php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

Patch 0001-Add-refs-to-prop-names-to-avoid-use-after-free for Reflection related Bug #79820

Patch version 2020-07-15 05:44 UTC

Return to Bug #79820 | Download this patch
Patch Revisions:

Developer: chris-broadbent@zencontrol.com

From 509498e02bfe006c3b738b5a085372d1e4d684a9 Mon Sep 17 00:00:00 2001
From: Christopher Broadbent <chris-broadbent@zencontrol.com>
Date: Wed, 15 Jul 2020 14:47:21 +1000
Subject: [PATCH] Add refs to prop names to avoid use after free

---
 ext/reflection/php_reflection.c | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/ext/reflection/php_reflection.c b/ext/reflection/php_reflection.c
index dbfb67386e..8ba69da9e1 100644
--- a/ext/reflection/php_reflection.c
+++ b/ext/reflection/php_reflection.c
@@ -238,6 +238,11 @@ static void reflection_free_objects_storage(zend_object *object) /* {{{ */
 		case REF_TYPE_PROPERTY:
 			prop_reference = (property_reference*)intern->ptr;
 			zend_string_release_ex(prop_reference->unmangled_name, 0);
+
+			if (ZEND_TYPE_IS_NAME(prop_reference->prop.type)) {
+				zend_string_delref(ZEND_TYPE_NAME(prop_reference->prop.type));
+			}
+
 			efree(intern->ptr);
 			break;
 		case REF_TYPE_GENERATOR:
@@ -1233,6 +1238,11 @@ static void reflection_property_factory(zend_class_entry *ce, zend_string *name,
 	intern = Z_REFLECTION_P(object);
 	reference = (property_reference*) emalloc(sizeof(property_reference));
 	reference->prop = *prop;
+
+	if (ZEND_TYPE_IS_NAME(reference->prop.type)) {
+		zend_string_addref(ZEND_TYPE_NAME(reference->prop.type));
+	}
+
 	reference->unmangled_name = zend_string_copy(name);
 	reference->dynamic = dynamic;
 	intern->ptr = reference;
@@ -5288,6 +5298,10 @@ ZEND_METHOD(reflection_property, __construct)
 	} else {
 		reference->prop = *property_info;
 		reference->dynamic = 0;
+
+		if (ZEND_TYPE_IS_NAME(reference->prop.type)) {
+			zend_string_addref(ZEND_TYPE_NAME(reference->prop.type));
+		}
 	}
 	reference->unmangled_name = zend_string_copy(name);
 	intern->ptr = reference;
-- 
2.24.1

 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sun Jul 14 20:01:29 2024 UTC