Avoid addref/delref where possible

Author: alexandre-daubois

Zend/tests/offsets/null_offset_no_uaf.phpt

@@ -0,0 +1,17 @@
+--TEST--
+No UAF on null offset
+--FILE--
+<?php
+set_error_handler(function($errno, $errstr) {
+    global $ary;
+    $ary = null;
+    echo $errstr;
+});
+
+$ary[null] = 1;
+
+echo "\nSuccess\n";
+?>
+--EXPECTF--
+Using null as an array offset is deprecated, use an empty string instead
+Success

Zend/zend_execute.c

@@ -2631,9 +2631,7 @@ static zend_never_inline uint8_t slow_index_convert(HashTable *ht, const zval *d
 		case IS_NULL:
 			/* The array may be destroyed while throwing the notice.
 			 * Temporarily increase the refcount to detect this situation. */
-			if (!(GC_FLAGS(ht) & IS_ARRAY_IMMUTABLE)) {
-				GC_ADDREF(ht);
-			}
+			GC_TRY_ADDREF(ht);
 
 			zend_error(E_DEPRECATED, "Using null as an array offset is deprecated, use an empty string instead");
 
@@ -2718,9 +2716,7 @@ static zend_never_inline uint8_t slow_index_convert_w(HashTable *ht, const zval
 		case IS_NULL:
 			/* The array may be destroyed while throwing the notice.
 			 * Temporarily increase the refcount to detect this situation. */
-			if (!(GC_FLAGS(ht) & IS_ARRAY_IMMUTABLE)) {
-				GC_ADDREF(ht);
-			}
+			GC_TRY_ADDREF(ht);
 
 			zend_error(E_DEPRECATED, "Using null as an array offset is deprecated, use an empty string instead");
 
@@ -3226,9 +3222,7 @@ static zend_never_inline zval* ZEND_FASTCALL zend_find_array_dim_slow(HashTable
 null_undef_idx:
 		/* The array may be destroyed while throwing the notice.
 		 * Temporarily increase the refcount to detect this situation. */
-		if (!(GC_FLAGS(ht) & IS_ARRAY_IMMUTABLE)) {
-			GC_ADDREF(ht);
-		}
+		GC_TRY_ADDREF(ht);
 
 		zend_error(E_DEPRECATED, "Using null as an array offset is deprecated, use an empty string instead");
 

ext/opcache/jit/zend_jit_helpers.c

@@ -500,33 +500,16 @@ static void ZEND_FASTCALL zend_jit_fetch_dim_r_helper(zend_array *ht, zval *dim,
 			}
 			ZEND_FALLTHROUGH;
 		case IS_NULL:
-			/* The array may be destroyed while throwing the notice.
-			 * Temporarily increase the refcount to detect this situation. */
-			if (!(GC_FLAGS(ht) & IS_ARRAY_IMMUTABLE)) {
-				GC_ADDREF(ht);
+			retval = zend_hash_find(ht, ZSTR_EMPTY_ALLOC());
+			if (!retval) {
+				ZVAL_NULL(result);
+			} else {
+				ZVAL_COPY_DEREF(result, retval);
 			}
-			execute_data = EG(current_execute_data);
-			opline = EX(opline);
+
 			zend_error(E_DEPRECATED, "Using null as an array offset is deprecated, use an empty string instead");
-			if (!(GC_FLAGS(ht) & IS_ARRAY_IMMUTABLE) && !GC_DELREF(ht)) {
-				zend_array_destroy(ht);
-				if (opline->result_type & (IS_VAR | IS_TMP_VAR)) {
-					if (EG(exception)) {
-						ZVAL_UNDEF(EX_VAR(opline->result.var));
-					} else {
-						ZVAL_NULL(EX_VAR(opline->result.var));
-					}
-				}
-				return;
-			}
-			if (EG(exception)) {
-				if (opline->result_type & (IS_VAR | IS_TMP_VAR)) {
-					ZVAL_UNDEF(EX_VAR(opline->result.var));
-				}
-				return;
-			}
-			offset_key = ZSTR_EMPTY_ALLOC();
-			goto str_index;
+
+			return;
 		case IS_DOUBLE:
 			hval = zend_dval_to_lval(Z_DVAL_P(dim));
 			if (!zend_is_long_compatible(Z_DVAL_P(dim), hval)) {
@@ -667,33 +650,16 @@ static void ZEND_FASTCALL zend_jit_fetch_dim_is_helper(zend_array *ht, zval *dim
 			}
 			ZEND_FALLTHROUGH;
 		case IS_NULL:
-			/* The array may be destroyed while throwing the notice.
-			 * Temporarily increase the refcount to detect this situation. */
-			if (!(GC_FLAGS(ht) & IS_ARRAY_IMMUTABLE)) {
-				GC_ADDREF(ht);
+			retval = zend_hash_find(ht, ZSTR_EMPTY_ALLOC());
+			if (!retval) {
+				ZVAL_NULL(result);
+			} else {
+				ZVAL_COPY_DEREF(result, retval);
 			}
-			execute_data = EG(current_execute_data);
-			opline = EX(opline);
+
 			zend_error(E_DEPRECATED, "Using null as an array offset is deprecated, use an empty string instead");
-			if (!(GC_FLAGS(ht) & IS_ARRAY_IMMUTABLE) && !GC_DELREF(ht)) {
-				zend_array_destroy(ht);
-				if (opline->result_type & (IS_VAR | IS_TMP_VAR)) {
-					if (EG(exception)) {
-						ZVAL_UNDEF(EX_VAR(opline->result.var));
-					} else {
-						ZVAL_NULL(EX_VAR(opline->result.var));
-					}
-				}
-				return;
-			}
-			if (EG(exception)) {
-				if (opline->result_type & (IS_VAR | IS_TMP_VAR)) {
-					ZVAL_UNDEF(EX_VAR(opline->result.var));
-				}
-				return;
-			}
-			offset_key = ZSTR_EMPTY_ALLOC();
-			goto str_index;
+
+			return;
 		case IS_DOUBLE:
 			hval = zend_dval_to_lval(Z_DVAL_P(dim));
 			if (!zend_is_long_compatible(Z_DVAL_P(dim), hval)) {
@@ -820,21 +786,10 @@ static int ZEND_FASTCALL zend_jit_fetch_dim_isset_helper(zend_array *ht, zval *d
 			}
 			ZEND_FALLTHROUGH;
 		case IS_NULL:
-			/* The array may be destroyed while throwing the notice.
-			 * Temporarily increase the refcount to detect this situation. */
-			if (!(GC_FLAGS(ht) & IS_ARRAY_IMMUTABLE)) {
-				GC_ADDREF(ht);
-			}
+			retval = zend_hash_find(ht, ZSTR_EMPTY_ALLOC());
 			zend_error(E_DEPRECATED, "Using null as an array offset is deprecated, use an empty string instead");
-			if (!(GC_FLAGS(ht) & IS_ARRAY_IMMUTABLE) && !GC_DELREF(ht)) {
-				zend_array_destroy(ht);
-				return 0;
-			}
-			if (EG(exception)) {
-				return 0;
-			}
-			offset_key = ZSTR_EMPTY_ALLOC();
-			goto str_index;
+
+			return Z_TYPE_P(retval) > IS_NULL;
 		case IS_DOUBLE:
 			hval = zend_dval_to_lval(Z_DVAL_P(dim));
 			if (!zend_is_long_compatible(Z_DVAL_P(dim), hval)) {
@@ -941,35 +896,10 @@ static zval* ZEND_FASTCALL zend_jit_fetch_dim_rw_helper(zend_array *ht, zval *di
 			}
 			ZEND_FALLTHROUGH;
 		case IS_NULL:
-			/* The array may be destroyed while throwing the notice.
-			 * Temporarily increase the refcount to detect this situation. */
-			if (!(GC_FLAGS(ht) & IS_ARRAY_IMMUTABLE)) {
-				GC_ADDREF(ht);
-			}
-			execute_data = EG(current_execute_data);
-			opline = EX(opline);
+			retval = zend_hash_find(ht, ZSTR_EMPTY_ALLOC());
 			zend_error(E_DEPRECATED, "Using null as an array offset is deprecated, use an empty string instead");
-			if (!(GC_FLAGS(ht) & IS_ARRAY_IMMUTABLE) && GC_DELREF(ht) != 1) {
-				if (!GC_REFCOUNT(ht)) {
-					zend_array_destroy(ht);
-				}
-				if (opline->result_type & (IS_VAR | IS_TMP_VAR)) {
-					if (EG(exception)) {
-						ZVAL_UNDEF(EX_VAR(opline->result.var));
-					} else {
-						ZVAL_NULL(EX_VAR(opline->result.var));
-					}
-				}
-				return NULL;
-			}
-			if (EG(exception)) {
-				if (opline->result_type & (IS_VAR | IS_TMP_VAR)) {
-					ZVAL_UNDEF(EX_VAR(opline->result.var));
-				}
-				return NULL;
-			}
-			offset_key = ZSTR_EMPTY_ALLOC();
-			goto str_index;
+
+			return retval;
 		case IS_DOUBLE:
 			hval = zend_dval_to_lval(Z_DVAL_P(dim));
 			if (!zend_is_long_compatible(Z_DVAL_P(dim), hval)) {
@@ -1101,39 +1031,10 @@ static zval* ZEND_FASTCALL zend_jit_fetch_dim_w_helper(zend_array *ht, zval *dim
 			}
 			ZEND_FALLTHROUGH;
 		case IS_NULL:
-			/* The array may be destroyed while throwing the notice.
-			 * Temporarily increase the refcount to detect this situation. */
-			if (!(GC_FLAGS(ht) & IS_ARRAY_IMMUTABLE)) {
-				GC_ADDREF(ht);
-			}
-			execute_data = EG(current_execute_data);
-			opline = EX(opline);
+			retval = zend_hash_find(ht, ZSTR_EMPTY_ALLOC());
 			zend_error(E_DEPRECATED, "Using null as an array offset is deprecated, use an empty string instead");
-			if (!(GC_FLAGS(ht) & IS_ARRAY_IMMUTABLE) && GC_DELREF(ht) != 1) {
-				if (!GC_REFCOUNT(ht)) {
-					zend_array_destroy(ht);
-				}
-				if (opline->result_type & (IS_VAR | IS_TMP_VAR)) {
-					if (EG(exception)) {
-						ZVAL_UNDEF(EX_VAR(opline->result.var));
-					} else {
-						ZVAL_NULL(EX_VAR(opline->result.var));
-					}
-				}
-				if (opline->opcode == ZEND_ASSIGN_DIM
-				 && ((opline+1)->op1_type & (IS_VAR | IS_TMP_VAR))) {
-					zval_ptr_dtor_nogc(EX_VAR((opline+1)->op1.var));
-				}
-				return NULL;
-			}
-			if (EG(exception)) {
-				if (opline->result_type & (IS_VAR | IS_TMP_VAR)) {
-					ZVAL_UNDEF(EX_VAR(opline->result.var));
-				}
-				return NULL;
-			}
-			offset_key = ZSTR_EMPTY_ALLOC();
-			goto str_index;
+
+			return retval;
 		case IS_DOUBLE:
 			hval = zend_dval_to_lval(Z_DVAL_P(dim));
 			if (!zend_is_long_compatible(Z_DVAL_P(dim), hval)) {