Merge branch 'PHP-8.4'

nielsdos · nielsdos · commit 0097ad8eb33f · 2025-03-03T08:22:55.000+01:00
* PHP-8.4: Fix GH-17938: UAF with zend_test opline observer and magic_quotes_gpc=1 (#17958)
diff --git a/ext/zend_test/test.c b/ext/zend_test/test.c
@@ -697,6 +697,15 @@ void * zend_test_custom_realloc(void * ptr, size_t len ZEND_FILE_LINE_DC ZEND_FI
 	return _zend_mm_realloc(ZT_G(zend_orig_heap), ptr, len ZEND_FILE_LINE_EMPTY_CC ZEND_FILE_LINE_EMPTY_CC);
 }
 
+static void zend_test_reset_heap(zend_zend_test_globals *zend_test_globals)
+{
+	if (zend_test_globals->zend_test_heap) {
+		free(zend_test_globals->zend_test_heap);
+		zend_test_globals->zend_test_heap = NULL;
+		zend_mm_set_heap(zend_test_globals->zend_orig_heap);
+	}
+}
+
 static PHP_INI_MH(OnUpdateZendTestObserveOplineInZendMM)
 {
 	if (new_value == NULL) {
@@ -718,10 +727,8 @@ static PHP_INI_MH(OnUpdateZendTestObserveOplineInZendMM)
 		);
 		ZT_G(zend_orig_heap) = zend_mm_get_heap();
 		zend_mm_set_heap(ZT_G(zend_test_heap));
-	} else if (ZT_G(zend_test_heap))  {
-		free(ZT_G(zend_test_heap));
-		ZT_G(zend_test_heap) = NULL;
-		zend_mm_set_heap(ZT_G(zend_orig_heap));
+	} else {
+		zend_test_reset_heap(ZEND_MODULE_GLOBALS_BULK(zend_test));
 	}
 	return OnUpdateBool(entry, new_value, mh_arg1, mh_arg2, mh_arg3, stage);
 }
@@ -1387,6 +1394,7 @@ static PHP_GINIT_FUNCTION(zend_test)
 static PHP_GSHUTDOWN_FUNCTION(zend_test)
 {
 	zend_test_observer_gshutdown(zend_test_globals);
+	zend_test_reset_heap(zend_test_globals);
 }
 
 PHP_MINFO_FUNCTION(zend_test)

Original file line number	Diff line number	Diff line change
`@@ -697,6 +697,15 @@ void * zend_test_custom_realloc(void * ptr, size_t len ZEND_FILE_LINE_DC ZEND_FI`
`697`	`697`	`return _zend_mm_realloc(ZT_G(zend_orig_heap), ptr, len ZEND_FILE_LINE_EMPTY_CC ZEND_FILE_LINE_EMPTY_CC);`
`698`	`698`	`}`
`699`	`699`
	`700`	`+static void zend_test_reset_heap(zend_zend_test_globals *zend_test_globals)`
	`701`	`+{`
	`702`	`+ if (zend_test_globals->zend_test_heap) {`
	`703`	`+ free(zend_test_globals->zend_test_heap);`
	`704`	`+ zend_test_globals->zend_test_heap = NULL;`
	`705`	`+ zend_mm_set_heap(zend_test_globals->zend_orig_heap);`
	`706`	`+ }`
	`707`	`+}`
	`708`	`+`
`700`	`709`	`static PHP_INI_MH(OnUpdateZendTestObserveOplineInZendMM)`
`701`	`710`	`{`
`702`	`711`	`if (new_value == NULL) {`
`@@ -718,10 +727,8 @@ static PHP_INI_MH(OnUpdateZendTestObserveOplineInZendMM)`
`718`	`727`	`);`
`719`	`728`	`ZT_G(zend_orig_heap) = zend_mm_get_heap();`
`720`	`729`	`zend_mm_set_heap(ZT_G(zend_test_heap));`
`721`		`- } else if (ZT_G(zend_test_heap)) {`
`722`		`- free(ZT_G(zend_test_heap));`
`723`		`- ZT_G(zend_test_heap) = NULL;`
`724`		`- zend_mm_set_heap(ZT_G(zend_orig_heap));`
	`730`	`+ } else {`
	`731`	`+ zend_test_reset_heap(ZEND_MODULE_GLOBALS_BULK(zend_test));`
`725`	`732`	`}`
`726`	`733`	`return OnUpdateBool(entry, new_value, mh_arg1, mh_arg2, mh_arg3, stage);`
`727`	`734`	`}`
`@@ -1387,6 +1394,7 @@ static PHP_GINIT_FUNCTION(zend_test)`
`1387`	`1394`	`static PHP_GSHUTDOWN_FUNCTION(zend_test)`
`1388`	`1395`	`{`
`1389`	`1396`	`zend_test_observer_gshutdown(zend_test_globals);`
	`1397`	`+ zend_test_reset_heap(zend_test_globals);`
`1390`	`1398`	`}`
`1391`	`1399`
`1392`	`1400`	`PHP_MINFO_FUNCTION(zend_test)`