Fixed bug #73900

2024-09-21 18:07:23 +00:00 · 2017-06-25 19:48:17 +02:00 · 2017-06-25 19:48:17 +02:00 · 2fddc4a7f1
commit 2fddc4a7f1
parent de66e80d75
3 changed files with 19 additions and 10 deletions
--- a/1
+++ b/1
@ -6,6 +6,7 @@ PHP                                                                        NEWS
  . Fixed bug #74780 (parse_url() borken when query string contains colon). 
    (jhdxr)
  . Fixed bug #74761 (Unary operator expected error on some systems). (petk)
+  . Fixed bug #73900 (Use After Free in unserialize() SplFixedArray). (nikic)

 - SPL:
  . Fixed bug #73471 (PHP freezes with AppendIterator). (jhdxr)
--- a/Zend/tests/bug73900.phpt
+++ b/Zend/tests/bug73900.phpt
@ -0,0 +1,15 @@
+--TEST--
+Bug #73900: Use After Free in unserialize() SplFixedArray
+--FILE--
+<?php
+
+$a = new stdClass;
+$b = new SplFixedArray(1);
+$b[0] = $a;
+$c = &$b[0];
+var_dump($c);
+
+?>
+--EXPECT--
+object(stdClass)#1 (0) {
+}
--- a/Zend/zend_execute.c
+++ b/Zend/zend_execute.c
@ -1758,16 +1758,9 @@ convert_to_array:
 				zend_error(E_NOTICE, "Indirect modification of overloaded element of %s has no effect", ZSTR_VAL(ce->name));
 			} else if (EXPECTED(retval && Z_TYPE_P(retval) != IS_UNDEF)) {
 				if (!Z_ISREF_P(retval)) {
-					if (Z_REFCOUNTED_P(retval) &&
-					    Z_REFCOUNT_P(retval) > 1) {
-						if (Z_TYPE_P(retval) != IS_OBJECT) {
-							Z_DELREF_P(retval);
-							ZVAL_DUP(result, retval);
-							retval = result;
-						} else {
-							ZVAL_COPY_VALUE(result, retval);
-							retval = result;
-						}
+					if (result != retval) {
+						ZVAL_COPY(result, retval);
+						retval = result;
 					}
 					if (Z_TYPE_P(retval) != IS_OBJECT) {
 						zend_class_entry *ce = Z_OBJCE_P(container);