Fix phpGH-18033: NULL-ptr dereference when using register_tick_function in destructor

ndossche · ndossche · commit 867ed156f754 · 2025-03-15T00:32:10.000+01:00
The problem is that `php_request_shutdown` calls `php_deactivate_ticks` prior to running destructors and the shutdown functions and finalizing output handlers. So if a destructor or shutdown function re-registers a tick function, then the user tick functions handler will be added back to `PG(tick_functions)`. When the next request happens, the list `PG(tick_functions)` still contains an entry to call the user tick functions (added in the previous request during shutdown). This causes a NULL deref eventually because `run_user_tick_functions` assumes that if it is called then `BG(user_tick_functions)` must be non-NULL. Fix this by moving the tick handler deactivation. Closes phpGH-18047.
diff --git a/NEWS b/NEWS
@@ -33,6 +33,8 @@ PHP                                                                        NEWS
     zend.exception_string_param_max_len=0. (timwolla)
   . Fixed bug GH-17959 (Relax missing trait fatal error to error exception).
     (ilutov)
+  . Fixed bug GH-18033 (NULL-ptr dereference when using register_tick_function
+    in destructor). (nielsdos)
 
 - Curl:
   . Added curl_multi_get_handles(). (timwolla)
diff --git a/UPGRADING b/UPGRADING
@@ -38,6 +38,9 @@ PHP 8.5 UPGRADE NOTES
     resources that were indirectly collected through cycles.
   . It is now allowed to substitute static with self or the concrete class name
     in final subclasses.
+  . The tick handlers are now deactivated after all shutdown functions, destructors
+    have run and the output handlers have been cleaned up.
+    This is a consequence of fixing GH-18033.
 
 - Intl:
   . The extension now requires at least ICU 57.1.
diff --git a/Zend/tests/declare/gh18033_1.phpt b/Zend/tests/declare/gh18033_1.phpt
@@ -0,0 +1,24 @@
+--TEST--
+GH-18033 (NULL-ptr dereference when using register_tick_function in destructor)
+--DESCRIPTION--
+Needs --repeat 2 or something similar to reproduce
+--CREDITS--
+clesmian
+--FILE--
+<?php
+class Foo {
+  function __destruct() {
+    declare(ticks=1);
+    register_tick_function(
+       function() { }
+    );
+    echo "In destructor\n";
+  }
+}
+
+$bar = new Foo;
+echo "Done\n";
+?>
+--EXPECT--
+Done
+In destructor
diff --git a/Zend/tests/declare/gh18033_2.phpt b/Zend/tests/declare/gh18033_2.phpt
@@ -0,0 +1,16 @@
+--TEST--
+GH-18033 (NULL-ptr dereference when using register_tick_function in ob_start)
+--DESCRIPTION--
+Needs --repeat 2 or something similar to reproduce
+--CREDITS--
+clesmian
+--FILE--
+<?php
+ob_start(function() {
+    declare(ticks=1);
+    register_tick_function(
+       function() { }
+    );
+});
+?>
+--EXPECT--
diff --git a/main/main.c b/main/main.c
@@ -1904,8 +1904,6 @@ void php_request_shutdown(void *dummy)
 	 */
 	EG(current_execute_data) = NULL;
 
-	php_deactivate_ticks();
-
 	/* 0. Call any open observer end handlers that are still open after a zend_bailout */
 	if (ZEND_OBSERVER_ENABLED) {
 		zend_observer_fcall_end_all();
@@ -1926,6 +1924,8 @@ void php_request_shutdown(void *dummy)
 		php_output_end_all();
 	} zend_end_try();
 
+	php_deactivate_ticks();
+
 	/* 4. Reset max_execution_time (no longer executing php code after response sent) */
 	zend_try {
 		zend_unset_timeout();
