Merge branch 'PHP-8.2' into PHP-8.3

nielsdos · nielsdos · commit 4fc336c78451 · 2023-12-17T11:50:42.000+01:00
* PHP-8.2: Fix getting the address of an uninitialized property of a SimpleXMLElement resulting in a crash Fix GH-12962: Double free of init_file in phpdbg_prompt.c
diff --git a/NEWS b/NEWS
@@ -28,6 +28,13 @@ PHP                                                                        NEWS
   . Added workaround for SELinux mprotect execheap issue.
     See https://bugzilla.kernel.org/show_bug.cgi?id=218258. (ilutov)
 
+- PHPDBG:
+  . Fixed bug GH-12962 (Double free of init_file in phpdbg_prompt.c). (nielsdos)
+
+- SimpleXML:
+  . Fix getting the address of an uninitialized property of a SimpleXMLElement
+    resulting in a crash. (nielsdos)
+
 07 Dec 2023, PHP 8.3.1RC1
 
 - Core:
diff --git a/ext/simplexml/simplexml.c b/ext/simplexml/simplexml.c
@@ -625,6 +625,9 @@ static zval *sxe_property_get_adr(zend_object *object, zend_string *zname, int f
 
 	sxe = php_sxe_fetch_object(object);
 	GET_NODE(sxe, node);
+	if (UNEXPECTED(!node)) {
+		return &EG(error_zval);
+	}
 	name = ZSTR_VAL(zname);
 	node = sxe_get_element_by_name(sxe, node, name, &type);
 	if (node) {
diff --git a/ext/simplexml/tests/get_prop_address_not_initialized.phpt b/ext/simplexml/tests/get_prop_address_not_initialized.phpt
@@ -0,0 +1,17 @@
+--TEST--
+Getting the address of an uninitialized property of a SimpleXMLElement
+--EXTENSIONS--
+simplexml
+--FILE--
+<?php
+
+$rc = new ReflectionClass('SimpleXMLElement');
+$sxe = $rc->newInstanceWithoutConstructor();
+$sxe->a['b'] = 'b';
+
+?>
+--EXPECTF--
+Fatal error: Uncaught Error: SimpleXMLElement is not properly initialized in %s:%d
+Stack trace:
+#0 {main}
+  thrown in %s on line %d
diff --git a/sapi/phpdbg/phpdbg_prompt.c b/sapi/phpdbg/phpdbg_prompt.c
@@ -363,7 +363,7 @@ void phpdbg_init(char *init_file, size_t init_file_len, bool use_default) /* {{{
 			}
 
 			ZEND_IGNORE_VALUE(asprintf(&init_file, "%s/%s", scan_dir, PHPDBG_INIT_FILENAME));
-			phpdbg_try_file_init(init_file, strlen(init_file), 1);
+			phpdbg_try_file_init(init_file, strlen(init_file), 0);
 			free(init_file);
 			if (i == -1) {
 				break;
diff --git a/sapi/phpdbg/tests/gh12962.phpt b/sapi/phpdbg/tests/gh12962.phpt
@@ -0,0 +1,13 @@
+--TEST--
+GH-12962 (Double free of init_file in phpdbg_prompt.c)
+--SKIPIF--
+<?php
+if (!getenv('TEST_PHPDBG_EXECUTABLE')) die("SKIP: No TEST_PHPDBG_EXECUTABLE specified");
+?>
+--FILE--
+<?php
+putenv('PHP_INI_SCAN_DIR='.__DIR__."/gh12962");
+passthru($_ENV['TEST_PHPDBG_EXECUTABLE'] . " -q");
+?>
+--EXPECT--
+Executed .phpdbginit
diff --git a/sapi/phpdbg/tests/gh12962/.phpdbginit b/sapi/phpdbg/tests/gh12962/.phpdbginit
@@ -0,0 +1,2 @@
+ev "Executed .phpdbginit"
+q

Original file line number	Diff line number	Diff line change
`@@ -363,7 +363,7 @@ void phpdbg_init(char init_file, size_t init_file_len, bool use_default) / {{{`
`363`	`363`	`}`
`364`	`364`
`365`	`365`	`ZEND_IGNORE_VALUE(asprintf(&init_file, "%s/%s", scan_dir, PHPDBG_INIT_FILENAME));`
`366`		`- phpdbg_try_file_init(init_file, strlen(init_file), 1);`
	`366`	`+ phpdbg_try_file_init(init_file, strlen(init_file), 0);`
`367`	`367`	`free(init_file);`
`368`	`368`	`if (i == -1) {`
`369`	`369`	`break;`