Fix use-after-free of object through __isset() and globals

iluuu1994 · iluuu1994 · commit 6c2e97b466ce · 2025-06-23T18:19:03.000+02:00
Fixes GH-18845
diff --git a/Zend/tests/gh18845.phpt b/Zend/tests/gh18845.phpt
@@ -0,0 +1,27 @@
+--TEST--
+GH-18845: Use-after-free of object through __isset() and globals
+--FILE--
+<?php
+
+#[AllowDynamicProperties]
+class C {
+    public $dummy;
+    public function __isset($x) {
+        $GLOBALS['c'] = null;
+        return true;
+    }
+}
+
+$c = new C;
+var_dump($c->prop ?? 1);
+
+$r = new ReflectionClass(C::class);
+$c = $r->newLazyProxy(function () {
+    throw new Exception('Not reached');
+});
+var_dump($c->prop ?? 1);
+
+?>
+--EXPECT--
+int(1)
+int(1)
diff --git a/Zend/zend_object_handlers.c b/Zend/zend_object_handlers.c
@@ -905,7 +905,13 @@ ZEND_API zval *zend_std_read_property(zend_object *zobj, zend_string *name, int
 			if (zobj->ce->__get && !((*guard) & IN_GET)) {
 				goto call_getter;
 			}
+
+			bool obj_is_freed = GC_REFCOUNT(zobj) == 1;
 			OBJ_RELEASE(zobj);
+			if (UNEXPECTED(obj_is_freed)) {
+				retval = &EG(uninitialized_zval);
+				goto exit;
+			}
 		} else if (zobj->ce->__get && !((*guard) & IN_GET)) {
 			goto call_getter_addref;
 		}

Original file line number	Diff line number	Diff line change
`@@ -905,7 +905,13 @@ ZEND_API zval zend_std_read_property(zend_object zobj, zend_string *name, int`
`905`	`905`	`if (zobj->ce->__get && !((*guard) & IN_GET)) {`
`906`	`906`	`goto call_getter;`
`907`	`907`	`}`
	`908`	`+`
	`909`	`+ bool obj_is_freed = GC_REFCOUNT(zobj) == 1;`
`908`	`910`	`OBJ_RELEASE(zobj);`
	`911`	`+ if (UNEXPECTED(obj_is_freed)) {`
	`912`	`+ retval = &EG(uninitialized_zval);`
	`913`	`+ goto exit;`
	`914`	`+ }`
`909`	`915`	`} else if (zobj->ce->__get && !((*guard) & IN_GET)) {`
`910`	`916`	`goto call_getter_addref;`
`911`	`917`	`}`