Merge branch 'PHP-8.5'

iluuu1994 · iluuu1994 · commit eca74941226f · 2026-01-16T18:39:09.000+01:00
* PHP-8.5:
  Fix uaf for nested finally with repeated return type check
diff --git a/Zend/tests/oss_fuzz_438780145.phpt b/Zend/tests/oss_fuzz_438780145.phpt
@@ -0,0 +1,27 @@
+--TEST--
+OSS-Fuzz #438780145: Nested finally with repeated return type check may uaf
+--FILE--
+<?php
+
+function &test(): int {
+    $x = 0;
+    try {
+        return $x;
+    } finally {
+        try {
+            return $x;
+        } finally {
+            $x = "";
+        }
+    }
+}
+
+test();
+
+?>
+--EXPECTF--
+Fatal error: Uncaught TypeError: test(): Return value must be of type int, string returned in %s:%d
+Stack trace:
+#0 %s(%d): test()
+#1 {main}
+  thrown in %s on line %d
diff --git a/Zend/zend_vm_def.h b/Zend/zend_vm_def.h
@@ -8624,6 +8624,10 @@ ZEND_VM_HANDLER(159, ZEND_DISCARD_EXCEPTION, ANY, ANY)
 		zval *return_value = EX_VAR(EX(func)->op_array.opcodes[Z_OPLINE_NUM_P(fast_call)].op2.var);
 
 		zval_ptr_dtor(return_value);
+		/* Clear return value in case we hit both DISCARD_EXCEPTION and
+		 * zend_dispatch_try_catch_finally_helper, which will free the return
+		 * value again. See OSS-Fuzz #438780145. */
+		ZVAL_NULL(return_value);
 	}
 
 	/* cleanup delayed exception */
diff --git a/Zend/zend_vm_execute.h b/Zend/zend_vm_execute.h

Original file line number	Diff line number	Diff line change
`@@ -8624,6 +8624,10 @@ ZEND_VM_HANDLER(159, ZEND_DISCARD_EXCEPTION, ANY, ANY)`
`8624`	`8624`	`zval *return_value = EX_VAR(EX(func)->op_array.opcodes[Z_OPLINE_NUM_P(fast_call)].op2.var);`
`8625`	`8625`
`8626`	`8626`	`zval_ptr_dtor(return_value);`
	`8627`	`+ /* Clear return value in case we hit both DISCARD_EXCEPTION and`
	`8628`	`+ * zend_dispatch_try_catch_finally_helper, which will free the return`
	`8629`	`+ * value again. See OSS-Fuzz #438780145. */`
	`8630`	`+ ZVAL_NULL(return_value);`
`8627`	`8631`	`}`
`8628`	`8632`
`8629`	`8633`	`/* cleanup delayed exception */`