Fix GH-17745: zlib extension incorrectly handles object arguments

Because of the "H" modifier in ZPP, there are two bugs: 1) The stub is wrong and will cause a crash in debug mode. 2) Non-dynamic properties are not read correctly because they are not DEINDIRECTed. Closes GH-17750.
2026-03-24 00:02:20 +01:00 · 2025-02-09 15:13:33 +01:00
parent 6ea1c7cb5b
commit 4b5c29ef50
5 changed files with 35 additions and 5 deletions
--- a/4
+++ b/4
@@ -38,6 +38,10 @@ PHP                                                                        NEWS
 - Streams:
  . Fixed bug GH-17650 (realloc with size 0 in user_filters.c). (nielsdos)

+- Zlib:
+  . Fixed bug GH-17745 (zlib extension incorrectly handles object arguments).
+    (nielsdos)
+
 13 Feb 2025, PHP 8.3.17

 - Core:
--- a/ext/zlib/tests/gh17745.phpt
+++ b/ext/zlib/tests/gh17745.phpt
@@ -0,0 +1,20 @@
+--TEST--
+GH-17745 (zlib extension incorrectly handles object arguments)
+--EXTENSIONS--
+zlib
+--FILE--
+<?php
+$obj = new stdClass;
+$obj->level = 3;
+var_dump(deflate_init(ZLIB_ENCODING_RAW, $obj));
+
+class Options {
+    public int $level = 3;
+}
+var_dump(deflate_init(ZLIB_ENCODING_RAW, new Options));
+?>
+--EXPECT--
+object(DeflateContext)#2 (0) {
+}
+object(DeflateContext)#3 (0) {
+}
--- a/ext/zlib/zlib.c
+++ b/ext/zlib/zlib.c
@@ -790,6 +790,7 @@ static bool zlib_create_dictionary_string(HashTable *options, char **dict, size_
 	zval *option_buffer;

 	if (options && (option_buffer = zend_hash_str_find(options, ZEND_STRL("dictionary"))) != NULL) {
+		ZVAL_DEINDIRECT(option_buffer);
 		ZVAL_DEREF(option_buffer);
 		switch (Z_TYPE_P(option_buffer)) {
 			case IS_STRING: {
@@ -870,6 +871,7 @@ PHP_FUNCTION(inflate_init)
 	}

 	if (options && (option_buffer = zend_hash_str_find(options, ZEND_STRL("window"))) != NULL) {
+		ZVAL_DEINDIRECT(option_buffer);
 		window = zval_get_long(option_buffer);
 	}
 	if (window < 8 || window > 15) {
@@ -1088,6 +1090,7 @@ PHP_FUNCTION(deflate_init)
 	}

 	if (options && (option_buffer = zend_hash_str_find(options, ZEND_STRL("level"))) != NULL) {
+		ZVAL_DEINDIRECT(option_buffer);
 		level = zval_get_long(option_buffer);
 	}
 	if (level < -1 || level > 9) {
@@ -1096,6 +1099,7 @@ PHP_FUNCTION(deflate_init)
 	}

 	if (options && (option_buffer = zend_hash_str_find(options, ZEND_STRL("memory"))) != NULL) {
+		ZVAL_DEINDIRECT(option_buffer);
 		memory = zval_get_long(option_buffer);
 	}
 	if (memory < 1 || memory > 9) {
@@ -1104,6 +1108,7 @@ PHP_FUNCTION(deflate_init)
 	}

 	if (options && (option_buffer = zend_hash_str_find(options, ZEND_STRL("window"))) != NULL) {
+		ZVAL_DEINDIRECT(option_buffer);
 		window = zval_get_long(option_buffer);
 	}
 	if (window < 8 || window > 15) {
@@ -1112,6 +1117,7 @@ PHP_FUNCTION(deflate_init)
 	}

 	if (options && (option_buffer = zend_hash_str_find(options, ZEND_STRL("strategy"))) != NULL) {
+		ZVAL_DEINDIRECT(option_buffer);
 		strategy = zval_get_long(option_buffer);
 	}
 	switch (strategy) {
--- a/ext/zlib/zlib.stub.php
+++ b/ext/zlib/zlib.stub.php
@@ -270,11 +270,11 @@ function gzread($stream, int $length): string|false {}
 */
 function gzgets($stream, ?int $length = null): string|false {}

-function deflate_init(int $encoding, array $options = []): DeflateContext|false {}
+function deflate_init(int $encoding, array|object $options = []): DeflateContext|false {}

 function deflate_add(DeflateContext $context, string $data, int $flush_mode = ZLIB_SYNC_FLUSH): string|false {}

-function inflate_init(int $encoding, array $options = []): InflateContext|false {}
+function inflate_init(int $encoding, array|object $options = []): InflateContext|false {}

 function inflate_add(InflateContext $context, string $data, int $flush_mode = ZLIB_SYNC_FLUSH): string|false {}

--- a/ext/zlib/zlib_arginfo.h
+++ b/ext/zlib/zlib_arginfo.h
@@ -1,5 +1,5 @@
 /* This is a generated file, edit the .stub.php file instead.
- * Stub hash: 3660ad3239f93c84b6909c36ddfcc92dd0773c70 */
+ * Stub hash: a86ccc292b5312e740a9d798bfcaf014513d5cce */

 ZEND_BEGIN_ARG_WITH_RETURN_TYPE_MASK_EX(arginfo_ob_gzhandler, 0, 2, MAY_BE_STRING|MAY_BE_FALSE)
 	ZEND_ARG_TYPE_INFO(0, data, IS_STRING, 0)
@@ -106,7 +106,7 @@ ZEND_END_ARG_INFO()

 ZEND_BEGIN_ARG_WITH_RETURN_OBJ_TYPE_MASK_EX(arginfo_deflate_init, 0, 1, DeflateContext, MAY_BE_FALSE)
 	ZEND_ARG_TYPE_INFO(0, encoding, IS_LONG, 0)
-	ZEND_ARG_TYPE_INFO_WITH_DEFAULT_VALUE(0, options, IS_ARRAY, 0, "[]")
+	ZEND_ARG_TYPE_MASK(0, options, MAY_BE_ARRAY|MAY_BE_OBJECT, "[]")
 ZEND_END_ARG_INFO()

 ZEND_BEGIN_ARG_WITH_RETURN_TYPE_MASK_EX(arginfo_deflate_add, 0, 2, MAY_BE_STRING|MAY_BE_FALSE)
@@ -117,7 +117,7 @@ ZEND_END_ARG_INFO()

 ZEND_BEGIN_ARG_WITH_RETURN_OBJ_TYPE_MASK_EX(arginfo_inflate_init, 0, 1, InflateContext, MAY_BE_FALSE)
 	ZEND_ARG_TYPE_INFO(0, encoding, IS_LONG, 0)
-	ZEND_ARG_TYPE_INFO_WITH_DEFAULT_VALUE(0, options, IS_ARRAY, 0, "[]")
+	ZEND_ARG_TYPE_MASK(0, options, MAY_BE_ARRAY|MAY_BE_OBJECT, "[]")
 ZEND_END_ARG_INFO()

 ZEND_BEGIN_ARG_WITH_RETURN_TYPE_MASK_EX(arginfo_inflate_add, 0, 2, MAY_BE_STRING|MAY_BE_FALSE)