Fix OSS Fuzz #60734: use-after-free visible in ASAN build

Girgias · Girgias · commit 2fbec0974fd6 · 2023-08-01T16:40:25.000+01:00
diff --git a/Zend/tests/in-de-crement/object_cannot_incdec.phpt b/Zend/tests/in-de-crement/object_cannot_incdec.phpt
@@ -0,0 +1,45 @@
+--TEST--
+Cannot increment/decrement objects
+--FILE--
+<?php
+class Foo { }
+$o = new Foo;
+
+try {
+    $o++;
+} catch (\TypeError $e) {
+    echo $e->getMessage(), PHP_EOL;
+    var_dump($o);
+}
+try {
+    $o--;
+} catch (\TypeError $e) {
+    echo $e->getMessage(), PHP_EOL;
+    var_dump($o);
+}
+try {
+    ++$o;
+} catch (\TypeError $e) {
+    echo $e->getMessage(), PHP_EOL;
+    var_dump($o);
+}
+try {
+    --$o;
+} catch (\TypeError $e) {
+    echo $e->getMessage(), PHP_EOL;
+    var_dump($o);
+}
+?>
+--EXPECT--
+Cannot increment Foo
+object(Foo)#1 (0) {
+}
+Cannot decrement Foo
+object(Foo)#1 (0) {
+}
+Cannot increment Foo
+object(Foo)#1 (0) {
+}
+Cannot decrement Foo
+object(Foo)#1 (0) {
+}
diff --git a/Zend/tests/in-de-crement/object_cannot_incdec_use_result_op.phpt b/Zend/tests/in-de-crement/object_cannot_incdec_use_result_op.phpt
@@ -0,0 +1,45 @@
+--TEST--
+Cannot increment/decrement objects
+--FILE--
+<?php
+class Foo { }
+$o = new Foo;
+
+try {
+    $y = $o++;
+} catch (\TypeError $e) {
+    echo $e->getMessage(), PHP_EOL;
+    var_dump($o);
+}
+try {
+    $y = $o--;
+} catch (\TypeError $e) {
+    echo $e->getMessage(), PHP_EOL;
+    var_dump($o);
+}
+try {
+    $y = ++$o;
+} catch (\TypeError $e) {
+    echo $e->getMessage(), PHP_EOL;
+    var_dump($o);
+}
+try {
+    $y = --$o;
+} catch (\TypeError $e) {
+    echo $e->getMessage(), PHP_EOL;
+    var_dump($o);
+}
+?>
+--EXPECT--
+Cannot increment Foo
+object(Foo)#1 (0) {
+}
+Cannot decrement Foo
+object(Foo)#1 (0) {
+}
+Cannot increment Foo
+object(Foo)#1 (0) {
+}
+Cannot decrement Foo
+object(Foo)#1 (0) {
+}
diff --git a/Zend/tests/in-de-crement/oss-fuzz-60734_predec-object.phpt b/Zend/tests/in-de-crement/oss-fuzz-60734_predec-object.phpt
@@ -0,0 +1,14 @@
+--TEST--
+OSS Fuzz #60734: use-after-free visible in ASAN build pre decrement.
+--FILE--
+<?php
+class Foo{
+}
+$test = new Foo;
+$y = --$test;
+?>
+--EXPECTF--
+Fatal error: Uncaught TypeError: Cannot decrement Foo in %s:%d
+Stack trace:
+#0 {main}
+  thrown in %s on line %d
diff --git a/Zend/tests/in-de-crement/oss-fuzz-60734_preinc-object.phpt b/Zend/tests/in-de-crement/oss-fuzz-60734_preinc-object.phpt
@@ -0,0 +1,14 @@
+--TEST--
+OSS Fuzz #60734: use-after-free visible in ASAN build pre increment.
+--FILE--
+<?php
+class Foo{
+}
+$test = new Foo;
+$y = ++$test;
+?>
+--EXPECTF--
+Fatal error: Uncaught TypeError: Cannot increment Foo in %s:%d
+Stack trace:
+#0 {main}
+  thrown in %s on line %d
diff --git a/Zend/zend_vm_def.h b/Zend/zend_vm_def.h
@@ -1501,6 +1501,10 @@ ZEND_VM_HELPER(zend_pre_inc_helper, VAR|CV, ANY)
 		}
 		increment_function(var_ptr);
 		if (UNEXPECTED(EG(exception))) {
+			/* Smart branch expects result to be set with exceptions */
+			if (UNEXPECTED(RETURN_VALUE_USED(opline))) {
+				ZVAL_NULL(EX_VAR(opline->result.var));
+			}
 			HANDLE_EXCEPTION();
 		}
 	} while (0);
@@ -1556,6 +1560,10 @@ ZEND_VM_HELPER(zend_pre_dec_helper, VAR|CV, ANY)
 		}
 		decrement_function(var_ptr);
 		if (UNEXPECTED(EG(exception))) {
+			/* Smart branch expects result to be set with exceptions */
+			if (UNEXPECTED(RETURN_VALUE_USED(opline))) {
+				ZVAL_NULL(EX_VAR(opline->result.var));
+			}
 			HANDLE_EXCEPTION();
 		}
 	} while (0);
diff --git a/Zend/zend_vm_execute.h b/Zend/zend_vm_execute.h

Original file line number	Diff line number	Diff line change
`@@ -1501,6 +1501,10 @@ ZEND_VM_HELPER(zend_pre_inc_helper, VAR\|CV, ANY)`
`1501`	`1501`	`}`
`1502`	`1502`	`increment_function(var_ptr);`
`1503`	`1503`	`if (UNEXPECTED(EG(exception))) {`
	`1504`	`+ /* Smart branch expects result to be set with exceptions */`
	`1505`	`+ if (UNEXPECTED(RETURN_VALUE_USED(opline))) {`
	`1506`	`+ ZVAL_NULL(EX_VAR(opline->result.var));`
	`1507`	`+ }`
`1504`	`1508`	`HANDLE_EXCEPTION();`
`1505`	`1509`	`}`
`1506`	`1510`	`} while (0);`
`@@ -1556,6 +1560,10 @@ ZEND_VM_HELPER(zend_pre_dec_helper, VAR\|CV, ANY)`
`1556`	`1560`	`}`
`1557`	`1561`	`decrement_function(var_ptr);`
`1558`	`1562`	`if (UNEXPECTED(EG(exception))) {`
	`1563`	`+ /* Smart branch expects result to be set with exceptions */`
	`1564`	`+ if (UNEXPECTED(RETURN_VALUE_USED(opline))) {`
	`1565`	`+ ZVAL_NULL(EX_VAR(opline->result.var));`
	`1566`	`+ }`
`1559`	`1567`	`HANDLE_EXCEPTION();`
`1560`	`1568`	`}`
`1561`	`1569`	`} while (0);`