Zend: Fix reference counting for Closures in const-expr

TimWolla · TimWolla · commit c80c6569b3fe · 2025-02-27T16:45:56.000+01:00
Fixes php#17851
diff --git a/Zend/tests/closures/closure_const_expr/attributes.phpt b/Zend/tests/closures/closure_const_expr/attributes.phpt
@@ -8,13 +8,13 @@ reflection
 #[Attribute(Attribute::TARGET_CLASS | Attribute::IS_REPEATABLE)]
 class Attr {
     public function __construct(public Closure $value) {
-      $value('foo');
+        $value('foo');
     }
 }
 
 #[Attr(static function () { })]
 #[Attr(static function (...$args) {
-  var_dump($args);
+    var_dump($args);
 })]
 class C {}
 
diff --git a/Zend/tests/closures/closure_const_expr/attributes_autoload.inc b/Zend/tests/closures/closure_const_expr/attributes_autoload.inc
@@ -0,0 +1,9 @@
+<?php
+
+#[Attr(static function () { })]
+#[Attr(static function (...$args) {
+    var_dump($args);
+})]
+class C {}
+
+?>
diff --git a/Zend/tests/closures/closure_const_expr/attributes_autoload.phpt b/Zend/tests/closures/closure_const_expr/attributes_autoload.phpt
@@ -0,0 +1,57 @@
+--TEST--
+GH-17851: Use-after-free when instantiating autoloaded class with attribute having a Closure parameter.
+--EXTENSIONS--
+reflection
+--FILE--
+<?php
+
+spl_autoload_register(static function ($className) {
+    if ($className === 'C') {
+        require(__DIR__ . '/attributes_autoload.inc');
+    }
+});
+
+#[Attribute(Attribute::TARGET_CLASS | Attribute::IS_REPEATABLE)]
+class Attr {
+    public function __construct(public Closure $value) {
+        $value('foo');
+    }
+}
+
+foreach ((new ReflectionClass(C::class))->getAttributes() as $reflectionAttribute) {
+    var_dump($reflectionAttribute->newInstance());
+}
+
+?>
+--EXPECTF--
+object(Attr)#%d (1) {
+  ["value"]=>
+  object(Closure)#%d (3) {
+    ["name"]=>
+    string(%d) "{closure:%s:%d}"
+    ["file"]=>
+    string(%d) "%s"
+    ["line"]=>
+    int(%d)
+  }
+}
+array(1) {
+  [0]=>
+  string(3) "foo"
+}
+object(Attr)#%d (1) {
+  ["value"]=>
+  object(Closure)#%d (4) {
+    ["name"]=>
+    string(%d) "{closure:%s:%d}"
+    ["file"]=>
+    string(%d) "%s"
+    ["line"]=>
+    int(%d)
+    ["parameter"]=>
+    array(1) {
+      ["$args"]=>
+      string(10) "<optional>"
+    }
+  }
+}
diff --git a/Zend/zend_ast.c b/Zend/zend_ast.c
@@ -120,6 +120,7 @@ ZEND_API zend_ast * ZEND_FASTCALL zend_ast_create_op_array(zend_op_array *op_arr
 	ast->attr = 0;
 	ast->lineno = CG(zend_lineno);
 	ast->op_array = op_array;
+	function_add_ref((zend_function *)op_array);
 
 	return (zend_ast *) ast;
 }
@@ -1277,6 +1278,7 @@ static void* ZEND_FASTCALL zend_ast_tree_copy(zend_ast *ast, void *buf)
 		new->attr = old->attr;
 		new->lineno = old->lineno;
 		new->op_array = old->op_array;
+		function_add_ref((zend_function *)new->op_array);
 		buf = (void*)((char*)buf + sizeof(zend_ast_op_array));
 	} else if (ast->kind == ZEND_AST_CALLABLE_CONVERT) {
 		zend_ast_fcc *old = (zend_ast_fcc*)ast;
@@ -1353,7 +1355,8 @@ ZEND_API void ZEND_FASTCALL zend_ast_destroy(zend_ast *ast)
 	} else if (EXPECTED(ast->kind == ZEND_AST_CONSTANT)) {
 		zend_string_release_ex(zend_ast_get_constant_name(ast), 0);
 	} else if (EXPECTED(ast->kind == ZEND_AST_OP_ARRAY)) {
-		/* Nothing to do. */
+		zend_ast_op_array *op_array = zend_ast_get_op_array(ast);
+		destroy_op_array(op_array->op_array);
 	} else if (EXPECTED(zend_ast_is_decl(ast))) {
 		zend_ast_decl *decl = (zend_ast_decl *) ast;
 

Original file line number	Diff line number	Diff line change
`@@ -8,13 +8,13 @@ reflection`
`8`	`8`	`#[Attribute(Attribute::TARGET_CLASS \| Attribute::IS_REPEATABLE)]`
`9`	`9`	`class Attr {`
`10`	`10`	`public function __construct(public Closure $value) {`
`11`		`- $value('foo');`
	`11`	`+ $value('foo');`
`12`	`12`	`}`
`13`	`13`	`}`
`14`	`14`
`15`	`15`	`#[Attr(static function () { })]`
`16`	`16`	`#[Attr(static function (...$args) {`
`17`		`- var_dump($args);`
	`17`	`+ var_dump($args);`
`18`	`18`	`})]`
`19`	`19`	`class C {}`
`20`	`20`