PHP :: Bug #80173 :: Using return value of zend_assign_to

Bug #80173

Using return value of zend_assign_to_variable() is not safe

Submitted:

2020-10-02 10:33 UTC

Modified:

Votes:	1
Avg. Score:	1.0 ± 0.0
Reproduced:	0 of 0 (0.0%)

From:

nikic@php.net

Assigned:

Status:

Closed

Package:

Scripting Engine problem

PHP Version:

7.4.11

OS:

Private report:

CVE-ID:

None

View Developer Edit

Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.

Password:

Status:
Package:
Bug Type:
Summary:
From:	nikic@php.net
New email:
PHP Version:		OS:

New Comment:

[2020-10-02 10:33 UTC] nikic@php.net

Description:
------------
Reduced from oss-fuzz #25840:

<?php           
$a = new stdClass; 
$a->a =& $a;
var_dump($a->a = 0);

zend_assign_to_variable() returns variable_ptr, which might be destroyed by the assignment.

The root cause here is the same as in bug #80100, but the reproducer is more fundamental.

Probably the only way to address this is to add a separate version of zend_assign_to_variable() that accepts a zval to copy the value into, and perform that copy before disposing garbage.

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2021-07-02 08:09 UTC] git@php.net

Automatic comment on behalf of nikic
Revision: https://github.com/php/php-src/commit/bdc60fa7da65d29ac603dd32f3824abf9e71f65f
Log: Fixed bug #80173

[2021-07-02 08:09 UTC] git@php.net

-Status: Open +Status: Closed

[2021-07-02 08:26 UTC] nikic@php.net

Related To: Bug #81190

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Sun Oct 27 16:01:27 2024 UTC