From 278194ceadc415ba1feadb912740d3372d3945c9 Mon Sep 17 00:00:00 2001
From: Niels Dossche <7771979+nielsdos@users.noreply.github.com>
Date: Thu, 10 Oct 2024 23:07:03 +0200
Subject: [PATCH] Fix OSS-Fuzz #371445205: Heap-use-after-free in attr_free

zend_hash_get_current_key() does not return a string with incremented refcount, so it shouldn't get released. This release caused a UAF later when the attribute was destroyed. This wasn't noticed earlier because object_init_with_constructor() was only ever tested with interned strings.
---
 Zend/tests/attributes/ossfuzz371445205.phpt | 17 +++++++++++++++++
 Zend/zend_API.c | 1 -
 2 files changed, 17 insertions(+), 1 deletion(-)
 create mode 100644 Zend/tests/attributes/ossfuzz371445205.phpt

diff --git a/Zend/tests/attributes/ossfuzz371445205.phpt b/Zend/tests/attributes/ossfuzz371445205.phpt
new file mode 100644
index 0000000000000..17e4f529a2a0a
--- /dev/null
+++ b/Zend/tests/attributes/ossfuzz371445205.phpt
@@ -0,0 +1,17 @@
+--TEST--
+OSS-Fuzz #371445205 (Heap-use-after-free in attr_free)
+--FILE--
+getAttributes()[0];
+try {
+ $attr->newInstance();
+} catch (Error $e) {
+ echo $e->getMessage(), "\n";
+}
+?>
+--EXPECT--
+Unknown named parameter $notinterned
diff --git a/Zend/zend_API.c b/Zend/zend_API.c
index 35d093ff42bfe..fd5b7c8db7966 100644
--- a/Zend/zend_API.c
+++ b/Zend/zend_API.c
@@ -1879,7 +1879,6 @@ ZEND_API zend_result object_init_with_constructor(zval *arg, zend_class_entry *c
 zend_hash_get_current_key(named_params, &arg_name, /* num_index */ NULL);
 ZEND_ASSERT(arg_name != NULL);
 zend_throw_error(NULL, "Unknown named parameter $%s", ZSTR_VAL(arg_name));
- zend_string_release(arg_name);
 /* Do not call destructor, free object, and set arg to IS_UNDEF */
 zend_object_store_ctor_failed(obj);
 zval_ptr_dtor(arg);
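Review bot: Nothing in the remaining lines of the zend_API.c hunk records that `arg_name` is a borrowed pointer owned by `named_params`, so the release this commit removes could easily be reintroduced by a later cleanup pass that "fixes a leak"; a comment before the `zend_throw_error` call would pin the ownership, e.g. `/* arg_name is owned by named_params: zend_hash_get_current_key() takes no reference, so it must not be released here */`. Separately, `ZEND_ASSERT(arg_name != NULL)` only guards debug builds, so if a numeric key could ever reach this branch `ZSTR_VAL(arg_name)` would dereference NULL in release builds; it is worth confirming that the enclosing loop, which is outside the hunk, only enters this path for string keys. object_init_with_constructor() begins and ends outside the hunk.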