clones/php-src
1
0
Fork 0
mirror of https://github.com/php/php-src.git synced 2024-09-21 09:57:23 +00:00
Code Issues Packages Projects Releases Wiki Activity

Fix #81430: Attribute instantiation leaves dangling pointer

Browse Source 
By switching attribute constructor stackframe to be called via
trampoline the stack allocation is not causing dangling pointers
in the zend_observer API anymore.

Co-Authored-By: Florian Sowade <f.sowade@suora.com>
Co-Authored-By: Christopher Becker <cmbecker69@gmx.de>
Co-Authored-By: Dmitry Stogov <dmitry@zend.com>

Closes GH-7885.
This commit is contained in:
Benjamin Eberlei 2022-01-05 11:09:25 +01:00 committed by Christoph M. Becker
parent c99a026c9c
commit 2f6a06ccb0
No known key found for this signature in database
GPG Key ID: D66C9593118BCCB6
4 changed files with 69 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
NEWS
View File

@ -2,6 +2,10 @@ PHP NEWS
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
?? ??? 2022, PHP 8.0.16
- Core:
. Fixed bug #81430 (Attribute instantiation leaves dangling pointer).
(beberlei)
- FPM:
. Fixed memory leak on invalid port. (David Carlier)

1
ext/reflection/php_reflection.c
View File

@ -6315,6 +6315,7 @@ static int call_attribute_constructor(
dummy_func.type = ZEND_USER_FUNCTION;
dummy_func.common.fn_flags =
attr->flags & ZEND_ATTRIBUTE_STRICT_TYPES ? ZEND_ACC_STRICT_TYPES : 0;
dummy_func.common.fn_flags |= ZEND_ACC_CALL_VIA_TRAMPOLINE;
dummy_func.op_array.filename = filename;
dummy_opline.opcode = ZEND_DO_FCALL;

31
ext/zend_test/tests/observer_bug81430_1.phpt Normal file
View File

@ -0,0 +1,31 @@
--TEST--
Bug #81430 (Attribute instantiation frame accessing invalid frame pointer)
--EXTENSIONS--
zend_test
--INI--
memory_limit=20M
zend_test.observer.enabled=1
zend_test.observer.observe_all=1
--FILE--
<?php
#[\Attribute]
class A {
private $a;
public function __construct() {
}
}
#[A]
function B() {}
$r = new \ReflectionFunction("B");
call_user_func([$r->getAttributes(A::class)[0], 'newInstance']);
?>
--EXPECTF--
<!-- init '%s' -->
<file '%s'>
<!-- init A::__construct() -->
<A::__construct>
</A::__construct>
</file '%s'>

33
ext/zend_test/tests/observer_bug81430_2.phpt Normal file
View File

@ -0,0 +1,33 @@
--TEST--
Bug #81430 (Attribute instantiation leaves dangling execute_data pointer)
--EXTENSIONS--
zend_test
--INI--
memory_limit=20M
zend_test.observer.enabled=1
zend_test.observer.observe_all=1
--FILE--
<?php
#[\Attribute]
class A {
public function __construct() {
array_map("str_repeat", ["\xFF"], [100000000]); // cause a bailout
}
}
#[A]
function B() {}
$r = new \ReflectionFunction("B");
call_user_func([$r->getAttributes(A::class)[0], 'newInstance']);
?>
--EXPECTF--
<!-- init '%s' -->
<file '%s'>
<!-- init A::__construct() -->
<A::__construct>
Fatal error: Allowed memory size of %d bytes exhausted %s in %s on line %d
</A::__construct>
</file '%s'>