Side effects during ASSIGN_OP / ASSIGN_DIM_OP may invalidate lvalue #20319

@arnaud-lb

Description


The following code:

<?php
$b = ['test'];

// The right-hand __toString() unsets $b while $b[0] .= ... is still being
// evaluated, releasing the array that holds the assignment target.
var_dump($b[0] .= new class {
    function __toString() {
        unset($GLOBALS['b']);
        return str_repeat('d', (int)getenv('LEN'));
    }
});

var_dump($b);

Results in this output:

==2173273==ERROR: AddressSanitizer: heap-use-after-free on address 0x7c436bfe5261 at pc 0x0000023abcc2 bp 0x7ffe22ebdb60 sp 0x7ffe22ebdb58
READ of size 1 at 0x7c436bfe5261 thread T0
    #0 0x0000023abcc1 in i_zval_ptr_dtor Zend/zend_variables.h:42
    #1 0x0000023cbc5b in concat_function Zend/zend_operators.c:2129
    #2 0x000001ea9203 in zend_binary_op Zend/zend_execute.c:1636
    #3 0x000002111390 in ZEND_ASSIGN_DIM_OP_SPEC_CV_CONST_HANDLER Zend/zend_vm_execute.h:43544
    #4 0x0000021c43b8 in execute_ex Zend/zend_vm_execute.h:120429
    #5 0x0000021c9a6a in zend_execute Zend/zend_vm_execute.h:121476
    #6 0x00000243eab2 in zend_execute_script Zend/zend.c:1977
    #7 0x0000019954ff in php_execute_script_ex main/main.c:2640
    #8 0x000001995a29 in php_execute_script main/main.c:2680
    #9 0x000002447197 in do_cli sapi/cli/php_cli.c:951
    #10 0x00000244aacd in main sapi/cli/php_cli.c:1362
    #11 0x7f736d211574 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #12 0x7f736d211627 in __libc_start_main_impl ../csu/libc-start.c:360
    #13 0x000000402eb4 in _start (sapi/cli/php+0x402eb4) (BuildId: 03d6188d60a93d7775820c05b41e8f2c6a7eb2e8)

Because the container is released during the assignment.

Similarly, the following code:

<?php
$b = &$c;

// Same pattern through a reference: __toString() unsets both $b and $c,
// freeing the reference that $b .= ... is writing into.
var_dump($b .= new class {
    function __toString() {
        unset($GLOBALS['b'], $GLOBALS['c']);
        return str_repeat('d', (int)getenv('LEN'));
    }
});

var_dump($b);

Results in this output:

==2172854==ERROR: AddressSanitizer: heap-use-after-free on address 0x7b90747f8561 at pc 0x0000023abcc2 bp 0x7fff7725b940 sp 0x7fff7725b938
READ of size 1 at 0x7b90747f8561 thread T0
    #0 0x0000023abcc1 in i_zval_ptr_dtor Zend/zend_variables.h:42
    #1 0x0000023cb030 in concat_function Zend/zend_operators.c:2085
    #2 0x000001ea9203 in zend_binary_op Zend/zend_execute.c:1636
    #3 0x00000214c3ba in ZEND_ASSIGN_OP_SPEC_CV_TMPVAR_HANDLER Zend/zend_vm_execute.h:47698
    #4 0x0000021c5cfa in execute_ex Zend/zend_vm_execute.h:120734
    #5 0x0000021c9a6a in zend_execute Zend/zend_vm_execute.h:121476
    #6 0x00000243eab2 in zend_execute_script Zend/zend.c:1977
    #7 0x0000019954ff in php_execute_script_ex main/main.c:2640
    #8 0x000001995a29 in php_execute_script main/main.c:2680
    #9 0x000002447197 in do_cli sapi/cli/php_cli.c:951
    #10 0x00000244aacd in main sapi/cli/php_cli.c:1362
    #11 0x7f6075a11574 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #12 0x7f6075a11627 in __libc_start_main_impl ../csu/libc-start.c:360
    #13 0x000000402eb4 in _start (sapi/cli/php+0x402eb4) (BuildId: 03d6188d60a93d7775820c05b41e8f2c6a7eb2e8)

Because the reference is freed during the assignment.

PHP Version

PHP 8.3

Operating System

No response
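As an added illustration (not php-src code, not the reporter's), a C model of the bug class behind both reports: the operand's __toString() drops the only other reference to the lvalue container while the compound assignment is in progress. The naive path writes into a slot that has already died; the guarded path pins the container with an extra reference for the duration of the operation, which is the usual mitigation for side effects during operator evaluation. The slot_t type, its refcount fields and all function names are assumptions for the model.

```c
#include <stdlib.h>
#include <string.h>

/* Toy refcounted string slot standing in for a zval container (assumed model,
 * not php-src code). Dropping the last reference marks the slot dead instead of
 * freeing it, so the naive path can be observed rather than crashing. */
typedef struct { int refcount; int live; char buf[64]; } slot_t;
static slot_t *slot_new(const char *s) {
    slot_t *p = calloc(1, sizeof *p);
    p->refcount = 1; p->live = 1;
    strncpy(p->buf, s, sizeof p->buf - 1);
    return p;
}
static void slot_addref(slot_t *p) { p->refcount++; }
static void slot_release(slot_t *p) { if (--p->refcount == 0) p->live = 0; }
/* Stand-in for $GLOBALS['b']: the variable the __toString() side effect unsets. */
static slot_t *global_b;
/* Stand-in for the report's __toString(): unset($GLOBALS['b']), then return 'dd'. */
static const char *to_string_with_side_effect(void) {
    if (global_b) { slot_release(global_b); global_b = NULL; }
    return "dd";
}
static void append(slot_t *lhs, const char *rhs) {
    strncat(lhs->buf, rhs, sizeof lhs->buf - strlen(lhs->buf) - 1);
}

/* Naive ASSIGN_OP: fetch the lvalue, evaluate the operand (running the side
 * effect), write back. Returns -1 where the real engine reads freed memory. */
static int concat_assign_naive(void) {
    slot_t *lhs = slot_new("test"); global_b = lhs;
    const char *rhs = to_string_with_side_effect();
    int rc = -1;
    if (lhs->live) { append(lhs, rhs); rc = 0; }   /* dead here: unset() released it */
    free(lhs);
    return rc;
}

/* Guarded ASSIGN_OP: pin the container with an extra reference across the
 * operand evaluation, so unset() can drop the variable but not free the slot. */
static const char *concat_assign_guarded(void) {
    static char result[64];
    slot_t *lhs = slot_new("test"); global_b = lhs;
    slot_addref(lhs);                               /* pin: refcount 2 */
    const char *rhs = to_string_with_side_effect(); /* unset() -> refcount 1, still live */
    append(lhs, rhs);
    strcpy(result, lhs->buf);                       /* value of the expression */
    slot_release(lhs);                              /* unpin: last ref, slot dies here */
    free(lhs);
    return result;
}
```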
