authorNikita Popov <nikita.ppv@gmail.com>2020-06-07 10:24:03 +0200
committerNikita Popov <nikita.ppv@gmail.com>2020-06-07 10:27:15 +0200
commit68fdad82c9a3d1d1fc03975b7b91fdb940c621e0 (patch)
tree84f4f7aef26f2ebdf6c01774f2acdc30f0d56972
parent06ff0e8721284f5825c6f6c4e2741d115f834806 (diff)
Fix free of uninitialized memory in attributes
Fixes OSS-Fuzz #23140.
-rw-r--r--Zend/tests/attributes/018_fatal_error_in_argument.phpt11
-rw-r--r--Zend/zend_attributes.c5
2 files changed, 16 insertions, 0 deletions
diff --git a/Zend/tests/attributes/018_fatal_error_in_argument.phpt b/Zend/tests/attributes/018_fatal_error_in_argument.phpt
new file mode 100644
index 0000000000..a950c8658a
--- /dev/null
+++ b/Zend/tests/attributes/018_fatal_error_in_argument.phpt
@@ -0,0 +1,11 @@
+--TEST--
+Don't free uninitialized memory if a fatal error occurs in an attribute argument
+--FILE--
+<?php
+
+<<Attr(a->b::c)>>
+function test() {}
+
+?>
+--EXPECTF--
+Fatal error: Dynamic class names are not allowed in compile-time class constant references in %s on line %d
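Review bot: The `--EXPECTF--` section matches only the fatal error text, so this test separates a fixed build from an unfixed one only where freeing the uninitialized argument actually faults. On a build where the stale memory happens to look harmless, the pre-fix code would presumably print the same line and pass. I would state the dependency in the description, e.g. `Don't free uninitialized memory if a fatal error occurs in an attribute argument (regression is only reliably caught under a memory checker)`, and make sure the attribute tests are part of the sanitizer or valgrind run.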
diff --git a/Zend/zend_attributes.c b/Zend/zend_attributes.c
index b9bd467acf..935f37e5b9 100644
--- a/Zend/zend_attributes.c
+++ b/Zend/zend_attributes.c
@@ -113,6 +113,11 @@ ZEND_API zend_attribute *zend_add_attribute(HashTable **attributes, zend_bool pe
attr->offset = offset;
attr->argc = argc;
+ /* Initialize arguments to avoid partial initialization in case of fatal errors. */
+ for (uint32_t i = 0; i < argc; i++) {
+ ZVAL_UNDEF(&attr->argv[i]);
+ }
+
zend_hash_next_index_insert_ptr(*attributes, attr);
return attr;
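Review bot: The comment on the new loop names the symptom but not why these slots can be reached before they are filled. `attr` is inserted into `*attributes` immediately after the loop and returned with `argv` still unpopulated, so cleanup of that table after a fatal error presumably walks all `argc` entries. I would say so in the comment, e.g. `/* attr is reachable from *attributes before the caller fills argv; mark every slot UNDEF so cleanup after a fatal error never destroys an uninitialized zval. */`. The function starts before this hunk and its closing brace is outside it, so the allocation of `attr` is not visible here; if callers fill in any other field after the return, it would need the same treatment.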