Handle UAFs

Author: Girgias

Zend/tests/type_coercion/float_to_int/non-rep-float-as-int-extra1.phpt

@@ -0,0 +1,19 @@
+--TEST--
+Non rep float string to int conversions should not crash when modified
+--FILE--
+<?php
+set_error_handler(function ($errno, $errstr) {
+    global $b;
+    $b = null;
+    echo $errstr, "\n";
+});
+
+$a = "1.0E+" . rand(40,42);
+$b = &$a;
+var_dump($b | 1);
+
+?>
+--EXPECTF--
+non-representable float-string 1.0E+4%d was cast to int
+Implicit conversion from float-string "1.0E+4%d" to int loses precision
+int(9223372036854775807)

Zend/tests/type_coercion/float_to_int/non-rep-float-as-int-extra2.phpt

@@ -0,0 +1,17 @@
+--TEST--
+Non rep float string to int conversions should not crash when modified
+--FILE--
+<?php
+
+set_error_handler(function ($errno, $errstr) {
+    global $ary;
+    $ary = null;
+    echo $errstr, "\n";
+});
+
+$ary = [rand()];
+unset($ary[1.0E+42]);
+
+?>
+--EXPECT--
+non-representable float 1.0E+42 was cast to int

Zend/tests/type_coercion/float_to_int/non-rep-float-as-int-extra3.phpt

@@ -0,0 +1,18 @@
+--TEST--
+Non rep float string to int conversions should not crash when modified
+--FILE--
+<?php
+
+set_error_handler(function ($errno, $errstr) {
+    global $ary;
+    $ary = null;
+    echo $errstr, "\n";
+});
+
+$ary = [rand()];
+var_dump(isset($ary[1.0E+42]));
+
+?>
+--EXPECT--
+non-representable float 1.0E+42 was cast to int
+bool(false)

Zend/tests/type_coercion/float_to_int/non-rep-float-as-int-extra4.phpt

@@ -0,0 +1,18 @@
+--TEST--
+Non rep float string to int conversions should not crash when modified
+--FILE--
+<?php
+
+set_error_handler(function ($errno, $errstr) {
+    global $ary;
+    $ary = null;
+    echo $errstr, "\n";
+});
+
+$ary = [rand()];
+var_dump(\array_key_exists(1.0E+42, $ary));
+
+?>
+--EXPECT--
+non-representable float 1.0E+42 was cast to int
+bool(false)

Zend/zend_execute.c

@@ -3241,7 +3241,17 @@ static zend_never_inline zval* ZEND_FASTCALL zend_find_array_dim_slow(HashTable
 	zend_ulong hval;
 
 	if (Z_TYPE_P(offset) == IS_DOUBLE) {
+		/* The array may be destroyed while throwing a warning in case the float is not representable as an int.
+		 * Temporarily increase the refcount to detect this situation. */
+		GC_TRY_ADDREF(ht);
 		hval = zend_dval_to_lval_safe(Z_DVAL_P(offset));
+		if (!(GC_FLAGS(ht) & IS_ARRAY_IMMUTABLE) && !GC_DELREF(ht)) {
+			zend_array_destroy(ht);
+			return NULL;
+		}
+		if (EG(exception)) {
+			return NULL;
+		}
 num_idx:
 		return zend_hash_index_find(ht, hval);
 	} else if (Z_TYPE_P(offset) == IS_NULL) {
@@ -3380,7 +3390,17 @@ static zend_never_inline bool ZEND_FASTCALL zend_array_key_exists_fast(HashTable
 		key = Z_REFVAL_P(key);
 		goto try_again;
 	} else if (Z_TYPE_P(key) == IS_DOUBLE) {
+		/* The array may be destroyed while throwing a warning in case the float is not representable as an int.
+		 * Temporarily increase the refcount to detect this situation. */
+		GC_TRY_ADDREF(ht);
 		hval = zend_dval_to_lval_safe(Z_DVAL_P(key));
+		if (!(GC_FLAGS(ht) & IS_ARRAY_IMMUTABLE) && !GC_DELREF(ht)) {
+			zend_array_destroy(ht);
+			return false;
+		}
+		if (EG(exception)) {
+			return false;
+		}
 		goto num_key;
 	} else if (Z_TYPE_P(key) == IS_FALSE) {
 		hval = 0;

Zend/zend_operators.c

@@ -415,6 +415,8 @@ static zend_never_inline zend_long ZEND_FASTCALL zendi_try_get_long(const zval *
 					zend_error(E_WARNING, "A non-numeric value encountered");
 					if (UNEXPECTED(EG(exception))) {
 						*failed = 1;
+						zend_tmp_string_release(op_str);
+						return 0;
 					}
 				}
 				if (EXPECTED(type == IS_LONG)) {
@@ -425,14 +427,18 @@ static zend_never_inline zend_long ZEND_FASTCALL zendi_try_get_long(const zval *
 					 * We use use saturating conversion to emulate strtol()'s
 					 * behaviour.
 					 */
+					if (op_str == NULL) {
+						/* zend_dval_to_lval_cap() can emit a warning so always do the copy here */
+						op_str = zend_string_copy(Z_STR_P(op));
+					}
 					lval = zend_dval_to_lval_cap(dval);
 					if (!zend_is_long_compatible(dval, lval)) {
-						zend_incompatible_string_to_long_error(op_str ? op_str : Z_STR_P(op));
+						zend_incompatible_string_to_long_error(op_str);
 						if (UNEXPECTED(EG(exception))) {
 							*failed = 1;
 						}
 					}
-					zend_tmp_string_release(op_str);
+					zend_string_release(op_str);
 					return lval;
 				}
 			}

Zend/zend_vm_def.h

@@ -6751,7 +6751,17 @@ ZEND_VM_C_LABEL(num_index_dim):
 				offset = Z_REFVAL_P(offset);
 				ZEND_VM_C_GOTO(offset_again);
 			} else if (Z_TYPE_P(offset) == IS_DOUBLE) {
+				/* The array may be destroyed while throwing a warning in case the float is not representable as an int.
+				 * Temporarily increase the refcount to detect this situation. */
+				GC_TRY_ADDREF(ht);
 				hval = zend_dval_to_lval_safe(Z_DVAL_P(offset));
+				if (!(GC_FLAGS(ht) & IS_ARRAY_IMMUTABLE) && !GC_DELREF(ht)) {
+					zend_array_destroy(ht);
+					break;
+				}
+				if (EG(exception)) {
+					break;
+				}
 				ZEND_VM_C_GOTO(num_index_dim);
 			} else if (Z_TYPE_P(offset) == IS_NULL) {
 				key = ZSTR_EMPTY_ALLOC();