Commit d15e227

committed

Merge branch 'PHP-8.3' into PHP-8.4

* PHP-8.3: Fix uaf in SplDoublyLinkedList::offsetSet()

2 parents a8bbc84 + e5d837c commit d15e227Copy full SHA for d15e227

File tree

+34

-1

lines changed

+34

-1

lines changed

Lines changed: 2 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -82,6 +82,8 @@ PHP NEWS`
`82`	`82`
`83`	`83`	`- SPL:`
`84`	`84`	`. Fixed bug GH-16337 (Use-after-free in SplHeap). (nielsdos)`
	`85`	`+ . Fixed bug GH-16464 (Use-after-free in SplDoublyLinkedList::offsetSet()).`
	`86`	`+ (ilutov)`
`85`	`87`
`86`	`88`	`- Standard:`
`87`	`89`	`. Fixed bug GH-16293 (Failed assertion when throwing in assert() callback with`

Lines changed: 3 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -726,8 +726,10 @@ PHP_METHOD(SplDoublyLinkedList, offsetSet)`
`726`	`726`	`if (element != NULL) {`
`727`	`727`	`/* the element is replaced, delref the old one as in`
`728`	`728`	`* SplDoublyLinkedList::pop() */`
`729`		`- zval_ptr_dtor(&element->data);`
	`729`	`+ zval garbage;`
	`730`	`+ ZVAL_COPY_VALUE(&garbage, &element->data);`
`730`	`731`	`ZVAL_COPY(&element->data, value);`
	`732`	`+ zval_ptr_dtor(&garbage);`
`731`	`733`	`} else {`
`732`	`734`	`zval_ptr_dtor(value);`
`733`	`735`	`zend_argument_error(spl_ce_OutOfRangeException, 1, "is an invalid offset");`

Lines changed: 29 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,29 @@`
	`1`	`+--TEST--`
	`2`	`+GH-16464: Use-after-free in SplDoublyLinkedList::offsetSet() when modifying list in destructor of overwritten object`
	`3`	`+--FILE--`
	`4`	`+<?php`
	`5`	`+`
	`6`	`+class C {`
	`7`	`+ public $a;`
	`8`	`+`
	`9`	`+ function __destruct() {`
	`10`	`+ global $list;`
	`11`	`+ var_dump($list->pop());`
	`12`	`+ }`
	`13`	`+}`
	`14`	`+`
	`15`	`+$list = new SplDoublyLinkedList;`
	`16`	`+$list->add(0, new C);`
	`17`	`+$list[0] = 42;`
	`18`	`+var_dump($list);`
	`19`	`+`
	`20`	`+?>`
	`21`	`+--EXPECTF--`
	`22`	`+int(42)`
	`23`	`+object(SplDoublyLinkedList)#%d (2) {`
	`24`	`+ ["flags":"SplDoublyLinkedList":private]=>`
	`25`	`+ int(0)`
	`26`	`+ ["dllist":"SplDoublyLinkedList":private]=>`
	`27`	`+ array(0) {`
	`28`	`+ }`
	`29`	`+}`

Comments

(0)