mirror of
https://github.com/php/php-src.git
synced 2024-09-22 10:27:25 +00:00
Merge branch 'PHP-7.4'
* PHP-7.4: Reset trampoline on executor startup Fix UAF in is_callable() and allocated trampoline
commit
cb7b21009b
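--- a/Zend/tests/is_callable_trampoline_uaf.phpt
+++ b/Zend/tests/is_callable_trampoline_uaf.phpt
@@ -0,0 +1,27 @@
+--TEST--
+is_callable() with trampoline should not caused UAF
+--FILE--
+<?php
+
+class B {}
+class A extends B {
+public function bar($func) {
+var_dump(is_callable(array('parent', 'foo')));
+}
+
+public function __call($func, $args) {
+}
+}
+
+class X {
+public static function __callStatic($func, $args) {
+}
+}
+
+$a = new A();
+// Extra X::foo() wrapper to force use of allocated trampoline.
+X::foo($a->bar('foo'));
+
+?>
+--EXPECT--
+bool(false)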
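Review bot: The only expectation is `bool(false)`, so this test catches the regression mainly by the process not crashing; on a build without a memory checker the pre-fix code may well print the same line and pass. A short comment in the `--FILE--` part saying the test is only meaningful under a debug, ASan or valgrind run would stop someone from later judging it redundant. The comment on the `X::foo()` wrapper could also say that `is_callable(array('parent', 'foo'))` appears to resolve through `A::__call()` and then be rejected by the strict class check, which is the path being exercised. The `--TEST--` title reads "should not caused UAF"; "should not cause a UAF" is the intended wording.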
@ -2963,12 +2963,7 @@ get_function_via_handler:
|
||||
if (strict_class &&
|
||||
(!fcc->function_handler->common.scope ||
|
||||
!instanceof_function(ce_org, fcc->function_handler->common.scope))) {
|
||||
if (fcc->function_handler->common.fn_flags & ZEND_ACC_CALL_VIA_TRAMPOLINE) {
|
||||
if (fcc->function_handler->common.function_name) {
|
||||
zend_string_release_ex(fcc->function_handler->common.function_name, 0);
|
||||
}
|
||||
zend_free_trampoline(fcc->function_handler);
|
||||
}
|
||||
zend_release_fcall_info_cache(fcc);
|
||||
} else {
|
||||
retval = 1;
|
||||
call_via_handler = (fcc->function_handler->common.fn_flags & ZEND_ACC_CALL_VIA_TRAMPOLINE) != 0;
|
||||
|
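Review bot: The call to `zend_release_fcall_info_cache(fcc)` in the strict_class failure branch has no comment saying why the helper replaces the hand-written release, and that reason is the whole fix. The helper's body is not on this page; presumably it both frees the trampoline and clears `fcc->function_handler`, whereas the inline `zend_string_release_ex()` / `zend_free_trampoline()` sequence left the pointer set after the free. I would add above the call `/* Release via the helper so fcc->function_handler is not left pointing at a freed trampoline. */`, and check whether any other site in this file still calls `zend_free_trampoline()` on `fcc->function_handler` directly. The page has lost its +/- markers, so which lines are old is inferred from the 12-to-7 hunk counts, and the enclosing function starts and ends outside the hunk.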
@ -173,6 +173,7 @@ void init_executor(void) /* {{{ */
|
||||
EG(prev_exception) = NULL;
|
||||
|
||||
EG(fake_scope) = NULL;
|
||||
EG(trampoline).common.function_name = NULL;
|
||||
|
||||
EG(ht_iterators_count) = sizeof(EG(ht_iterators_slots)) / sizeof(HashTableIterator);
|
||||
EG(ht_iterators_used) = 0;
|
||||
|
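Review bot: `EG(trampoline).common.function_name = NULL;` in init_executor() needs a one-line comment, because nothing at this spot says that the field appears to double as the in-use marker for the shared trampoline. That reading is inferred from the test comment in this commit about forcing an allocated trampoline; the allocator itself is not shown on this page. Suggested: `/* function_name == NULL marks the shared trampoline as free; clear any stale value left by a previous request. */`. init_executor() continues past the end of the hunk.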