Merge branch 'PHP-8.0'

nikic · nikic · commit ce3846cd873d · 2021-07-07T09:38:57.000+02:00
* PHP-8.0:
  Fix use after free on compound division by zero
diff --git a/Zend/tests/div_by_zero_compound_refcounted.phpt b/Zend/tests/div_by_zero_compound_refcounted.phpt
@@ -0,0 +1,16 @@
+--TEST--
+Division by zero in compound assignment with refcounted operand
+--FILE--
+<?php
+$h = "1";
+$h .= "2";
+try {
+    $h /= 0;
+} catch (DivisionByZeroError $e) {
+    echo $e->getMessage(), "\n";
+}
+var_dump($h);
+?>
+--EXPECT--
+Division by zero
+string(2) "12"
diff --git a/Zend/zend_operators.c b/Zend/zend_operators.c
@@ -1358,7 +1358,7 @@ ZEND_API zend_result ZEND_FASTCALL div_function(zval *result, zval *op1, zval *o
 
 	ZEND_TRY_BINARY_OBJECT_OPERATION(ZEND_DIV);
 
-	zval op1_copy, op2_copy;
+	zval result_copy, op1_copy, op2_copy;
 	if (UNEXPECTED(zendi_try_convert_scalar_to_number(op1, &op1_copy) == FAILURE)
 			|| UNEXPECTED(zendi_try_convert_scalar_to_number(op2, &op2_copy) == FAILURE)) {
 		zend_binop_error("/", op1, op2);
@@ -1368,12 +1368,12 @@ ZEND_API zend_result ZEND_FASTCALL div_function(zval *result, zval *op1, zval *o
 		return FAILURE;
 	}
 
-	if (result == op1) {
-		zval_ptr_dtor(result);
-	}
-
-	retval = div_function_base(result, &op1_copy, &op2_copy);
+	retval = div_function_base(&result_copy, &op1_copy, &op2_copy);
 	if (retval == SUCCESS) {
+		if (result == op1) {
+			zval_ptr_dtor(result);
+		}
+		ZVAL_COPY_VALUE(result, &result_copy);
 		return SUCCESS;
 	}
 
