Fixed bug #80290

Dropping the dtor arg args[3] rather than using STR_COPY: Since PHP 8, we no longer support separation in call_user_function(), so we also don't need to worry about things like arguments being replaced with references.
php · Oct 30, 2020 · 3bd3651 · 3bd3651
1 parent b133183
commit 3bd3651
Show file tree

Hide file tree

Showing 3 changed files with 24 additions and 5 deletions.
diff --git a/NEWS b/NEWS
@@ -15,6 +15,8 @@ PHP                                                                        NEWS
 - Standard:
   . Don't force rebuild of symbol table, when populating $http_response_header
     variable by the HTTP stream wrapper. (Dmitry)
+  . Fixed bug #80290 (Double free when ASSERT_CALLBACK is used with a dynamic
+    message). (Nikita)
 
 29 Oct 2020, PHP 8.0.0RC3
 

diff --git a/ext/standard/assert.c b/ext/standard/assert.c
@@ -181,15 +181,11 @@ PHP_FUNCTION(assert)
 		if (description_str) {
 			ZVAL_STR(&args[3], description_str);
 			call_user_function(NULL, NULL, &ASSERTG(callback), &retval, 4, args);
-			zval_ptr_dtor(&(args[3]));
-			zval_ptr_dtor(&(args[2]));
-			zval_ptr_dtor(&(args[0]));
 		} else {
 			call_user_function(NULL, NULL, &ASSERTG(callback), &retval, 3, args);
-			zval_ptr_dtor(&(args[2]));
-			zval_ptr_dtor(&(args[0]));
 		}
 
+		zval_ptr_dtor(&args[0]);
 		zval_ptr_dtor(&retval);
 	}
 

diff --git a/ext/standard/tests/assert/bug80290.phpt b/ext/standard/tests/assert/bug80290.phpt
@@ -0,0 +1,21 @@
+--TEST--
+Bug #80290: Double free when ASSERT_CALLBACK is used with a dynamic message
+--FILE--
+<?php
+
+assert_options(ASSERT_CALLBACK, function($file, $line, $unused, $message) {
+    var_dump($message);
+});
+
+$x = 'x';
+assert(false, 'Dynamic message: ' . $x);
+
+?>
+--EXPECTF--
+string(18) "Dynamic message: x"
+
+Fatal error: Uncaught AssertionError: Dynamic message: x in %s:%d
+Stack trace:
+#0 %s(%d): assert(false, 'Dynamic message...')
+#1 {main}
+  thrown in %s on line %d