php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #80173 Using return value of zend_assign_to_variable() is not safe
Submitted: 2020-10-02 10:33 UTC Modified: -
Votes:1
Avg. Score:1.0 ± 0.0
Reproduced:0 of 0 (0.0%)
From: nikic@php.net Assigned:
Status: Closed Package: Scripting Engine problem
PHP Version: 7.4.11 OS:
Private report: No CVE-ID: None
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: nikic@php.net
New email:
PHP Version: OS:

 

 [2020-10-02 10:33 UTC] nikic@php.net
Description:
------------
Reduced from oss-fuzz #25840:

<?php           
$a = new stdClass; 
$a->a =& $a;
var_dump($a->a = 0);

zend_assign_to_variable() returns variable_ptr, which might be destroyed by the assignment.

The root cause here is the same as in bug #80100, but the reproducer is more fundamental.

Probably the only way to address this is to add a separate version of zend_assign_to_variable() that accepts a zval to copy the value into, and perform that copy before disposing garbage.


Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2021-07-02 08:09 UTC] git@php.net
Automatic comment on behalf of nikic
Revision: https://github.com/php/php-src/commit/bdc60fa7da65d29ac603dd32f3824abf9e71f65f
Log: Fixed bug #80173
 [2021-07-02 08:09 UTC] git@php.net
-Status: Open +Status: Closed
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Nov 21 15:01:30 2024 UTC