Merge branch 'PHP-8.4'

iluuu1994 · iluuu1994 · commit 76138d6f0ff6 · 2024-10-17T18:26:01.000+02:00
* PHP-8.4:
  Fix uaf in SplFixedArray::unset()
diff --git a/ext/spl/spl_fixedarray.c b/ext/spl/spl_fixedarray.c
@@ -459,8 +459,10 @@ static void spl_fixedarray_object_unset_dimension_helper(spl_fixedarray_object *
 		zend_throw_exception(spl_ce_OutOfBoundsException, "Index invalid or out of range", 0);
 		return;
 	} else {
-		zval_ptr_dtor(&(intern->array.elements[index]));
+		zval garbage;
+		ZVAL_COPY_VALUE(&garbage, &intern->array.elements[index]);
 		ZVAL_NULL(&intern->array.elements[index]);
+		zval_ptr_dtor(&garbage);
 	}
 }
 
diff --git a/ext/spl/tests/gh16478.phpt b/ext/spl/tests/gh16478.phpt
@@ -0,0 +1,21 @@
+--TEST--
+GH-16478: Use-after-free in SplFixedArray::unset()
+--FILE--
+<?php
+
+class C {
+    function __destruct() {
+        global $arr;
+        $arr->setSize(0);
+    }
+}
+
+$arr = new SplFixedArray(2);
+$arr[0] = new C;
+unset($arr[0]);
+var_dump($arr);
+
+?>
+--EXPECT--
+object(SplFixedArray)#1 (0) {
+}

Original file line number	Diff line number	Diff line change
`@@ -459,8 +459,10 @@ static void spl_fixedarray_object_unset_dimension_helper(spl_fixedarray_object *`
`459`	`459`	`zend_throw_exception(spl_ce_OutOfBoundsException, "Index invalid or out of range", 0);`
`460`	`460`	`return;`
`461`	`461`	`} else {`
`462`		`- zval_ptr_dtor(&(intern->array.elements[index]));`
	`462`	`+ zval garbage;`
	`463`	`+ ZVAL_COPY_VALUE(&garbage, &intern->array.elements[index]);`
`463`	`464`	`ZVAL_NULL(&intern->array.elements[index]);`
	`465`	`+ zval_ptr_dtor(&garbage);`
`464`	`466`	`}`
`465`	`467`	`}`
`466`	`468`