Merge branch 'PHP-8.3' into PHP-8.4

nielsdos · nielsdos · commit 4c751ec04cba · 2025-03-03T08:22:49.000+01:00
* PHP-8.3: Fix GH-17938: UAF with zend_test opline observer and magic_quotes_gpc=1 (#17958)
diff --git a/ext/zend_test/test.c b/ext/zend_test/test.c
@@ -703,6 +703,15 @@ void * zend_test_custom_realloc(void * ptr, size_t len ZEND_FILE_LINE_DC ZEND_FI
 	return _zend_mm_realloc(ZT_G(zend_orig_heap), ptr, len ZEND_FILE_LINE_EMPTY_CC ZEND_FILE_LINE_EMPTY_CC);
 }
 
+static void zend_test_reset_heap(zend_zend_test_globals *zend_test_globals)
+{
+	if (zend_test_globals->zend_test_heap) {
+		free(zend_test_globals->zend_test_heap);
+		zend_test_globals->zend_test_heap = NULL;
+		zend_mm_set_heap(zend_test_globals->zend_orig_heap);
+	}
+}
+
 static PHP_INI_MH(OnUpdateZendTestObserveOplineInZendMM)
 {
 	if (new_value == NULL) {
@@ -724,10 +733,8 @@ static PHP_INI_MH(OnUpdateZendTestObserveOplineInZendMM)
 		);
 		ZT_G(zend_orig_heap) = zend_mm_get_heap();
 		zend_mm_set_heap(ZT_G(zend_test_heap));
-	} else if (ZT_G(zend_test_heap))  {
-		free(ZT_G(zend_test_heap));
-		ZT_G(zend_test_heap) = NULL;
-		zend_mm_set_heap(ZT_G(zend_orig_heap));
+	} else {
+		zend_test_reset_heap(ZEND_MODULE_GLOBALS_BULK(zend_test));
 	}
 	return OnUpdateBool(entry, new_value, mh_arg1, mh_arg2, mh_arg3, stage);
 }
@@ -1397,6 +1404,7 @@ static PHP_GINIT_FUNCTION(zend_test)
 static PHP_GSHUTDOWN_FUNCTION(zend_test)
 {
 	zend_test_observer_gshutdown(zend_test_globals);
+	zend_test_reset_heap(zend_test_globals);
 }
 
 PHP_MINFO_FUNCTION(zend_test)

Original file line number	Diff line number	Diff line change
`@@ -703,6 +703,15 @@ void * zend_test_custom_realloc(void * ptr, size_t len ZEND_FILE_LINE_DC ZEND_FI`
`703`	`703`	`return _zend_mm_realloc(ZT_G(zend_orig_heap), ptr, len ZEND_FILE_LINE_EMPTY_CC ZEND_FILE_LINE_EMPTY_CC);`
`704`	`704`	`}`
`705`	`705`
	`706`	`+static void zend_test_reset_heap(zend_zend_test_globals *zend_test_globals)`
	`707`	`+{`
	`708`	`+ if (zend_test_globals->zend_test_heap) {`
	`709`	`+ free(zend_test_globals->zend_test_heap);`
	`710`	`+ zend_test_globals->zend_test_heap = NULL;`
	`711`	`+ zend_mm_set_heap(zend_test_globals->zend_orig_heap);`
	`712`	`+ }`
	`713`	`+}`
	`714`	`+`
`706`	`715`	`static PHP_INI_MH(OnUpdateZendTestObserveOplineInZendMM)`
`707`	`716`	`{`
`708`	`717`	`if (new_value == NULL) {`
`@@ -724,10 +733,8 @@ static PHP_INI_MH(OnUpdateZendTestObserveOplineInZendMM)`
`724`	`733`	`);`
`725`	`734`	`ZT_G(zend_orig_heap) = zend_mm_get_heap();`
`726`	`735`	`zend_mm_set_heap(ZT_G(zend_test_heap));`
`727`		`- } else if (ZT_G(zend_test_heap)) {`
`728`		`- free(ZT_G(zend_test_heap));`
`729`		`- ZT_G(zend_test_heap) = NULL;`
`730`		`- zend_mm_set_heap(ZT_G(zend_orig_heap));`
	`736`	`+ } else {`
	`737`	`+ zend_test_reset_heap(ZEND_MODULE_GLOBALS_BULK(zend_test));`
`731`	`738`	`}`
`732`	`739`	`return OnUpdateBool(entry, new_value, mh_arg1, mh_arg2, mh_arg3, stage);`
`733`	`740`	`}`
`@@ -1397,6 +1404,7 @@ static PHP_GINIT_FUNCTION(zend_test)`
`1397`	`1404`	`static PHP_GSHUTDOWN_FUNCTION(zend_test)`
`1398`	`1405`	`{`
`1399`	`1406`	`zend_test_observer_gshutdown(zend_test_globals);`
	`1407`	`+ zend_test_reset_heap(zend_test_globals);`
`1400`	`1408`	`}`
`1401`	`1409`
`1402`	`1410`	`PHP_MINFO_FUNCTION(zend_test)`