Merge branch 'PHP-8.1' into PHP-8.2

nielsdos · nielsdos · commit 0d12b3db64da · 2023-04-01T20:04:48.000+02:00
* PHP-8.1: Fix GH-10990: mail() throws TypeError after iterating over $additional_headers array by reference Fix GH-8841: php-cli core dump calling a badly formed function
diff --git a/NEWS b/NEWS
@@ -4,6 +4,8 @@ PHP                                                                        NEWS
 
 - Core:
   . Fix inconsistent float negation in constant expressions. (ilutov)
+  . Fixed bug GH-8841 (php-cli core dump calling a badly formed function).
+    (nielsdos)
 
 - DOM:
   . Fixed bug #80602 (Segfault when using DOMChildNode::before()).
@@ -16,6 +18,10 @@ PHP                                                                        NEWS
   . Handle indirect zvals and use up-to-date properties in
     SplFixedArray::__serialize. (nielsdos)
 
+- Standard:
+  . Fixed bug GH-10990 (mail() throws TypeError after iterating over
+    $additional_headers array by reference). (nielsdos)
+
 - Streams:
   . Fixed bug GH-10406 (feof() behavior change for UNIX based socket
     resources). (Jakub Zelenka)
diff --git a/Zend/tests/gh8841.phpt b/Zend/tests/gh8841.phpt
@@ -0,0 +1,30 @@
+--TEST--
+GH-8841 (php-cli core dump calling a badly formed function)
+--FILE--
+<?php
+register_shutdown_function(function() {
+    echo "Before calling g()\n";
+    g(1);
+    echo "After calling g()\n";
+});
+
+register_shutdown_function(function() {
+    echo "Before calling f()\n";
+    f(1);
+    echo "After calling f()\n";
+});
+
+eval('function g($x): int { return $x; }');
+eval('function f($x): void { return $x; }');
+?>
+--EXPECTF--
+Fatal error: A void function must not return a value in %s on line %d
+Before calling g()
+After calling g()
+Before calling f()
+
+Fatal error: Uncaught Error: Call to undefined function f() in %s:%d
+Stack trace:
+#0 [internal function]: {closure}()
+#1 {main}
+  thrown in %s on line %d
diff --git a/Zend/zend_compile.c b/Zend/zend_compile.c
@@ -7302,11 +7302,7 @@ static zend_string *zend_begin_func_decl(znode *result, zend_op_array *op_array,
 	}
 
 	zend_register_seen_symbol(lcname, ZEND_SYMBOL_FUNCTION);
-	if (toplevel) {
-		if (UNEXPECTED(zend_hash_add_ptr(CG(function_table), lcname, op_array) == NULL)) {
-			do_bind_function_error(lcname, op_array, 1);
-		}
-	} else {
+	if (!toplevel) {
 		uint32_t func_ref = zend_add_dynamic_func_def(op_array);
 		if (op_array->fn_flags & ZEND_ACC_CLOSURE) {
 			opline = zend_emit_op_tmp(result, ZEND_DECLARE_LAMBDA_FUNCTION, NULL, NULL);
@@ -7331,7 +7327,7 @@ static void zend_compile_func_decl(znode *result, zend_ast *ast, bool toplevel)
 	zend_ast *stmt_ast = decl->child[2];
 	zend_ast *return_type_ast = decl->child[3];
 	bool is_method = decl->kind == ZEND_AST_METHOD;
-	zend_string *lcname = NULL;
+	zend_string *lcname;
 
 	zend_class_entry *orig_class_entry = CG(active_class_entry);
 	zend_op_array *orig_op_array = CG(active_op_array);
@@ -7435,6 +7431,11 @@ static void zend_compile_func_decl(znode *result, zend_ast *ast, bool toplevel)
 		CG(zend_lineno) = decl->start_lineno;
 		zend_check_magic_method_implementation(
 			CG(active_class_entry), (zend_function *) op_array, lcname, E_COMPILE_ERROR);
+	} else if (toplevel) {
+		/* Only register the function after a successful compile */
+		if (UNEXPECTED(zend_hash_add_ptr(CG(function_table), lcname, op_array) == NULL)) {
+			do_bind_function_error(lcname, op_array, true);
+		}
 	}
 
 	/* put the implicit return on the really last line */
diff --git a/ext/standard/mail.c b/ext/standard/mail.c
@@ -136,6 +136,7 @@ static void php_mail_build_headers_elems(smart_str *s, zend_string *key, zval *v
 			zend_type_error("Header \"%s\" must only contain numeric keys, \"%s\" found", ZSTR_VAL(key), ZSTR_VAL(tmp_key));
 			break;
 		}
+		ZVAL_DEREF(tmp_val);
 		if (Z_TYPE_P(tmp_val) != IS_STRING) {
 			zend_type_error("Header \"%s\" must only contain values of type string, %s found", ZSTR_VAL(key), zend_zval_type_name(tmp_val));
 			break;
@@ -157,6 +158,7 @@ PHPAPI zend_string *php_mail_build_headers(HashTable *headers)
 			zend_type_error("Header name cannot be numeric, " ZEND_LONG_FMT " given", idx);
 			break;
 		}
+		ZVAL_DEREF(val);
 		/* https://tools.ietf.org/html/rfc2822#section-3.6 */
 		if (zend_string_equals_literal_ci(key, "orig-date")) {
 			PHP_MAIL_BUILD_HEADER_CHECK("orig-date", s, key, val);
diff --git a/ext/standard/tests/mail/gh10990.phpt b/ext/standard/tests/mail/gh10990.phpt
@@ -0,0 +1,17 @@
+--TEST--
+GH-10990 (mail() throws TypeError after iterating over $additional_headers array by reference)
+--INI--
+sendmail_path=rubbish 2>/dev/null
+--SKIPIF--
+<?php
+if(substr(PHP_OS, 0, 3) == "WIN")
+  die("skip Won't run on Windows");
+?>
+--FILE--
+<?php
+$from = 'test@example.com';
+$headers = ['From' => &$from];
+var_dump(mail('test@example.com', 'Test', 'Test', $headers));
+?>
+--EXPECT--
+bool(false)
