Merge branch 'PHP-8.3' into PHP-8.4

nielsdos · nielsdos · commit 3026e88b0cd8 · 2025-09-11T19:36:29.000+02:00
* PHP-8.3: Fix phpGH-19792: SCCP causes UAF for return value if both warning and exception are triggered
diff --git a/NEWS b/NEWS
@@ -6,6 +6,8 @@ PHP                                                                        NEWS
   . Fixed bug GH-19765 (object_properties_load() bypasses readonly property
     checks). (timwolla)
   . Fixed hard_timeout with --enable-zend-max-execution-timers. (Appla)
+  . Fixed bug GH-19792 (SCCP causes UAF for return value if both warning and
+    exception are triggered). (nielsdos)
 
 - Opcache:
   . Fixed bug GH-19669 (assertion failure in zend_jit_trace_type_to_info_ex).
diff --git a/Zend/Optimizer/sccp.c b/Zend/Optimizer/sccp.c
@@ -838,9 +838,7 @@ static inline zend_result ct_eval_func_call_ex(
 		zval_ptr_dtor(result);
 		zend_clear_exception();
 		retval = FAILURE;
-	}
-
-	if (EG(capture_warnings_during_sccp) > 1) {
+	} else if (EG(capture_warnings_during_sccp) > 1) {
 		zval_ptr_dtor(result);
 		retval = FAILURE;
 	}
diff --git a/ext/opcache/tests/opt/gh19792.phpt b/ext/opcache/tests/opt/gh19792.phpt
@@ -0,0 +1,27 @@
+--TEST--
+GH-19792 (SCCP causes UAF for return value if both warning and exception are triggered)
+--EXTENSIONS--
+opcache
+zend_test
+--INI--
+opcache.enable=1
+opcache.enable_cli=1
+opcache.optimization_level=-1
+--FILE--
+<?php
+
+function foo()
+{
+    return \zend_test_gh19792();
+}
+
+try {
+    foo();
+} catch (Error $e) {
+    echo $e->getMessage(), "\n";
+}
+
+?>
+--EXPECTF--
+Warning: a warning in %s on line %d
+an exception
diff --git a/ext/zend_test/test.c b/ext/zend_test/test.c
@@ -1588,3 +1588,12 @@ static PHP_FUNCTION(zend_test_gh18756)
 	zend_mm_gc(heap);
 	zend_mm_shutdown(heap, true, false);
 }
+
+static PHP_FUNCTION(zend_test_gh19792)
+{
+	ZEND_PARSE_PARAMETERS_NONE();
+
+	RETVAL_STRING("this is a non-interned string");
+	zend_error(E_WARNING, "a warning");
+	zend_throw_error(NULL, "an exception");
+}
diff --git a/ext/zend_test/test.stub.php b/ext/zend_test/test.stub.php
@@ -318,6 +318,9 @@ function zend_test_is_zend_ptr(int $addr): bool {}
     function zend_test_log_err_debug(string $str): void {}
 
     function zend_test_gh18756(): void {}
+
+    /** @compile-time-eval */
+    function zend_test_gh19792(): void {}
 }
 
 namespace ZendTestNS {
diff --git a/ext/zend_test/test_arginfo.h b/ext/zend_test/test_arginfo.h

Original file line number	Diff line number	Diff line change
`@@ -318,6 +318,9 @@ function zend_test_is_zend_ptr(int $addr): bool {}`
`318`	`318`	`function zend_test_log_err_debug(string $str): void {}`
`319`	`319`
`320`	`320`	`function zend_test_gh18756(): void {}`
	`321`	`+`
	`322`	`+ /** @compile-time-eval */`
	`323`	`+ function zend_test_gh19792(): void {}`
`321`	`324`	`}`
`322`	`325`
`323`	`326`	`namespace ZendTestNS {`