Fix GH-17941: Stack-use-after-return with lazy objects and hooks

nielsdos · nielsdos · commit 8f2383ad9cb8 · 2025-02-27T18:56:39.000+01:00
zend_std_write_property() can return the variable pointer, but the code
was using a local variable, and so a pointer to a local variable could
be returned. Fix this by using the value pointer instead.
This can be more efficient on master by using the safe_assign helper.
diff --git a/Zend/tests/lazy_objects/gh17941.phpt b/Zend/tests/lazy_objects/gh17941.phpt
@@ -0,0 +1,26 @@
+--TEST--
+GH-17941 (Stack-use-after-return with lazy objects and hooks)
+--FILE--
+<?php
+
+class SubClass {
+    public $prop {get => $this->prop; set($x) => $this->prop = $x;}
+}
+
+$rc = new ReflectionClass(SubClass::class);
+$obj = $rc->newLazyProxy(function ($object) {
+    echo "init\n";
+    return new SubClass;
+});
+
+function foo(SubClass $x) {
+    $x->prop = 1;
+    var_dump($x->prop);
+}
+
+foo($obj);
+
+?>
+--EXPECT--
+init
+int(1)
diff --git a/Zend/zend_object_handlers.c b/Zend/zend_object_handlers.c
@@ -1196,9 +1196,10 @@ lazy_init:;
 		goto exit;
 	}
 
-	variable_ptr = zend_std_write_property(zobj, name, &backup, cache_slot);
-	zval_ptr_dtor(&backup);
-	return variable_ptr;
+	/* TODO: use zend_safe_assign_to_variable_noref() on master */
+	zval_ptr_dtor(value);
+	ZVAL_COPY_VALUE(value, &backup);
+	return zend_std_write_property(zobj, name, value, cache_slot);
 }
 /* }}} */
 

Original file line number	Diff line number	Diff line change
`@@ -1196,9 +1196,10 @@ lazy_init:;`
`1196`	`1196`	`goto exit;`
`1197`	`1197`	`}`
`1198`	`1198`
`1199`		`- variable_ptr = zend_std_write_property(zobj, name, &backup, cache_slot);`
`1200`		`- zval_ptr_dtor(&backup);`
`1201`		`- return variable_ptr;`
	`1199`	`+ /* TODO: use zend_safe_assign_to_variable_noref() on master */`
	`1200`	`+ zval_ptr_dtor(value);`
	`1201`	`+ ZVAL_COPY_VALUE(value, &backup);`
	`1202`	`+ return zend_std_write_property(zobj, name, value, cache_slot);`
`1202`	`1203`	`}`
`1203`	`1204`	`/* }}} */`
`1204`	`1205`