Merge branch 'PHP-8.3' into PHP-8.4

iluuu1994 · iluuu1994 · commit 3ffb310fbd58 · 2025-04-01T16:34:33.000+02:00
* PHP-8.3:
  Use-after-free in extract() with EXTR_REFS
diff --git a/NEWS b/NEWS
@@ -6,6 +6,7 @@ PHP                                                                        NEWS
   . Fixed bug GH-17711 and GH-18022 (Infinite recursion on deprecated attribute
     evaluation). (ilutov)
   . Fixed bug GH-18038 (Lazy proxy calls magic methods twice). (Arnaud)
+  . Fixed bug GH-18209 (Use-after-free in extract() with EXTR_REFS). (ilutov)
 
 - GD:
   . Fixed imagecrop() overflow with rect argument with x/width y/heigh usage
diff --git a/ext/standard/array.c b/ext/standard/array.c
@@ -1972,8 +1972,10 @@ static zend_long php_extract_ref_overwrite(zend_array *arr, zend_array *symbol_t
 			} else {
 				ZVAL_MAKE_REF_EX(entry, 2);
 			}
-			zval_ptr_dtor(orig_var);
+			zval garbage;
+			ZVAL_COPY_VALUE(&garbage, orig_var);
 			ZVAL_REF(orig_var, Z_REF_P(entry));
+			zval_ptr_dtor(&garbage);
 		} else {
 			if (Z_ISREF_P(entry)) {
 				Z_ADDREF_P(entry);
diff --git a/ext/standard/tests/gh18209.phpt b/ext/standard/tests/gh18209.phpt
@@ -0,0 +1,23 @@
+--TEST--
+GH-18209: Use-after-free in extract() with EXTR_REFS
+--CREDITS--
+Noam Rathaus (nrathaus)
+--FILE--
+<?php
+
+class C {
+    public function __destruct() {
+        var_dump($GLOBALS['b']);
+        $GLOBALS['b'] = 43;
+    }
+}
+
+$b = new C;
+$array = ['b' => 42];
+extract($array, EXTR_REFS);
+var_dump($b);
+
+?>
+--EXPECT--
+int(42)
+int(43)
