->__get != NULL), cache_slot, &prop_info);
if (EXPECTED(IS_VALID_PROPERTY_OFFSET(property_offset))) {
try_again:
retval = OBJ_PROP(zobj, property_offset);
if (UNEXPECTED(Z_TYPE_P(retval) == IS_UNDEF)) {
if (EXPECTED(!zobj->ce->__get) ||
@@ -1477,7 +1478,15 @@ ZEND_API zval *zend_std_get_property_ptr_ptr(zend_object *zobj, zend_string *nam
}
retval = zend_hash_add(zobj->properties, name, &EG(uninitialized_zval));
}
} else if (!IS_HOOKED_PROPERTY_OFFSET(property_offset) && zobj->ce->__get == NULL) {
} else if (IS_HOOKED_PROPERTY_OFFSET(property_offset)) {
if (!(prop_info->flags & ZEND_ACC_VIRTUAL) && !zend_should_call_hook(prop_info, zobj)) {
property_offset = prop_info->offset;
if (!ZEND_TYPE_IS_SET(prop_info->type)) {
prop_info = NULL;
}
goto try_again;
}
} else if (zobj->ce->__get == NULL) {
retval = &EG(error_zval);
}