php/archived-php-src
1
0
Fork 0
mirror of https://github.com/php/php-src.git synced 2026-03-24 00:02:20 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'PHP-8.5'

Browse Source 
* PHP-8.5:
  Fix uaf for nested finally with repeated return type check
This commit is contained in:
Ilija Tovilo
2026-01-16 18:39:09 +01:00
parent e85550f09d ac0dc9859a
commit eca7494122
3 changed files with 39 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

27
Zend/tests/oss_fuzz_438780145.phpt Normal file
View File

@@ -0,0 +1,27 @@
--TEST--
OSS-Fuzz #438780145: Nested finally with repeated return type check may uaf
--FILE--
<?php
function &test(): int {
$x = 0;
try {
return $x;
} finally {
try {
return $x;
} finally {
$x = "";
}
}
}
test();
?>
--EXPECTF--
Fatal error: Uncaught TypeError: test(): Return value must be of type int, string returned in %s:%d
Stack trace:
#0 %s(%d): test()
#1 {main}
thrown in %s on line %d

4
Zend/zend_vm_def.h
View File

@@ -8624,6 +8624,10 @@ ZEND_VM_HANDLER(159, ZEND_DISCARD_EXCEPTION, ANY, ANY)
zval *return_value = EX_VAR(EX(func)->op_array.opcodes[Z_OPLINE_NUM_P(fast_call)].op2.var);
zval_ptr_dtor(return_value);
/* Clear return value in case we hit both DISCARD_EXCEPTION and
* zend_dispatch_try_catch_finally_helper, which will free the return
* value again. See OSS-Fuzz #438780145. */
ZVAL_NULL(return_value);
}
/* cleanup delayed exception */

8
Zend/zend_vm_execute.h generated
View File

@@ -3498,6 +3498,10 @@ static ZEND_OPCODE_HANDLER_RET ZEND_OPCODE_HANDLER_FUNC_CCONV ZEND_DISCARD_EXCEP
zval *return_value = EX_VAR(EX(func)->op_array.opcodes[Z_OPLINE_NUM_P(fast_call)].op2.var);
zval_ptr_dtor(return_value);
/* Clear return value in case we hit both DISCARD_EXCEPTION and
* zend_dispatch_try_catch_finally_helper, which will free the return
* value again. See OSS-Fuzz #438780145. */
ZVAL_NULL(return_value);
}
/* cleanup delayed exception */
@@ -59153,6 +59157,10 @@ static ZEND_OPCODE_HANDLER_RET ZEND_OPCODE_HANDLER_CCONV ZEND_DISCARD_EXCEPTION_
zval *return_value = EX_VAR(EX(func)->op_array.opcodes[Z_OPLINE_NUM_P(fast_call)].op2.var);
zval_ptr_dtor(return_value);
/* Clear return value in case we hit both DISCARD_EXCEPTION and
* zend_dispatch_try_catch_finally_helper, which will free the return
* value again. See OSS-Fuzz #438780145. */
ZVAL_NULL(return_value);
}
/* cleanup delayed exception */