Fixed bug #80173

The analysis in the bug report wasn't correct (at least not in this case -- there may still be a more general problem here), the issue was that write_property returned the original variable_ptr rather than the zend_assign_to_variable() return value, which will DEREF the variable before overwriting it.
php · Jul 2, 2021 · bdc60fa · bdc60fa
1 parent 36f5d71
commit bdc60fa
Show file tree

Hide file tree

Showing 3 changed files with 16 additions and 1 deletion.
diff --git a/NEWS b/NEWS
@@ -11,6 +11,8 @@ PHP                                                                        NEWS
     the process). (Calvin Buckley)
   . Fixed bug #73630 (Built-in Weberver - overwrite $_SERVER['request_uri']).
     (cmb)
+  . Fixed bug #80173 (Using return value of zend_assign_to_variable() is not
+    safe). (Nikita)
 
 - Intl:
   . Fixed bug #72809 (Locale::lookup() wrong result with canonicalize option).

diff --git a/Zend/tests/write_property_ref_overwrite_return.phpt b/Zend/tests/write_property_ref_overwrite_return.phpt
@@ -0,0 +1,12 @@
+--TEST--
+Using return of property assignment to reference that destroys object
+--FILE--
+<?php
+
+$a = new stdClass;
+$a->a =& $a;
+var_dump($a->a = 0);
+
+?>
+--EXPECT--
+int(0)
diff --git a/Zend/zend_object_handlers.c b/Zend/zend_object_handlers.c
@@ -849,7 +849,8 @@ ZEND_API zval *zend_std_write_property(zval *object, zval *member, zval *value,
 			}
 
 found:
-			zend_assign_to_variable(variable_ptr, value, IS_TMP_VAR, property_uses_strict_types());
+			variable_ptr = zend_assign_to_variable(
+				variable_ptr, value, IS_TMP_VAR, property_uses_strict_types());
 			goto exit;
 		}
 		if (Z_PROP_FLAG_P(variable_ptr) == IS_PROP_UNINIT) {