Merge branch 'PHP-8.3'

iluuu1994 · iluuu1994 · commit e0a6dbcbf4ab · 2023-11-20T14:06:40.000+01:00
* PHP-8.3:
  Fix use-after-free of name in var-var with malicious error handler
diff --git a/Zend/tests/oss_fuzz_54325.phpt b/Zend/tests/oss_fuzz_54325.phpt
@@ -0,0 +1,19 @@
+--TEST--
+oss-fuzz #54325: Fix use-after-free of name in var-var with malicious error handler
+--FILE--
+<?php
+set_error_handler(function ($errno, $errstr) {
+    var_dump($errstr);
+    global $x;
+    $x = new stdClass;
+});
+
+// Needs to be non-interned string
+$x = strrev('foo');
+$$x++;
+var_dump($x);
+?>
+--EXPECT--
+string(23) "Undefined variable $oof"
+object(stdClass)#2 (0) {
+}
diff --git a/Zend/zend_vm_def.h b/Zend/zend_vm_def.h
@@ -1751,13 +1751,20 @@ ZEND_VM_C_LABEL(fetch_this):
 		} else if (type == BP_VAR_IS || type == BP_VAR_UNSET) {
 			retval = &EG(uninitialized_zval);
 		} else {
+			if (OP1_TYPE == IS_CV) {
+				/* Keep name alive in case an error handler tries to free it. */
+				zend_string_addref(name);
+			}
 			zend_error(E_WARNING, "Undefined %svariable $%s",
 				(opline->extended_value & ZEND_FETCH_GLOBAL ? "global " : ""), ZSTR_VAL(name));
 			if (type == BP_VAR_RW && !EG(exception)) {
 				retval = zend_hash_update(target_symbol_table, name, &EG(uninitialized_zval));
 			} else {
 				retval = &EG(uninitialized_zval);
 			}
+			if (OP1_TYPE == IS_CV) {
+				zend_string_release(name);
+			}
 		}
 	/* GLOBAL or $$name variable may be an INDIRECT pointer to CV */
 	} else if (Z_TYPE_P(retval) == IS_INDIRECT) {
diff --git a/Zend/zend_vm_execute.h b/Zend/zend_vm_execute.h
