Fix leak when creating cycle in hook

iluuu1994 · iluuu1994 · commit fe504d33571f · 2025-06-23T17:48:07.000+02:00
This is necessary because the VM frees operands with the nogc variants. We cannot just call gc_possible_root() because the object may no longer exist at that point. Fixes GH-18907 Closes GH-18917
diff --git a/NEWS b/NEWS
@@ -8,6 +8,7 @@ PHP                                                                        NEWS
 - Core:
   . Fixed bug GH-18833 (Use after free with weakmaps dependent on destruction
     order). (Daniil Gentili)
+  . Fixed bug GH-18907 (Leak when creating cycle in hook). (ilutov)
 
 - Curl:
   . Fix memory leaks when returning refcounted value from curl callback.
diff --git a/Zend/tests/gh18907.phpt b/Zend/tests/gh18907.phpt
@@ -0,0 +1,26 @@
+--TEST--
+GH-18907: Leak when creating cycle inside hook
+--FILE--
+<?php
+
+class Foo {
+    public $prop {
+        get {
+            $this->prop = $this;
+            return 1;
+        }
+    }
+}
+
+function test() {
+    var_dump((new Foo)->prop);
+}
+
+/* Call twice to test the ZEND_IS_PROPERTY_HOOK_SIMPLE_GET() path. */
+test();
+test();
+
+?>
+--EXPECT--
+int(1)
+int(1)
diff --git a/Zend/zend_object_handlers.c b/Zend/zend_object_handlers.c
@@ -719,7 +719,9 @@ static bool zend_call_get_hook(
 		return false;
 	}
 
+	GC_ADDREF(zobj);
 	zend_call_known_instance_method_with_0_params(get, zobj, rv);
+	OBJ_RELEASE(zobj);
 
 	return true;
 }

Original file line number	Diff line number	Diff line change
`@@ -719,7 +719,9 @@ static bool zend_call_get_hook(`
`719`	`719`	`return false;`
`720`	`720`	`}`
`721`	`721`
	`722`	`+ GC_ADDREF(zobj);`
`722`	`723`	`zend_call_known_instance_method_with_0_params(get, zobj, rv);`
	`724`	`+ OBJ_RELEASE(zobj);`
`723`	`725`
`724`	`726`	`return true;`
`725`	`727`	`}`