Patch 0001-Add-refs-to-prop-names-to-avoid-use-after-free for Reflection related Bug #79820
Patch version 2020-07-15 05:44 UTC
Developer: chris-broadbent@zencontrol.com
From 509498e02bfe006c3b738b5a085372d1e4d684a9 Mon Sep 17 00:00:00 2001
From: Christopher Broadbent <chris-broadbent@zencontrol.com>
Date: Wed, 15 Jul 2020 14:47:21 +1000
Subject: [PATCH] Add refs to prop names to avoid use after free
---
ext/reflection/php_reflection.c | 14 ++++++++++++++
1 file changed, 14 insertions(+)
diff --git a/ext/reflection/php_reflection.c b/ext/reflection/php_reflection.c
index dbfb67386e..8ba69da9e1 100644
--- a/ext/reflection/php_reflection.c
+++ b/ext/reflection/php_reflection.c
@@ -238,6 +238,11 @@ static void reflection_free_objects_storage(zend_object *object) /* {{{ */
case REF_TYPE_PROPERTY:
prop_reference = (property_reference*)intern->ptr;
zend_string_release_ex(prop_reference->unmangled_name, 0);
+
+ if (ZEND_TYPE_IS_NAME(prop_reference->prop.type)) {
+ zend_string_delref(ZEND_TYPE_NAME(prop_reference->prop.type));
+ }
+
efree(intern->ptr);
break;
case REF_TYPE_GENERATOR:
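Review bot: `zend_string_delref()` in the added REF_TYPE_PROPERTY cleanup only decrements the refcount and never frees the string. When this reflection object holds the last reference, which is the case the patch targets because the class's own copy is already gone, the type name is leaked rather than freed. Pair the two `zend_string_addref()` calls with a releasing call instead: `zend_string_release(ZEND_TYPE_NAME(prop_reference->prop.type));`. The body of reflection_free_objects_storage starts and ends outside the hunk.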
@@ -1233,6 +1238,11 @@ static void reflection_property_factory(zend_class_entry *ce, zend_string *name,
intern = Z_REFLECTION_P(object);
reference = (property_reference*) emalloc(sizeof(property_reference));
reference->prop = *prop;
+
+ if (ZEND_TYPE_IS_NAME(reference->prop.type)) {
+ zend_string_addref(ZEND_TYPE_NAME(reference->prop.type));
+ }
+
reference->unmangled_name = zend_string_copy(name);
reference->dynamic = dynamic;
intern->ptr = reference;
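Review bot: The reason for the extra reference is not stated next to `reference->prop = *prop;`. That assignment is a shallow struct copy, so the copied type still points at the name string owned by the class's property info. A comment such as `/* prop is a shallow copy: hold our own ref on the type name so it outlives the class's copy */` would make the ownership rule visible, and the same applies to the identical block added in reflection_property::__construct. Because the addref is written twice and must stay matched with the cleanup in reflection_free_objects_storage, a small static helper pair would keep the three sites in step. The function body starts and ends outside the hunk.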
@@ -5288,6 +5298,10 @@ ZEND_METHOD(reflection_property, __construct)
} else {
reference->prop = *property_info;
reference->dynamic = 0;
+
+ if (ZEND_TYPE_IS_NAME(reference->prop.type)) {
+ zend_string_addref(ZEND_TYPE_NAME(reference->prop.type));
+ }
}
reference->unmangled_name = zend_string_copy(name);
intern->ptr = reference;
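Review bot: Only the `else` branch takes a reference here, while the cleanup in reflection_free_objects_storage now tests `ZEND_TYPE_IS_NAME(prop_reference->prop.type)` for every REF_TYPE_PROPERTY object. The dynamic-property branch is outside the hunk. If it does not set `reference->prop.type` to a non-name value, the free path would drop a reference it never took, or read an uninitialised field if the struct comes from `emalloc` as it does in reflection_property_factory. It is worth confirming that the branch initialises the type, e.g. `reference->prop.type = 0;`. The patch touches only php_reflection.c, so a regression test that keeps a ReflectionProperty alive past type resolution would also help pin the fix.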
--
2.24.1