From 6e5ef7224b3d119e27c65102de1c0eda02979944 Mon Sep 17 00:00:00 2001 From: Florian Sowade Date: Thu, 18 Nov 2021 16:16:37 +0100 Subject: [PATCH 1/3] Fixed bug #81430 Check if the runtime cache pointer is NULL before dereferencing it. --- Zend/zend_observer.c | 1 + ext/zend_test/tests/observer_bug81430_1.phpt | 26 ++++++++++++++++++++ 2 files changed, 27 insertions(+) create mode 100644 ext/zend_test/tests/observer_bug81430_1.phpt diff --git a/Zend/zend_observer.c b/Zend/zend_observer.c index b970acd85c8e5..08c09e8ff1773 100644 --- a/Zend/zend_observer.c +++ b/Zend/zend_observer.c @@ -229,6 +229,7 @@ ZEND_API void ZEND_FASTCALL zend_observer_fcall_end( zend_execute_data *ex = execute_data->prev_execute_data; while (ex && (!ex->func || ex->func->type == ZEND_INTERNAL_FUNCTION || !ZEND_OBSERVABLE_FN(ex->func->common.fn_flags) + || !&RUN_TIME_CACHE(&ex->func->op_array) || !ZEND_OBSERVER_DATA(&ex->func->op_array) || ZEND_OBSERVER_DATA(&ex->func->op_array) == ZEND_OBSERVER_NOT_OBSERVED)) { ex = ex->prev_execute_data; diff --git a/ext/zend_test/tests/observer_bug81430_1.phpt b/ext/zend_test/tests/observer_bug81430_1.phpt new file mode 100644 index 0000000000000..a3353911ae060 --- /dev/null +++ b/ext/zend_test/tests/observer_bug81430_1.phpt @@ -0,0 +1,26 @@ +--TEST-- +Bug #81430 (Attribute instantiation frame has no run time cache) +--INI-- +memory_limit=20M +zend_test.observer.enabled=1 +zend_test.observer.observe_all=1 +--FILE-- +getAttributes(A::class)[0], 'newInstance']); +--EXPECTF-- + + + + + + From a8aa2e442af88a4467be61291b7876ef13beb63b Mon Sep 17 00:00:00 2001 From: Florian Sowade Date: Thu, 25 Nov 2021 14:50:54 +0100 Subject: [PATCH 2/3] Add failing test for dangling pointer access zend_observer_fcall_end_all accesses a dangling pointer when the execute_data was allocated on the stack. --- ext/zend_test/tests/observer_bug81430_2.phpt | 32 ++++++++++++++++++++ 1 file changed, 32 insertions(+) create mode 100644 ext/zend_test/tests/observer_bug81430_2.phpt 
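Review bot: The added term `|| !&RUN_TIME_CACHE(&ex->func->op_array)` negates the address of the run time cache expression rather than its value, and an address is never NULL, so the term is always false and the NULL check described in the commit message is never performed before `ZEND_OBSERVER_DATA(&ex->func->op_array)` on the following line indexes into that cache. If `RUN_TIME_CACHE` expands to an rvalue (a cast or a conditional expression), the unary `&` will not even compile as C, so the fix looks untested in either case. The line should read `|| !RUN_TIME_CACHE(&ex->func->op_array)`, and since a frame without a run time cache is precisely the situation the bug reports, a comment above it would help the next reader, e.g. `/* bug #81430: frames created without a run time cache (attribute instantiation) must be skipped before ZEND_OBSERVER_DATA indexes into it */`. The body of zend_observer_fcall_end continues outside the hunk.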
diff --git a/ext/zend_test/tests/observer_bug81430_2.phpt b/ext/zend_test/tests/observer_bug81430_2.phpt new file mode 100644 index 0000000000000..c07488b1c81e4 --- /dev/null +++ b/ext/zend_test/tests/observer_bug81430_2.phpt @@ -0,0 +1,32 @@ +--TEST-- +Bug #81430 (Attribute instantiation leaves dangling execute_data pointer) +--INI-- +memory_limit=20M +zend_test.observer.enabled=1 +zend_test.observer.observe_all=1 +--XFAIL-- +The stack allocated execute_data is invalid in zend_observer_fcall_end_all +--FILE-- +getAttributes(A::class)[0], 'newInstance']); +--EXPECTF-- + + + + + +Fatal error: Allowed memory size of 20971520 bytes exhausted %s in %s on line %d + + From 1272778d6b9a36233091d4a515e0b203417373c4 Mon Sep 17 00:00:00 2001 From: "Christoph M. Becker" Date: Mon, 27 Dec 2021 16:12:56 +0100 Subject: [PATCH 3/3] Attempt to fix tests --- ext/zend_test/tests/observer_bug81430_1.phpt | 1 + ext/zend_test/tests/observer_bug81430_2.phpt | 3 ++- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/ext/zend_test/tests/observer_bug81430_1.phpt b/ext/zend_test/tests/observer_bug81430_1.phpt index a3353911ae060..830112b1b5370 100644 --- a/ext/zend_test/tests/observer_bug81430_1.phpt +++ b/ext/zend_test/tests/observer_bug81430_1.phpt @@ -17,6 +17,7 @@ function B() {} $r = new \ReflectionFunction("B"); call_user_func([$r->getAttributes(A::class)[0], 'newInstance']); +?> --EXPECTF-- diff --git a/ext/zend_test/tests/observer_bug81430_2.phpt b/ext/zend_test/tests/observer_bug81430_2.phpt index c07488b1c81e4..d0f23c371c4d7 100644 --- a/ext/zend_test/tests/observer_bug81430_2.phpt +++ b/ext/zend_test/tests/observer_bug81430_2.phpt @@ -21,12 +21,13 @@ function B() {} $r = new \ReflectionFunction("B"); call_user_func([$r->getAttributes(A::class)[0], 'newInstance']); +?> --EXPECTF-- -Fatal error: Allowed memory size of 20971520 bytes exhausted %s in %s on line %d +Fatal error: Allowed memory size of %d bytes exhausted %s in %s on line %d