Merge branch 'PHP-8.0' into PHP-8.1

dstogov · dstogov · commit ba6bb8579a5d · 2022-03-01T01:34:17.000+03:00
* PHP-8.0:
  Fix use after free
diff --git a/Zend/tests/generators/errors/resume_running_generator_error_003.phpt b/Zend/tests/generators/errors/resume_running_generator_error_003.phpt
@@ -0,0 +1,24 @@
+--TEST--
+Use-after-free when resume an already running generator
+--FILE--
+<?php
+function gen(){
+    $g = yield;
+    $g->send($y);
+}
+$gen=gen();
+try {
+    $gen->send($gen);
+}catch(y) {
+}
+?>
+--EXPECTF--
+Warning: Undefined variable $y in %sresume_running_generator_error_003.php on line 4
+
+Fatal error: Uncaught Error: Cannot resume an already running generator in %sresume_running_generator_error_003.php:4
+Stack trace:
+#0 %sresume_running_generator_error_003.php(4): Generator->send(NULL)
+#1 [internal function]: gen()
+#2 %sresume_running_generator_error_003.php(8): Generator->send(Object(Generator))
+#3 {main}
+  thrown in %sresume_running_generator_error_003.php on line 4
diff --git a/Zend/zend_generators.c b/Zend/zend_generators.c
@@ -919,8 +919,7 @@ ZEND_METHOD(Generator, send)
 
 	root = zend_generator_get_current(generator);
 	/* Put sent value in the target VAR slot, if it is used */
-	if (root->send_target) {
-		zval_ptr_dtor(root->send_target);
+	if (root->send_target && !(root->flags & ZEND_GENERATOR_CURRENTLY_RUNNING)) {
 		ZVAL_COPY(root->send_target, value);
 	}
 

Original file line number	Diff line number	Diff line change
`@@ -919,8 +919,7 @@ ZEND_METHOD(Generator, send)`
`919`	`919`
`920`	`920`	`root = zend_generator_get_current(generator);`
`921`	`921`	`/* Put sent value in the target VAR slot, if it is used */`
`922`		`- if (root->send_target) {`
`923`		`- zval_ptr_dtor(root->send_target);`
	`922`	`+ if (root->send_target && !(root->flags & ZEND_GENERATOR_CURRENTLY_RUNNING)) {`
`924`	`923`	`ZVAL_COPY(root->send_target, value);`
`925`	`924`	`}`
`926`	`925`