Fix GH-21639: Guard frameless reentry at handler sites

Author: prateekbhujel

Zend/tests/gh21639.phpt

@@ -0,0 +1,151 @@
+--TEST--
+GH-21639: Frameless calls keep volatile arguments alive
+--FILE--
+<?php
+class ImplodeElement {
+    public function __toString(): string {
+        global $separator, $pieces;
+
+        $separator = null;
+        $pieces = null;
+
+        return "C";
+    }
+}
+
+$separator = str_repeat(",", 1) . " ";
+$pieces = [new ImplodeElement(), 42];
+
+var_dump(implode($separator, $pieces));
+var_dump($separator, $pieces);
+
+class MutatingSeparator {
+    public function __toString(): string {
+        global $piecesFromSeparator;
+
+        $piecesFromSeparator = null;
+
+        return ", ";
+    }
+}
+
+$piecesFromSeparator = ["A", "B"];
+
+var_dump(implode(new MutatingSeparator(), $piecesFromSeparator));
+var_dump($piecesFromSeparator);
+
+class ImplodeElementWithoutSeparator {
+    public function __toString(): string {
+        global $oneArgPieces;
+
+        $oneArgPieces = null;
+
+        return "D";
+    }
+}
+
+$oneArgPieces = [new ImplodeElementWithoutSeparator(), 42];
+
+var_dump(implode($oneArgPieces));
+var_dump($oneArgPieces);
+
+class InArrayNeedle {
+    public function __toString(): string {
+        global $inArrayHaystack;
+
+        $inArrayHaystack = null;
+
+        return "needle";
+    }
+}
+
+$inArrayHaystack = [new InArrayNeedle()];
+
+var_dump(in_array("needle", $inArrayHaystack));
+var_dump($inArrayHaystack);
+
+class StrtrReplacement {
+    public function __toString(): string {
+        global $strtrReplacements;
+
+        $strtrReplacements = null;
+
+        return "b";
+    }
+}
+
+$strtrReplacements = ["a" => new StrtrReplacement()];
+
+var_dump(strtr("a", $strtrReplacements));
+var_dump($strtrReplacements);
+
+class StrReplaceSubject {
+    public function __toString(): string {
+        global $strReplaceSubject;
+
+        $strReplaceSubject = null;
+
+        return "a";
+    }
+}
+
+$strReplaceSubject = [new StrReplaceSubject(), "aa"];
+
+var_dump(str_replace("a", "b", $strReplaceSubject));
+var_dump($strReplaceSubject);
+
+class MinArg {
+    public function __toString(): string {
+        global $minArg;
+
+        $minArg = null;
+
+        return "a";
+    }
+}
+
+$minArg = new MinArg();
+$minResult = min($minArg, "b");
+
+var_dump($minResult instanceof MinArg);
+var_dump($minArg);
+
+class MaxArg {
+    public function __toString(): string {
+        global $maxArg;
+
+        $maxArg = null;
+
+        return "a";
+    }
+}
+
+$maxArg = new MaxArg();
+$maxResult = max("0", $maxArg);
+
+var_dump($maxResult instanceof MaxArg);
+var_dump($maxArg);
+?>
+--EXPECT--
+string(5) "C, 42"
+NULL
+NULL
+string(4) "A, B"
+NULL
+string(3) "D42"
+NULL
+bool(true)
+NULL
+string(1) "b"
+NULL
+array(2) {
+  [0]=>
+  string(1) "b"
+  [1]=>
+  string(2) "bb"
+}
+NULL
+bool(true)
+NULL
+bool(true)
+NULL

Zend/tests/gh21639_parse_time.phpt

@@ -0,0 +1,119 @@
+--TEST--
+GH-21639: Frameless parse-time conversions keep sibling arguments alive
+--FILE--
+<?php
+class TrimInput {
+    public function __toString(): string {
+        global $trimChars;
+
+        $trimChars = null;
+
+        return "---value---";
+    }
+}
+
+$trimChars = "-";
+var_dump(trim(new TrimInput(), $trimChars));
+var_dump($trimChars);
+
+class ContainsNeedle {
+    public function __toString(): string {
+        global $containsHaystack;
+
+        $containsHaystack = null;
+
+        return "needle";
+    }
+}
+
+$containsHaystack = "needle in a haystack";
+var_dump(str_contains($containsHaystack, new ContainsNeedle()));
+var_dump($containsHaystack);
+
+class RefContainsNeedle {
+    public function __toString(): string {
+        global $refContainsHaystack;
+
+        $refContainsHaystack = null;
+
+        return "hay";
+    }
+}
+
+$refContainsHaystack = "haystack";
+$refContainsNeedleObject = new RefContainsNeedle();
+$refContainsNeedle = &$refContainsNeedleObject;
+var_dump(str_contains($refContainsHaystack, $refContainsNeedle));
+var_dump($refContainsHaystack);
+
+class SubstrInput {
+    public function __toString(): string {
+        global $substrOffset;
+
+        $substrOffset = null;
+
+        return "abcdef";
+    }
+}
+
+$substrOffset = 2;
+var_dump(substr(new SubstrInput(), $substrOffset));
+var_dump($substrOffset);
+
+class DirnameInput {
+    public function __toString(): string {
+        global $dirnameLevels;
+
+        $dirnameLevels = null;
+
+        return "/var/www/project/app";
+    }
+}
+
+$dirnameLevels = 2;
+var_dump(dirname(new DirnameInput(), $dirnameLevels));
+var_dump($dirnameLevels);
+
+class PregPattern {
+    public function __toString(): string {
+        global $pregSubject;
+
+        $pregSubject = null;
+
+        return "/foo/";
+    }
+}
+
+$pregSubject = "foobar";
+var_dump(preg_match(new PregPattern(), $pregSubject));
+var_dump($pregSubject);
+
+class PregSubject {
+    public function __toString(): string {
+        global $pregPattern;
+
+        $pregPattern = null;
+
+        return "foobar";
+    }
+}
+
+$pregPattern = "/bar/";
+var_dump(preg_match($pregPattern, new PregSubject()));
+var_dump($pregPattern);
+?>
+--EXPECT--
+string(5) "value"
+NULL
+bool(true)
+NULL
+bool(true)
+NULL
+string(4) "cdef"
+NULL
+string(8) "/var/www"
+NULL
+int(1)
+NULL
+int(1)
+NULL

Zend/zend_frameless_function.h

@@ -42,6 +42,33 @@
 #define ZEND_FRAMELESS_FUNCTION(name, arity) \
 	void ZEND_FRAMELESS_FUNCTION_NAME(name, arity)(ZEND_FRAMELESS_FUNCTION_PARAMETERS_##arity)
 
+#define Z_FLF_ARG_MAY_REENTER_STR_PARSE(arg) \
+	(Z_TYPE_P(arg) == IS_OBJECT \
+		|| (Z_TYPE_P(arg) == IS_REFERENCE && Z_TYPE_P(Z_REFVAL_P(arg)) == IS_OBJECT))
+
+#define Z_FLF_PROTECT_LATER_ARG_FOR_STR_PARSE(parsed_arg_num, later_arg_num, tmp, protected) do { \
+		if (UNEXPECTED(!protected && Z_FLF_ARG_MAY_REENTER_STR_PARSE(arg ## parsed_arg_num))) { \
+			ZVAL_COPY(&tmp, arg ## later_arg_num); \
+			arg ## later_arg_num = &tmp; \
+			protected = true; \
+		} \
+	} while (0)
+
+#define Z_FLF_FREE_PROTECTED_ARG(tmp, protected) do { \
+		if (UNEXPECTED(protected)) { \
+			zval_ptr_dtor(&tmp); \
+		} \
+	} while (0)
+
+#define Z_FLF_PROTECT_ARRAY_ARG_FOR_REENTRY(arg_num, ht, tmp, protected) do { \
+		if (UNEXPECTED(ht && !protected)) { \
+			ZVAL_COPY(&tmp, arg ## arg_num); \
+			arg ## arg_num = &tmp; \
+			ht = Z_ARRVAL_P(arg ## arg_num); \
+			protected = true; \
+		} \
+	} while (0)
+
 #define Z_FLF_PARAM_ZVAL(arg_num, dest) \
 	dest = arg ## arg_num;
 #define Z_FLF_PARAM_ARRAY(arg_num, dest) \

ext/pcre/php_pcre.c

@@ -1499,8 +1499,29 @@ ZEND_FRAMELESS_FUNCTION(preg_match, 2)
 {
 	zval regex_tmp, subject_tmp;
 	zend_string *regex, *subject;
+	zval arg1_copy, arg2_copy;
+	bool arg1_protected = false, arg2_protected = false;
+
+	if (EXPECTED(Z_TYPE_P(arg1) == IS_STRING && Z_TYPE_P(arg2) == IS_STRING)) {
+		/* Compile regex or get it from cache. */
+		pcre_cache_entry *pce;
+		if ((pce = pcre_get_compiled_regex_cache(Z_STR_P(arg1))) == NULL) {
+			RETVAL_FALSE;
+			return;
+		}
+
+		pce->refcount++;
+		php_pcre_match_impl(pce, Z_STR_P(arg2), return_value, /* subpats */ NULL,
+			/* global */ false, /* flags */ 0, /* start_offset */ 0);
+		pce->refcount--;
+		return;
+	}
 
+	Z_FLF_PROTECT_LATER_ARG_FOR_STR_PARSE(1, 2, arg2_copy, arg2_protected);
 	Z_FLF_PARAM_STR(1, regex, regex_tmp);
+	if (arg1 != &regex_tmp) {
+		Z_FLF_PROTECT_LATER_ARG_FOR_STR_PARSE(2, 1, arg1_copy, arg1_protected);
+	}
 	Z_FLF_PARAM_STR(2, subject, subject_tmp);
 
 	/* Compile regex or get it from cache. */
@@ -1518,6 +1539,8 @@ ZEND_FRAMELESS_FUNCTION(preg_match, 2)
 flf_clean:
 	Z_FLF_PARAM_FREE_STR(1, regex_tmp);
 	Z_FLF_PARAM_FREE_STR(2, subject_tmp);
+	Z_FLF_FREE_PROTECTED_ARG(arg2_copy, arg2_protected);
+	Z_FLF_FREE_PROTECTED_ARG(arg1_copy, arg1_protected);
 }
 
 /* {{{ Perform a Perl-style global regular expression match */
@@ -2404,11 +2427,39 @@ ZEND_FRAMELESS_FUNCTION(preg_replace, 3)
 	zend_string *regex_str, *replace_str, *subject_str;
 	HashTable *regex_ht, *replace_ht, *subject_ht;
 	zval regex_tmp, replace_tmp, subject_tmp;
+	zval arg1_copy, arg2_copy, arg3_copy;
+	bool arg1_protected = false, arg2_protected = false, arg3_protected = false;
+
+	if (EXPECTED(Z_TYPE_P(arg1) == IS_STRING && Z_TYPE_P(arg2) == IS_STRING && Z_TYPE_P(arg3) == IS_STRING)) {
+		_preg_replace_common(
+			return_value,
+			/* regex_ht */ NULL, Z_STR_P(arg1),
+			/* replace_ht */ NULL, Z_STR_P(arg2),
+			/* subject_ht */ NULL, Z_STR_P(arg3),
+			/* limit */ -1, /* zcount */ NULL, /* is_filter */ false);
+		return;
+	}
 
+	Z_FLF_PROTECT_LATER_ARG_FOR_STR_PARSE(1, 2, arg2_copy, arg2_protected);
+	Z_FLF_PROTECT_LATER_ARG_FOR_STR_PARSE(1, 3, arg3_copy, arg3_protected);
 	Z_FLF_PARAM_ARRAY_HT_OR_STR(1, regex_ht, regex_str, regex_tmp);
+	if (arg1 != &regex_tmp) {
+		Z_FLF_PROTECT_LATER_ARG_FOR_STR_PARSE(2, 1, arg1_copy, arg1_protected);
+	}
+	Z_FLF_PROTECT_LATER_ARG_FOR_STR_PARSE(2, 3, arg3_copy, arg3_protected);
 	Z_FLF_PARAM_ARRAY_HT_OR_STR(2, replace_ht, replace_str, replace_tmp);
+	if (arg1 != &regex_tmp) {
+		Z_FLF_PROTECT_LATER_ARG_FOR_STR_PARSE(3, 1, arg1_copy, arg1_protected);
+	}
+	if (arg2 != &replace_tmp) {
+		Z_FLF_PROTECT_LATER_ARG_FOR_STR_PARSE(3, 2, arg2_copy, arg2_protected);
+	}
 	Z_FLF_PARAM_ARRAY_HT_OR_STR(3, subject_ht, subject_str, subject_tmp);
 
+	Z_FLF_PROTECT_ARRAY_ARG_FOR_REENTRY(1, regex_ht, arg1_copy, arg1_protected);
+	Z_FLF_PROTECT_ARRAY_ARG_FOR_REENTRY(2, replace_ht, arg2_copy, arg2_protected);
+	Z_FLF_PROTECT_ARRAY_ARG_FOR_REENTRY(3, subject_ht, arg3_copy, arg3_protected);
+
 	_preg_replace_common(
 		return_value,
 		regex_ht, regex_str,
@@ -2420,6 +2471,9 @@ flf_clean:;
 	Z_FLF_PARAM_FREE_STR(1, regex_tmp);
 	Z_FLF_PARAM_FREE_STR(2, replace_tmp);
 	Z_FLF_PARAM_FREE_STR(3, subject_tmp);
+	Z_FLF_FREE_PROTECTED_ARG(arg3_copy, arg3_protected);
+	Z_FLF_FREE_PROTECTED_ARG(arg2_copy, arg2_protected);
+	Z_FLF_FREE_PROTECTED_ARG(arg1_copy, arg1_protected);
 }
 
 /* {{{ Perform Perl-style regular expression replacement using replacement callback. */