mirror of
https://github.com/php/php-src.git
synced 2024-09-21 09:57:23 +00:00
Merge branch 'PHP-8.2' into PHP-8.3
* PHP-8.2: Fix use-after-free in property coercion with __toString()
This commit is contained in:
commit
aca2322801
2
NEWS
2
NEWS
@ -10,6 +10,8 @@ PHP NEWS
|
|||||||
(nielsdos)
|
(nielsdos)
|
||||||
. Fixed OSS-Fuzz #69765. (nielsdos)
|
. Fixed OSS-Fuzz #69765. (nielsdos)
|
||||||
. Fixed bug GH-14741 (Segmentation fault in Zend/zend_types.h). (nielsdos)
|
. Fixed bug GH-14741 (Segmentation fault in Zend/zend_types.h). (nielsdos)
|
||||||
|
. Fixed bug GH-14969 (Use-after-free in property coercion with __toString()).
|
||||||
|
(ilutov)
|
||||||
|
|
||||||
- Dom:
|
- Dom:
|
||||||
. Fixed bug GH-14702 (DOMDocument::xinclude() crash). (nielsdos)
|
. Fixed bug GH-14702 (DOMDocument::xinclude() crash). (nielsdos)
|
||||||
|
47
Zend/tests/gh14969.phpt
Normal file
47
Zend/tests/gh14969.phpt
Normal file
@ -0,0 +1,47 @@
|
|||||||
|
--TEST--
|
||||||
|
GH-14969: Crash on coercion with throwing __toString()
|
||||||
|
--FILE--
|
||||||
|
<?php
|
||||||
|
|
||||||
|
class C {
|
||||||
|
public function __toString() {
|
||||||
|
global $c;
|
||||||
|
$c = [];
|
||||||
|
throw new Exception(__METHOD__);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
class D {
|
||||||
|
public string $prop;
|
||||||
|
}
|
||||||
|
|
||||||
|
$c = new C();
|
||||||
|
$d = new D();
|
||||||
|
try {
|
||||||
|
$d->prop = $c;
|
||||||
|
} catch (Throwable $e) {
|
||||||
|
echo $e->getMessage(), "\n";
|
||||||
|
}
|
||||||
|
var_dump($d);
|
||||||
|
|
||||||
|
$c = new C();
|
||||||
|
$d->prop = 'foo';
|
||||||
|
try {
|
||||||
|
$d->prop = $c;
|
||||||
|
} catch (Throwable $e) {
|
||||||
|
echo $e->getMessage(), "\n";
|
||||||
|
}
|
||||||
|
var_dump($d);
|
||||||
|
|
||||||
|
?>
|
||||||
|
--EXPECTF--
|
||||||
|
C::__toString
|
||||||
|
object(D)#%d (0) {
|
||||||
|
["prop"]=>
|
||||||
|
uninitialized(string)
|
||||||
|
}
|
||||||
|
C::__toString
|
||||||
|
object(D)#2 (1) {
|
||||||
|
["prop"]=>
|
||||||
|
string(3) "foo"
|
||||||
|
}
|
@ -846,7 +846,7 @@ ZEND_API zval *zend_std_write_property(zend_object *zobj, zend_string *name, zva
|
|||||||
goto exit;
|
goto exit;
|
||||||
}
|
}
|
||||||
if (UNEXPECTED(!type_matched)) {
|
if (UNEXPECTED(!type_matched)) {
|
||||||
Z_TRY_DELREF_P(value);
|
zval_ptr_dtor(&tmp);
|
||||||
variable_ptr = &EG(error_zval);
|
variable_ptr = &EG(error_zval);
|
||||||
goto exit;
|
goto exit;
|
||||||
}
|
}
|
||||||
@ -949,7 +949,7 @@ write_std_property:
|
|||||||
goto exit;
|
goto exit;
|
||||||
}
|
}
|
||||||
if (UNEXPECTED(!type_matched)) {
|
if (UNEXPECTED(!type_matched)) {
|
||||||
zval_ptr_dtor(value);
|
zval_ptr_dtor(&tmp);
|
||||||
goto exit;
|
goto exit;
|
||||||
}
|
}
|
||||||
value = &tmp;
|
value = &tmp;
|
||||||
|
Loading…
Reference in New Issue
Block a user