Merge branch 'PHP-8.1' into PHP-8.2

iluuu1994 · iluuu1994 · commit d1fc88c726bc · 2023-03-31T14:42:35.000+02:00
* PHP-8.1:
  Fix incorrect zval type_flags in preg_replace_callback_array() for immutable arrays
diff --git a/NEWS b/NEWS
@@ -9,6 +9,9 @@ PHP                                                                        NEWS
   . Fixed bug #80602 (Segfault when using DOMChildNode::before()).
     (Nathan Freeman)
 
+- PCRE:
+  . Fixed bug GH-10968 (Segfault in preg_replace_callback_array()). (ilutov)
+
 - SPL:
   . Handle indirect zvals and use up-to-date properties in
     SplFixedArray::__serialize. (nielsdos)
diff --git a/ext/pcre/php_pcre.c b/ext/pcre/php_pcre.c
@@ -2457,7 +2457,12 @@ PHP_FUNCTION(preg_replace_callback_array)
 	}
 
 	if (subject_ht) {
-		RETURN_ARR(subject_ht);
+		RETVAL_ARR(subject_ht);
+		// Unset the type_flags of immutable arrays to prevent the VM from performing refcounting
+		if (GC_FLAGS(subject_ht) & IS_ARRAY_IMMUTABLE) {
+			Z_TYPE_FLAGS_P(return_value) = 0;
+		}
+		return;
 	} else {
 		RETURN_STR(subject_str);
 	}
diff --git a/ext/pcre/tests/gh10968.phpt b/ext/pcre/tests/gh10968.phpt
@@ -0,0 +1,11 @@
+--TEST--
+GH-10968: preg_replace_callback_array() segmentation fault
+--FILE--
+<?php
+var_dump(preg_replace_callback_array([], []));
+var_dump(preg_replace_callback_array([], ''));
+?>
+--EXPECT--
+array(0) {
+}
+string(0) ""

Original file line number	Diff line number	Diff line change
`@@ -2457,7 +2457,12 @@ PHP_FUNCTION(preg_replace_callback_array)`
`2457`	`2457`	`}`
`2458`	`2458`
`2459`	`2459`	`if (subject_ht) {`
`2460`		`- RETURN_ARR(subject_ht);`
	`2460`	`+ RETVAL_ARR(subject_ht);`
	`2461`	`+ // Unset the type_flags of immutable arrays to prevent the VM from performing refcounting`
	`2462`	`+ if (GC_FLAGS(subject_ht) & IS_ARRAY_IMMUTABLE) {`
	`2463`	`+ Z_TYPE_FLAGS_P(return_value) = 0;`
	`2464`	`+ }`
	`2465`	`+ return;`
`2461`	`2466`	`} else {`
`2462`	`2467`	`RETURN_STR(subject_str);`
`2463`	`2468`	`}`