Closed as duplicate of #20319
Description
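The following code:

```php
<?php

class A
{
    public string $prop;
}

class B
{
    public function __toString()
    {
        // Drops the global reference to the A instance while its property is being written.
        global $a;
        $a = null;
        return str_repeat('a', 1);
    }
}

// Plain assignment to the typed property: B is coerced to string via __toString().
$a = new A();
try {
    $a->prop = new B();
} catch (Error $e) {
    echo $e->getMessage(), "\n";
}

// Compound assignment (.=) on the same typed property.
$a = new A();
$a->prop = '';
try {
    $a->prop .= new B();
} catch (Error $e) {
    echo $e->getMessage(), "\n";
}
```

Resulted in this output: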
SUMMARY: AddressSanitizer: heap-use-after-free php-src/Zend/zend_types.h:670:18 in zval_get_type
==4110432==ABORTING
Commit:
9cd367362da5442861f30d3b41e967d641b90cbd
Build configuration:
CC="clang" CXX="clang++" CFLAGS="-fsanitize=address -g -O0" CXXFLAGS="-fsanitize=address -g -O0" ./configure --enable-debug --enable-address-sanitizer --disable-shared --with-pic
For your information: @vi3tL0u1s
PHP Version
PHP 8.6.0-dev (cli) (built: Nov 14 2025 10:37:56) (NTS DEBUG)
Copyright (c) The PHP Group
Zend Engine v4.6.0-dev, Copyright (c) Zend Technologies
with Zend OPcache v8.6.0-dev, Copyright (c), by Zend Technologies
Operating System
Ubuntu 22.04