Fix GH-19044: Protected properties are not scoped according to their prototype

Author: bwoebi

NEWS

@@ -11,6 +11,8 @@ PHP                                                                        NEWS
   . Fixed bug GH-18907 (Leak when creating cycle in hook). (ilutov)
   . Fix OSS-Fuzz #427814456. (nielsdos)
   . Fix OSS-Fuzz #428983568 and #428760800. (nielsdos)
+  . Fixed bug GH-19044 (Protected properties are not scoped according to their
+    prototype). (Bob)
 
 - Curl:
   . Fix memory leaks when returning refcounted value from curl callback.

Zend/tests/gh19044.phpt

@@ -0,0 +1,26 @@
+--TEST--
+GH-19044: Protected properties must be scoped according to their prototype
+--FILE--
+<?php
+
+abstract class P {
+    protected $foo;
+}
+
+class C1 extends P {
+    protected $foo = 1;
+}
+
+class C2 extends P {
+    protected $foo = 2;
+    
+    static function foo($c) { return $c->foo; }
+}
+
+var_dump(C2::foo(new C2));
+var_dump(C2::foo(new C1));
+
+?>
+--EXPECT--
+int(2)
+int(1)

Zend/tests/property_hooks/gh19044-1.phpt

@@ -0,0 +1,26 @@
+--TEST--
+GH-19044: Protected properties must be scoped according to their prototype (common ancestor has a protected setter)
+--FILE--
+<?php
+
+abstract class P {
+    abstract public mixed $foo { get; }
+}
+
+class C1 extends P {
+    public protected(set) mixed $foo { get => 1; set {} }
+}
+
+class GrandC1 extends C1 {
+    public protected(set) mixed $foo { get => 2; set {} }
+}
+
+class C2 extends C1 {
+    static function foo($c) { return $c->foo += 1; }
+}
+
+var_dump(C2::foo(new GrandC1));
+
+?>
+--EXPECT--
+int(3)

Zend/tests/property_hooks/gh19044-2.phpt

@@ -0,0 +1,30 @@
+--TEST--
+GH-19044: Protected properties must be scoped according to their prototype (common ancestor does not have a setter)
+--FILE--
+<?php
+
+abstract class P {
+    abstract public mixed $foo { get; }
+}
+
+class C1 extends P {
+    public mixed $foo { get => 1; }
+}
+
+class GrandC1 extends C1 {
+    public protected(set) mixed $foo { get => 2; set {} }
+}
+
+class C2 extends C1 {
+    static function foo($c) { return $c->foo += 1; }
+}
+
+var_dump(C2::foo(new GrandC1));
+
+?>
+--EXPECTF--
+Fatal error: Uncaught Error: Cannot modify protected(set) property GrandC1::$foo from scope C2 in %s:%d
+Stack trace:
+#0 %s(%d): C2::foo(Object(GrandC1))
+#1 {main}
+  thrown in %s on line %d

Zend/tests/property_hooks/gh19044-3.phpt

@@ -0,0 +1,24 @@
+--TEST--
+GH-19044: Protected properties must be scoped according to their prototype (abstract parent defining visibility only takes precedence)
+--FILE--
+<?php
+
+abstract class P {
+    abstract protected(set) mixed $foo { get; set; }
+}
+
+class C1 extends P {
+    public protected(set) mixed $foo { get => 2; set {} }
+}
+
+class C2 extends P {
+    public mixed $foo = 1;
+
+    static function foo($c) { return $c->foo += 1; }
+}
+
+var_dump(C2::foo(new C1));
+
+?>
+--EXPECT--
+int(3)

Zend/tests/property_hooks/gh19044-4.phpt

@@ -0,0 +1,28 @@
+--TEST--
+GH-19044: Protected properties must be scoped according to their prototype (abstract parent sets protected(set) with not having grandparent a setter - both inherit from parent)
+--FILE--
+<?php
+
+abstract class GP {
+    abstract mixed $foo { get; }
+}
+
+abstract class P extends GP {
+    abstract protected(set) mixed $foo { get; set; }
+}
+
+class C1 extends P {
+    public protected(set) mixed $foo { get => 2; set {} }
+}
+
+class C2 extends P {
+    public mixed $foo = 1;
+
+    static function foo($c) { return $c->foo += 1; }
+}
+
+var_dump(C2::foo(new C1));
+
+?>
+--EXPECT--
+int(3)

Zend/tests/property_hooks/gh19044-5.phpt

@@ -0,0 +1,32 @@
+--TEST--
+GH-19044: Protected properties must be scoped according to their prototype (abstract parent sets protected(set) with not having grandparent a setter - one inherits from grandparent)
+--FILE--
+<?php
+
+abstract class GP {
+    abstract mixed $foo { get; }
+}
+
+abstract class P extends GP {
+    abstract protected(set) mixed $foo { get; set; }
+}
+
+class C1 extends P {
+    public protected(set) mixed $foo { get => 2; set {} }
+}
+
+class C2 extends GP {
+    public mixed $foo = 1;
+
+    static function foo($c) { return $c->foo += 1; }
+}
+
+var_dump(C2::foo(new C1));
+
+?>
+--EXPECTF--
+Fatal error: Uncaught Error: Cannot modify protected(set) property C1::$foo from scope C2 in %s:%d
+Stack trace:
+#0 %s(%d): C2::foo(Object(C1))
+#1 {main}
+  thrown in %s on line %d

Zend/tests/property_hooks/gh19044.phpt

@@ -0,0 +1,26 @@
+--TEST--
+GH-19044: Protected properties must be scoped according to their prototype (hooks variation)
+--FILE--
+<?php
+
+abstract class P {
+    abstract protected $foo { get; }
+}
+
+class C1 extends P {
+    protected $foo = 1;
+}
+
+class C2 extends P {
+    protected $foo = 2;
+    
+    static function foo($c) { return $c->foo; }
+}
+
+var_dump(C2::foo(new C2));
+var_dump(C2::foo(new C1));
+
+?>
+--EXPECT--
+int(2)
+int(1)

Zend/zend_object_handlers.c

@@ -282,7 +282,20 @@ static zend_always_inline bool is_derived_class(const zend_class_entry *child_cl
 static zend_never_inline int is_protected_compatible_scope(const zend_class_entry *ce, const zend_class_entry *scope) /* {{{ */
 {
 	return scope &&
-		(is_derived_class(ce, scope) || is_derived_class(scope, ce));
+		(ce == scope || is_derived_class(ce, scope) || is_derived_class(scope, ce));
+}
+/* }}} */
+
+static zend_never_inline int is_asymmetric_set_protected_property_compatible_scope(const zend_property_info *info, const zend_class_entry *scope) /* {{{ */
+{
+	zend_class_entry *ce;
+	if (!(info->prototype->flags & ZEND_ACC_PROTECTED_SET) && info->hooks && info->hooks[ZEND_PROPERTY_HOOK_SET]) {
+	       zend_function *hookfn = info->hooks[ZEND_PROPERTY_HOOK_SET];
+	       ce = hookfn->common.prototype ? hookfn->common.prototype->common.scope : hookfn->common.scope;
+	} else {
+	       ce = info->prototype->ce;
+	}
+	return is_protected_compatible_scope(ce, scope);
 }
 /* }}} */
 
@@ -419,7 +432,7 @@ static zend_always_inline uintptr_t zend_get_property_offset(zend_class_entry *c
 				}
 			} else {
 				ZEND_ASSERT(flags & ZEND_ACC_PROTECTED);
-				if (UNEXPECTED(!is_protected_compatible_scope(property_info->ce, scope))) {
+				if (UNEXPECTED(!is_protected_compatible_scope(property_info->prototype->ce, scope))) {
 					goto wrong;
 				}
 			}
@@ -514,7 +527,7 @@ ZEND_API zend_property_info *zend_get_property_info(const zend_class_entry *ce,
 				}
 			} else {
 				ZEND_ASSERT(flags & ZEND_ACC_PROTECTED);
-				if (UNEXPECTED(!is_protected_compatible_scope(property_info->ce, scope))) {
+				if (UNEXPECTED(!is_protected_compatible_scope(property_info->prototype->ce, scope))) {
 					goto wrong;
 				}
 			}
@@ -585,7 +598,7 @@ ZEND_API bool ZEND_FASTCALL zend_asymmetric_property_has_set_access(const zend_p
 		return true;
 	}
 	return EXPECTED((prop_info->flags & ZEND_ACC_PROTECTED_SET)
-		&& is_protected_compatible_scope(prop_info->ce, scope));
+		&& is_asymmetric_set_protected_property_compatible_scope(prop_info, scope));
 }
 
 static void zend_property_guard_dtor(zval *el) /* {{{ */ {
@@ -2030,7 +2043,7 @@ ZEND_API zval *zend_std_get_static_property_with_info(zend_class_entry *ce, zend
 		zend_class_entry *scope = get_fake_or_executed_scope();
 		if (property_info->ce != scope) {
 			if (UNEXPECTED(property_info->flags & ZEND_ACC_PRIVATE)
-			 || UNEXPECTED(!is_protected_compatible_scope(property_info->ce, scope))) {
+			 || UNEXPECTED(!is_protected_compatible_scope(property_info->prototype->ce, scope))) {
 				if (type != BP_VAR_IS) {
 					zend_bad_property_access(property_info, ce, property_name);
 				}