Fix GH-17162: zend_array_try_init() with dtor can cause engine UAF

nielsdos · nielsdos · commit ee0daa59dbae · 2024-12-15T20:11:40.000+01:00
Closes GH-17167.
diff --git a/NEWS b/NEWS
@@ -4,6 +4,8 @@ PHP                                                                        NEWS
 
 - Core:
   . Fixed bug GH-17106 (ZEND_MATCH_ERROR misoptimization). (ilutov)
+  . Fixed bug GH-17162 (zend_array_try_init() with dtor can cause engine UAF).
+    (nielsdos)
 
 - DBA:
   . Skip test if inifile is disabled. (orlitzky)
diff --git a/Zend/tests/gh17162.phpt b/Zend/tests/gh17162.phpt
@@ -0,0 +1,21 @@
+--TEST--
+GH-17162 (zend_array_try_init() with dtor can cause engine UAF)
+--FILE--
+<?php
+class Test {
+    function __destruct() {
+        global $box;
+        $box->value = null;
+    }
+}
+$box = [new Test];
+// Using getimagesize() for the test because it's always available,
+// but any function that uses zend_try_array_init() would work.
+try {
+    getimagesize("dummy", $box);
+} catch (Error $e) {
+    echo $e->getMessage(), "\n";
+}
+?>
+--EXPECT--
+Attempt to assign property "value" on null
diff --git a/Zend/zend_API.h b/Zend/zend_API.h
@@ -1478,7 +1478,10 @@ static zend_always_inline zval *zend_try_array_init_size(zval *zv, uint32_t size
 		}
 		zv = &ref->val;
 	}
-	zval_ptr_dtor(zv);
+	zval garbage;
+	ZVAL_COPY_VALUE(&garbage, zv);
+	ZVAL_NULL(zv);
+	zval_ptr_dtor(&garbage);
 	ZVAL_ARR(zv, arr);
 	return zv;
 }

Original file line number	Diff line number	Diff line change
`@@ -1478,7 +1478,10 @@ static zend_always_inline zval zend_try_array_init_size(zval zv, uint32_t size`
`1478`	`1478`	`}`
`1479`	`1479`	`zv = &ref->val;`
`1480`	`1480`	`}`
`1481`		`- zval_ptr_dtor(zv);`
	`1481`	`+ zval garbage;`
	`1482`	`+ ZVAL_COPY_VALUE(&garbage, zv);`
	`1483`	`+ ZVAL_NULL(zv);`
	`1484`	`+ zval_ptr_dtor(&garbage);`
`1482`	`1485`	`ZVAL_ARR(zv, arr);`
`1483`	`1486`	`return zv;`
`1484`	`1487`	`}`