Fix #81992: SplFixedArray::setSize() causes use-after-free

nielsdos · bon · commit 0300bfa1e98b · 2023-08-16T22:26:31.000+02:00
Upon resizing, the elements are destroyed from lower index to higher index. When an element refers to an object with a destructor, it can refer to a lower (i.e. already destroyed) element, causing a uaf. Set refcounted zvals to NULL after destroying them to avoid a uaf. Closes phpGH-11959.
diff --git a/ext/spl/tests/bug81992.phpt b/ext/spl/tests/bug81992.phpt
@@ -0,0 +1,32 @@
+--TEST--
+Bug #81992 (SplFixedArray::setSize() causes use-after-free)
+--FILE--
+<?php
+class InvalidDestructor {
+    public function __destruct() {
+        global $obj;
+        var_dump($obj[0]);
+        try {
+            var_dump($obj[2]);
+        } catch (Throwable $e) {
+            echo $e->getMessage(), "\n";
+        }
+        try {
+            var_dump($obj[4]);
+        } catch (Throwable $e) {
+            echo $e->getMessage(), "\n";
+        }
+    }
+}
+
+$obj = new SplFixedArray(5);
+$obj[0] = str_repeat("A", 10);
+$obj[2] = str_repeat('B', 10);
+$obj[3] = new InvalidDestructor();
+$obj[4] = str_repeat('C', 10);
+$obj->setSize(2);
+?>
+--EXPECT--
+string(10) "AAAAAAAAAA"
+Index invalid or out of range
+Index invalid or out of range
diff --git a/ext/spl/tests/bug81992b.phpt b/ext/spl/tests/bug81992b.phpt
@@ -0,0 +1,66 @@
+--TEST--
+Bug #81992 (SplFixedArray::setSize() causes use-after-free) - setSize variation
+--FILE--
+<?php
+class InvalidDestructor {
+    public function __construct(
+        private int $desiredSize,
+        private SplFixedArray $obj,
+    ) {}
+
+    public function __destruct() {
+        echo "In destructor\n";
+        $this->obj->setSize($this->desiredSize);
+        echo "Destroyed, size is now still ", $this->obj->getSize(), "\n";
+    }
+}
+
+class DestructorLogger {
+    public function __construct(private int $id) {}
+
+    public function __destruct() {
+        echo "Destroyed the logger with id ", $this->id, "\n";
+    }
+}
+
+function test(int $desiredSize) {
+    $obj = new SplFixedArray(5);
+    $obj[0] = str_repeat("A", 10);
+    $obj[1] = new DestructorLogger(1);
+    $obj[2] = str_repeat('B', 10);
+    $obj[3] = new InvalidDestructor($desiredSize, $obj);
+    $obj[4] = new DestructorLogger(4);
+    $obj->setSize(2);
+    echo "Size is now ", $obj->getSize(), "\n";
+    echo "Done\n";
+}
+
+echo "--- Smaller size test ---\n";
+test(1);
+echo "--- Equal size test ---\n";
+test(2);
+echo "--- Larger size test ---\n";
+test(10);
+?>
+--EXPECT--
+--- Smaller size test ---
+In destructor
+Destroyed, size is now still 2
+Destroyed the logger with id 4
+Destroyed the logger with id 1
+Size is now 1
+Done
+--- Equal size test ---
+In destructor
+Destroyed, size is now still 2
+Destroyed the logger with id 4
+Size is now 2
+Done
+Destroyed the logger with id 1
+--- Larger size test ---
+In destructor
+Destroyed, size is now still 2
+Destroyed the logger with id 4
+Size is now 10
+Done
+Destroyed the logger with id 1
