Fix long-term shutdown/tick fci/fcc storage

nikic · nikic · commit fabcc9a35008 · 2021-10-11T12:19:29.000+02:00
Normally incrementing the refcount on just function_name is
sufficient. However, if the callable is of the form 'X::y' inside
an instance method, this will capture $this in fcc.object, which
also needs to be retained.

The fci_addref/fci_release helpers should likely be exported as
a general API, as we may have this problem in other places as
well.

Fixes oss-fuzz #39778.
diff --git a/Zend/tests/register_shutdown_function_refcount.phpt b/Zend/tests/register_shutdown_function_refcount.phpt
@@ -0,0 +1,17 @@
+--TEST--
+register_shutdown_function() and long-term fci storage
+--FILE--
+<?php
+class Test {
+    function register() {
+        register_shutdown_function('Test::method');
+    }
+    function method() {
+        var_dump($this);
+    }
+}
+(new Test)->register();
+?>
+--EXPECT--
+object(Test)#1 (0) {
+}
diff --git a/ext/standard/basic_functions.c b/ext/standard/basic_functions.c
@@ -1665,20 +1665,36 @@ PHP_FUNCTION(forward_static_call_array)
 }
 /* }}} */
 
+static void fci_addref(zend_fcall_info *fci, zend_fcall_info_cache *fci_cache)
+{
+	Z_TRY_ADDREF(fci->function_name);
+	if (fci_cache->object) {
+		GC_ADDREF(fci_cache->object);
+	}
+}
+
+static void fci_release(zend_fcall_info *fci, zend_fcall_info_cache *fci_cache)
+{
+	zval_ptr_dtor(&fci->function_name);
+	if (fci_cache->object) {
+		zend_object_release(fci_cache->object);
+	}
+}
+
 void user_shutdown_function_dtor(zval *zv) /* {{{ */
 {
 	php_shutdown_function_entry *shutdown_function_entry = Z_PTR_P(zv);
 
-	zval_ptr_dtor(&shutdown_function_entry->fci.function_name);
 	zend_fcall_info_args_clear(&shutdown_function_entry->fci, true);
+	fci_release(&shutdown_function_entry->fci, &shutdown_function_entry->fci_cache);
 	efree(shutdown_function_entry);
 }
 /* }}} */
 
 void user_tick_function_dtor(user_tick_function_entry *tick_function_entry) /* {{{ */
 {
-	zval_ptr_dtor(&tick_function_entry->fci.function_name);
 	zend_fcall_info_args_clear(&tick_function_entry->fci, true);
+	fci_release(&tick_function_entry->fci, &tick_function_entry->fci_cache);
 }
 /* }}} */
 
@@ -1784,7 +1800,7 @@ PHP_FUNCTION(register_shutdown_function)
 		RETURN_THROWS();
 	}
 
-	Z_TRY_ADDREF(entry.fci.function_name);
+	fci_addref(&entry.fci, &entry.fci_cache);
 	zend_fcall_info_argp(&entry.fci, param_count, params);
 
 	status = append_user_shutdown_function(&entry);
@@ -2353,7 +2369,7 @@ PHP_FUNCTION(register_tick_function)
 	}
 
 	tick_fe.calling = false;
-	Z_TRY_ADDREF(tick_fe.fci.function_name);
+	fci_addref(&tick_fe.fci, &tick_fe.fci_cache);
 	zend_fcall_info_argp(&tick_fe.fci, param_count, params);
 
 	if (!BG(user_tick_functions)) {
