From a804d1c615774587bae351cb78c489cf61545dc8 Mon Sep 17 00:00:00 2001
From: Niels Dossche <7771979+nielsdos@users.noreply.github.com>
Date: Wed, 7 Aug 2024 18:06:58 +0200
Subject: [PATCH] Fix GH-15268: heap buffer overflow in phpdbg (zend_hash_num_elements() Zend/zend_hash.h)

The class is not yet linked, so we cannot access `parent`, but only `parent_name`.
---
 sapi/phpdbg/phpdbg_info.c | 15 +++++++++------
 sapi/phpdbg/tests/gh15268.phpt | 25 +++++++++++++++++++++++++
 2 files changed, 34 insertions(+), 6 deletions(-)
 create mode 100644 sapi/phpdbg/tests/gh15268.phpt

diff --git a/sapi/phpdbg/phpdbg_info.c b/sapi/phpdbg/phpdbg_info.c
index 0a1e7570a493c..b6c48d548f1f0 100644
--- a/sapi/phpdbg/phpdbg_info.c
+++ b/sapi/phpdbg/phpdbg_info.c
@@ -403,12 +403,15 @@ PHPDBG_INFO(classes) /* {{{ */
 phpdbg_print_class_name(ce);

 if (ce->parent) {
- zend_class_entry *pce;
- pce = ce->parent;
- do {
- phpdbg_out("|-------- ");
- phpdbg_print_class_name(pce);
- } while ((pce = pce->parent));
+ if (ce->ce_flags & ZEND_ACC_LINKED) {
+ zend_class_entry *pce = ce->parent;
+ do {
+ phpdbg_out("|-------- ");
+ phpdbg_print_class_name(pce);
+ } while ((pce = pce->parent));
+ } else {
+ phpdbg_writeln("|-------- User Class %s (not yet linked because declaration for parent was not encountered when declaring the class)", ZSTR_VAL(ce->parent_name));
+ }
 }

 if (ce->info.user.filename) {
diff --git a/sapi/phpdbg/tests/gh15268.phpt b/sapi/phpdbg/tests/gh15268.phpt
new file mode 100644
index 0000000000000..1afd29fb34668
--- /dev/null
+++ b/sapi/phpdbg/tests/gh15268.phpt
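Review bot: The new else branch labels the unlinked parent `User Class` from its name alone, whereas phpdbg_print_class_name derives the User/Internal and Class/Interface/Abstract label from the parent's own entry; at this point the parent may be declared later or not at all, so the label is an assumption the code cannot check. A neutral wording avoids asserting a kind that is not known yet, e.g. `phpdbg_writeln("|-------- %s (parent not yet linked: its declaration was not seen when this class was declared)", ZSTR_VAL(ce->parent_name));`, with the matching expectation line in gh15268.phpt updated. The unchanged outer `if (ce->parent)` is now also reached for unlinked entries where, per the commit message, only `parent_name` is valid, which presumably works because the two members share storage in zend_class_entry — worth confirming and pinning with a comment such as `/* parent and parent_name overlap; only parent_name is valid until ZEND_ACC_LINKED is set */` so a later reader does not "fix" the check into a dereference. PHPDBG_INFO(classes) begins and ends outside this hunk.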
@@ -0,0 +1,25 @@
+--TEST--
+GH-15268 (heap buffer overflow in phpdbg (zend_hash_num_elements() Zend/zend_hash.h))
+--SKIPIF--
+
+--FILE--
+
+--PHPDBG--
+i classes
+q
+--EXPECTF--
+[Successful compilation of %s]
+prompt> [User Classes (2)]
+User Class B (0)
+|-------- User Class A (not yet linked because declaration for parent was not encountered when declaring the class)
+|---- in %s on line %d
+User Class A (0)
+|---- in %s on line %d
+prompt>