Merge branch 'PHP-8.2'

nielsdos · nielsdos · commit 3ab6e76ed857 · 2023-04-01T20:23:57.000+02:00
* PHP-8.2: Fix GH-10983: State-dependant segfault in ReflectionObject::getProperties Fix GH-10990: mail() throws TypeError after iterating over $additional_headers array by reference Fix GH-8841: php-cli core dump calling a badly formed function
diff --git a/Zend/tests/gh8841.phpt b/Zend/tests/gh8841.phpt
@@ -0,0 +1,30 @@
+--TEST--
+GH-8841 (php-cli core dump calling a badly formed function)
+--FILE--
+<?php
+register_shutdown_function(function() {
+    echo "Before calling g()\n";
+    g(1);
+    echo "After calling g()\n";
+});
+
+register_shutdown_function(function() {
+    echo "Before calling f()\n";
+    f(1);
+    echo "After calling f()\n";
+});
+
+eval('function g($x): int { return $x; }');
+eval('function f($x): void { return $x; }');
+?>
+--EXPECTF--
+Fatal error: A void function must not return a value in %s on line %d
+Before calling g()
+After calling g()
+Before calling f()
+
+Fatal error: Uncaught Error: Call to undefined function f() in %s:%d
+Stack trace:
+#0 [internal function]: {closure}()
+#1 {main}
+  thrown in %s on line %d
diff --git a/Zend/zend_compile.c b/Zend/zend_compile.c
@@ -7409,11 +7409,7 @@ static zend_string *zend_begin_func_decl(znode *result, zend_op_array *op_array,
 	}
 
 	zend_register_seen_symbol(lcname, ZEND_SYMBOL_FUNCTION);
-	if (toplevel) {
-		if (UNEXPECTED(zend_hash_add_ptr(CG(function_table), lcname, op_array) == NULL)) {
-			do_bind_function_error(lcname, op_array, 1);
-		}
-	} else {
+	if (!toplevel) {
 		uint32_t func_ref = zend_add_dynamic_func_def(op_array);
 		if (op_array->fn_flags & ZEND_ACC_CLOSURE) {
 			opline = zend_emit_op_tmp(result, ZEND_DECLARE_LAMBDA_FUNCTION, NULL, NULL);
@@ -7438,7 +7434,7 @@ static void zend_compile_func_decl(znode *result, zend_ast *ast, bool toplevel)
 	zend_ast *stmt_ast = decl->child[2];
 	zend_ast *return_type_ast = decl->child[3];
 	bool is_method = decl->kind == ZEND_AST_METHOD;
-	zend_string *lcname = NULL;
+	zend_string *lcname;
 
 	zend_class_entry *orig_class_entry = CG(active_class_entry);
 	zend_op_array *orig_op_array = CG(active_op_array);
@@ -7542,6 +7538,11 @@ static void zend_compile_func_decl(znode *result, zend_ast *ast, bool toplevel)
 		CG(zend_lineno) = decl->start_lineno;
 		zend_check_magic_method_implementation(
 			CG(active_class_entry), (zend_function *) op_array, lcname, E_COMPILE_ERROR);
+	} else if (toplevel) {
+		/* Only register the function after a successful compile */
+		if (UNEXPECTED(zend_hash_add_ptr(CG(function_table), lcname, op_array) == NULL)) {
+			do_bind_function_error(lcname, op_array, true);
+		}
 	}
 
 	/* put the implicit return on the really last line */
diff --git a/ext/reflection/php_reflection.c b/ext/reflection/php_reflection.c
@@ -4642,7 +4642,7 @@ ZEND_METHOD(ReflectionClass, getProperties)
 	if (Z_TYPE(intern->obj) != IS_UNDEF && (filter & ZEND_ACC_PUBLIC) != 0) {
 		HashTable *properties = Z_OBJ_HT(intern->obj)->get_properties(Z_OBJ(intern->obj));
 		zval *prop;
-		ZEND_HASH_MAP_FOREACH_STR_KEY_VAL(properties, key, prop) {
+		ZEND_HASH_FOREACH_STR_KEY_VAL(properties, key, prop) {
 			_adddynproperty(prop, key, ce, return_value);
 		} ZEND_HASH_FOREACH_END();
 	}
diff --git a/ext/simplexml/tests/gh10983.phpt b/ext/simplexml/tests/gh10983.phpt
@@ -0,0 +1,23 @@
+--TEST--
+GH-10983 (State-dependant segfault in ReflectionObject::getProperties)
+--EXTENSIONS--
+simplexml
+--FILE--
+<?php
+
+$xml = <<<XML
+<form name="test"></form>
+XML;
+
+$simplexml = simplexml_load_string($xml);
+
+var_dump($simplexml['name']);
+$reflector = new ReflectionObject($simplexml['name']);
+$rprops = $reflector->getProperties();
+
+?>
+--EXPECT--
+object(SimpleXMLElement)#2 (1) {
+  [0]=>
+  string(4) "test"
+}
diff --git a/ext/standard/mail.c b/ext/standard/mail.c
@@ -136,6 +136,7 @@ static void php_mail_build_headers_elems(smart_str *s, zend_string *key, zval *v
 			zend_type_error("Header \"%s\" must only contain numeric keys, \"%s\" found", ZSTR_VAL(key), ZSTR_VAL(tmp_key));
 			break;
 		}
+		ZVAL_DEREF(tmp_val);
 		if (Z_TYPE_P(tmp_val) != IS_STRING) {
 			zend_type_error("Header \"%s\" must only contain values of type string, %s found", ZSTR_VAL(key), zend_zval_value_name(tmp_val));
 			break;
@@ -157,6 +158,7 @@ PHPAPI zend_string *php_mail_build_headers(HashTable *headers)
 			zend_type_error("Header name cannot be numeric, " ZEND_LONG_FMT " given", idx);
 			break;
 		}
+		ZVAL_DEREF(val);
 		/* https://tools.ietf.org/html/rfc2822#section-3.6 */
 		if (zend_string_equals_literal_ci(key, "orig-date")) {
 			PHP_MAIL_BUILD_HEADER_CHECK("orig-date", s, key, val);
diff --git a/ext/standard/tests/mail/gh10990.phpt b/ext/standard/tests/mail/gh10990.phpt
@@ -0,0 +1,17 @@
+--TEST--
+GH-10990 (mail() throws TypeError after iterating over $additional_headers array by reference)
+--INI--
+sendmail_path=rubbish 2>/dev/null
+--SKIPIF--
+<?php
+if(substr(PHP_OS, 0, 3) == "WIN")
+  die("skip Won't run on Windows");
+?>
+--FILE--
+<?php
+$from = 'test@example.com';
+$headers = ['From' => &$from];
+var_dump(mail('test@example.com', 'Test', 'Test', $headers));
+?>
+--EXPECT--
+bool(false)

Original file line number	Diff line number	Diff line change
`@@ -4642,7 +4642,7 @@ ZEND_METHOD(ReflectionClass, getProperties)`
`4642`	`4642`	`if (Z_TYPE(intern->obj) != IS_UNDEF && (filter & ZEND_ACC_PUBLIC) != 0) {`
`4643`	`4643`	`HashTable *properties = Z_OBJ_HT(intern->obj)->get_properties(Z_OBJ(intern->obj));`
`4644`	`4644`	`zval *prop;`
`4645`		`- ZEND_HASH_MAP_FOREACH_STR_KEY_VAL(properties, key, prop) {`
	`4645`	`+ ZEND_HASH_FOREACH_STR_KEY_VAL(properties, key, prop) {`
`4646`	`4646`	`_adddynproperty(prop, key, ce, return_value);`
`4647`	`4647`	`} ZEND_HASH_FOREACH_END();`
`4648`	`4648`	`}`