Merge branch 'PHP-7.3' into PHP-7.4

cmb69 · cmb69 · commit fce8061ede48 · 2020-07-31T10:57:02.000+02:00
* PHP-7.3:
  Fix #79919: Stack use-after-scope in define()
diff --git a/NEWS b/NEWS
@@ -8,6 +8,7 @@ PHP                                                                        NEWS
   . Fixed bug #79806 (realpath() erroneously resolves link to link). (cmb)
   . Fixed bug #79895 (PHP_CHECK_GCC_ARG does not allow flags with equal sign).
     (Santiago M. Mola)
+  . Fixed bug #79919 (Stack use-after-scope in define()). (cmb)
 
 - LDAP:
   . Fixed memory leaks. (ptomulik)
diff --git a/Zend/tests/bug79919.phpt b/Zend/tests/bug79919.phpt
@@ -0,0 +1,14 @@
+--TEST--
+Bug #79919 (Stack use-after-scope in define())
+--SKIPIF--
+<?php
+if (!extension_loaded('simplexml')) die('skip simplexml extension not available');
+?>
+--FILE--
+<?php
+$b = error_log(0);
+$b = simplexml_load_string('<xml/>', null, $b);
+define(0, $b);
+?>
+--EXPECT--
+0
diff --git a/Zend/zend_builtin_functions.c b/Zend/zend_builtin_functions.c
@@ -895,9 +895,7 @@ ZEND_FUNCTION(define)
 		case IS_OBJECT:
 			if (Z_TYPE(val_free) == IS_UNDEF) {
 				if (Z_OBJ_HT_P(val)->get) {
-					zval rv;
-					val = Z_OBJ_HT_P(val)->get(val, &rv);
-					ZVAL_COPY_VALUE(&val_free, val);
+					val = Z_OBJ_HT_P(val)->get(val, &val_free);
 					goto repeat;
 				} else if (Z_OBJ_HT_P(val)->cast_object) {
 					if (Z_OBJ_HT_P(val)->cast_object(val, &val_free, IS_STRING) == SUCCESS) {
