diff options
| author | Nikita Popov <nikita.ppv@gmail.com> | 2019-08-29 12:30:39 +0200 |
|---|---|---|
| committer | Nikita Popov <nikita.ppv@gmail.com> | 2019-08-29 12:32:03 +0200 |
| commit | ed749edd477bfcc3923c086a6443aaa91192e5b7 (patch) | |
| tree | 5b36faeccd920bf27f4da49db0082113f7a84980 | |
| parent | b5572658166c4b8cbc1d332877a7a84c6e18a1c1 (diff) | |
| download | php-git-ed749edd477bfcc3923c086a6443aaa91192e5b7.tar.gz | |
Fix use-after-free of immediately invoked closure with extra args
| -rw-r--r-- | Zend/tests/closure_extra_args.phpt | 11 | ||||
| -rw-r--r-- | Zend/zend_vm_def.h | 6 | ||||
| -rw-r--r-- | Zend/zend_vm_execute.h | 6 |
3 files changed, 21 insertions, 2 deletions
diff --git a/Zend/tests/closure_extra_args.phpt b/Zend/tests/closure_extra_args.phpt new file mode 100644 index 0000000000..05712e06c6 --- /dev/null +++ b/Zend/tests/closure_extra_args.phpt @@ -0,0 +1,11 @@ +--TEST-- +Immediately invoked closure with extra args +--FILE-- +<?php + +(function() {})(new stdClass); + +?> +===DONE=== +--EXPECT-- +===DONE=== diff --git a/Zend/zend_vm_def.h b/Zend/zend_vm_def.h index 84a3439e3b..df0a3d9812 100644 --- a/Zend/zend_vm_def.h +++ b/Zend/zend_vm_def.h @@ -2398,6 +2398,11 @@ ZEND_VM_HELPER(zend_leave_helper, ANY, ANY) zend_clean_and_cache_symbol_table(EX(symbol_table)); } EG(current_execute_data) = EX(prev_execute_data); + + /* Free extra args before releasing the closure, + * as that may free the op_array. */ + zend_vm_stack_free_extra_args_ex(call_info, execute_data); + if (UNEXPECTED(call_info & ZEND_CALL_RELEASE_THIS)) { zend_object *object = Z_OBJ(execute_data->This); #if 0 @@ -2413,7 +2418,6 @@ ZEND_VM_HELPER(zend_leave_helper, ANY, ANY) OBJ_RELEASE((zend_object*)execute_data->func->op_array.prototype); } - zend_vm_stack_free_extra_args_ex(call_info, execute_data); old_execute_data = execute_data; execute_data = EX(prev_execute_data); zend_vm_stack_free_call_frame_ex(call_info, old_execute_data); diff --git a/Zend/zend_vm_execute.h b/Zend/zend_vm_execute.h index c111f4d893..28fc5dabe4 100644 --- a/Zend/zend_vm_execute.h +++ b/Zend/zend_vm_execute.h @@ -468,6 +468,11 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL zend_leave_helper_SPEC(ZEND_OPCODE_ zend_clean_and_cache_symbol_table(EX(symbol_table)); } EG(current_execute_data) = EX(prev_execute_data); + + /* Free extra args before releasing the closure, + * as that may free the op_array. */ + zend_vm_stack_free_extra_args_ex(call_info, execute_data); + if (UNEXPECTED(call_info & ZEND_CALL_RELEASE_THIS)) { zend_object *object = Z_OBJ(execute_data->This); #if 0 @@ -483,7 +488,6 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL zend_leave_helper_SPEC(ZEND_OPCODE_ OBJ_RELEASE((zend_object*)execute_data->func->op_array.prototype); } - zend_vm_stack_free_extra_args_ex(call_info, execute_data); old_execute_data = execute_data; execute_data = EX(prev_execute_data); zend_vm_stack_free_call_frame_ex(call_info, old_execute_data); |