PHP :: Bug #80173 :: Using return value of zend_assign_to

Bug #80173

Using return value of zend_assign_to_variable() is not safe

Submitted:

2020-10-02 10:33 UTC

Modified:

Votes:	1
Avg. Score:	1.0 ± 0.0
Reproduced:	0 of 0 (0.0%)

From:

nikic@php.net

Assigned:

Status:

Closed

Package:

Scripting Engine problem

PHP Version:

7.4.11

OS:

Private report:

CVE-ID:

None

View Add Comment Developer Edit

[2020-10-02 10:33 UTC] nikic@php.net

Description:
------------
Reduced from oss-fuzz #25840:

<?php           
$a = new stdClass; 
$a->a =& $a;
var_dump($a->a = 0);

zend_assign_to_variable() returns variable_ptr, which might be destroyed by the assignment.

The root cause here is the same as in bug #80100, but the reproducer is more fundamental.

Probably the only way to address this is to add a separate version of zend_assign_to_variable() that accepts a zval to copy the value into, and perform that copy before disposing garbage.

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports

[2021-07-02 08:09 UTC] git@php.net

Automatic comment on behalf of nikic
Revision: https://github.com/php/php-src/commit/bdc60fa7da65d29ac603dd32f3824abf9e71f65f
Log: Fixed bug #80173

[2021-07-02 08:09 UTC] git@php.net

-Status: Open +Status: Closed

[2021-07-02 08:26 UTC] nikic@php.net

Related To: Bug #81190

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Tue Apr 23 07:01:29 2024 UTC