Merge branch 'PHP-8.2' into PHP-8.3

nielsdos · nielsdos · commit 6a632a2d6029 · 2024-11-18T19:59:01.000+01:00
* PHP-8.2: Fix GH-16630: UAF in lexer with encoding translation and heredocs
diff --git a/NEWS b/NEWS
@@ -12,6 +12,8 @@ PHP                                                                        NEWS
     (frankenphp)). (nielsdos)
   . Fixed bug GH-16799 (Assertion failure at Zend/zend_vm_execute.h:7469).
     (nielsdos)
+  . Fixed bug GH-16630 (UAF in lexer with encoding translation and heredocs).
+    (nielsdos)
 
 - Curl:
   . Fixed bug GH-16802 (open_basedir bypass using curl extension). (nielsdos)
diff --git a/Zend/tests/gh16630.phpt b/Zend/tests/gh16630.phpt
@@ -0,0 +1,19 @@
+--TEST--
+GH-16630 (UAF in lexer with encoding translation and heredocs)
+--EXTENSIONS--
+mbstring
+--INI--
+zend.multibyte=On
+zend.script_encoding=ISO-8859-1
+internal_encoding=EUC-JP
+--FILE--
+<?php
+$data3 = <<<CODE
+heredoc
+text
+CODE;
+echo $data3;
+?>
+--EXPECT--
+heredoc
+text
diff --git a/Zend/zend_language_scanner.l b/Zend/zend_language_scanner.l
@@ -275,7 +275,7 @@ ZEND_API void zend_restore_lexical_state(zend_lex_state *lex_state)
 	CG(zend_lineno) = lex_state->lineno;
 	zend_restore_compiled_filename(lex_state->filename);
 
-	if (SCNG(script_filtered)) {
+	if (SCNG(script_filtered) && SCNG(script_filtered) != lex_state->script_filtered) {
 		efree(SCNG(script_filtered));
 		SCNG(script_filtered) = NULL;
 	}

Original file line number	Diff line number	Diff line change
`@@ -275,7 +275,7 @@ ZEND_API void zend_restore_lexical_state(zend_lex_state *lex_state)`
`275`	`275`	`CG(zend_lineno) = lex_state->lineno;`
`276`	`276`	`zend_restore_compiled_filename(lex_state->filename);`
`277`	`277`
`278`		`- if (SCNG(script_filtered)) {`
	`278`	`+ if (SCNG(script_filtered) && SCNG(script_filtered) != lex_state->script_filtered) {`
`279`	`279`	`efree(SCNG(script_filtered));`
`280`	`280`	`SCNG(script_filtered) = NULL;`
`281`	`281`	`}`