Fix uouv on oom on object allocation

Initialize object.handlers to std_object_handlers on zend_objects_new. This avoids a use-after-free for objects using custom handlers that are installed after allocation, accessing the handlers on shutdown when they haven't been set yet. Fixes phpGH-11734
iluuu1994 · Jul 18, 2023 · ed70a67 · ed70a67
1 parent b0bc057
commit ed70a67
Show file tree

Hide file tree

Showing 2 changed files with 23 additions and 1 deletion.
diff --git a/Zend/tests/gh11734.phpt b/Zend/tests/gh11734.phpt
@@ -0,0 +1,20 @@
+--TEST--
+GH-11734: Use-of-uninitialized-value when OOM on object allocation
+--INI--
+memory_limit=2M
+--SKIPIF--
+<?php
+$zend_mm_enabled = getenv("USE_ZEND_ALLOC");
+if ($zend_mm_enabled === "0") {
+    die("skip Zend MM disabled");
+}
+?>
+--FILE--
+<?php
+$objs = [];
+while (true) {
+    $objs[] = new SplPriorityQueue;
+}
+?>
+--EXPECTF--
+Fatal error: Allowed memory size of %d bytes exhausted at %s (tried to allocate %d bytes) in %s on line %d
diff --git a/Zend/zend_objects.c b/Zend/zend_objects.c
@@ -32,6 +32,9 @@ static zend_always_inline void _zend_object_std_init(zend_object *object, zend_c
 	GC_TYPE_INFO(object) = GC_OBJECT;
 	object->ce = ce;
 	object->properties = NULL;
+	/* Set to std_object_handlers in case there is an OOM error before any other handlers are
+	 * installed. This avoids a use-of-uninitialized-value on shutdown. */
+	object->handlers = &std_object_handlers;
 	zend_objects_store_put(object);
 	if (UNEXPECTED(ce->ce_flags & ZEND_ACC_USE_GUARDS)) {
 		ZVAL_UNDEF(object->properties_table + object->ce->default_properties_count);
@@ -186,7 +189,6 @@ ZEND_API zend_object* ZEND_FASTCALL zend_objects_new(zend_class_entry *ce)
 	zend_object *object = emalloc(sizeof(zend_object) + zend_object_properties_size(ce));
 
 	_zend_object_std_init(object, ce);
-	object->handlers = &std_object_handlers;
 	return object;
 }