Revert "Fix GH-10168: heap-buffer-overflow at zval_undefined_cv"

This reverts commit 71ddede.

Author: iluuu1994

NEWS

@@ -10,8 +10,6 @@ PHP                                                                        NEWS
     Generator emits an unavoidable fatal error or crashes). (Arnaud)
   . Fixed bug GH-10437 (Segfault/assertion when using fibers in shutdown
     function after bailout). (trowski)
-  . Fixed bug GH-10168: use-after-free when utilizing assigned object freed
-    during assignment. (nielsdos)
   . Fixed SSA object type update for compound assignment opcodes. (nielsdos)
 
 - Curl:

Zend/tests/gh10168_1.phpt

@@ -3562,7 +3562,7 @@ static zend_always_inline void i_zval_ptr_dtor_noref(zval *zval_ptr) {
 	}
 }
 
-ZEND_API zval* zend_assign_to_typed_ref_and_result(zval *variable_ptr, zval *orig_value, zend_uchar value_type, bool strict, zval *result_variable_ptr)
+ZEND_API zval* zend_assign_to_typed_ref(zval *variable_ptr, zval *orig_value, zend_uchar value_type, bool strict)
 {
 	bool ret;
 	zval value;
@@ -3582,9 +3582,6 @@ ZEND_API zval* zend_assign_to_typed_ref_and_result(zval *variable_ptr, zval *ori
 	} else {
 		zval_ptr_dtor_nogc(&value);
 	}
-	if (result_variable_ptr) {
-		ZVAL_COPY(result_variable_ptr, variable_ptr);
-	}
 	if (value_type & (IS_VAR|IS_TMP_VAR)) {
 		if (UNEXPECTED(ref)) {
 			if (UNEXPECTED(GC_DELREF(ref) == 0)) {
@@ -3598,11 +3595,6 @@ ZEND_API zval* zend_assign_to_typed_ref_and_result(zval *variable_ptr, zval *ori
 	return variable_ptr;
 }
 
-ZEND_API zval* zend_assign_to_typed_ref(zval *variable_ptr, zval *orig_value, zend_uchar value_type, bool strict)
-{
-	return zend_assign_to_typed_ref_and_result(variable_ptr, orig_value, value_type, strict, NULL);
-}
-
 ZEND_API bool ZEND_FASTCALL zend_verify_prop_assignable_by_ref(zend_property_info *prop_info, zval *orig_val, bool strict) {
 	zval *val = orig_val;
 	if (Z_ISREF_P(val) && ZEND_REF_HAS_TYPE_SOURCES(Z_REF_P(val))) {

Zend/tests/gh10168_2.phpt

@@ -108,7 +108,6 @@ ZEND_API bool zend_verify_internal_return_type(zend_function *zf, zval *ret);
 ZEND_API void ZEND_FASTCALL zend_ref_add_type_source(zend_property_info_source_list *source_list, zend_property_info *prop);
 ZEND_API void ZEND_FASTCALL zend_ref_del_type_source(zend_property_info_source_list *source_list, zend_property_info *prop);
 
-ZEND_API zval* zend_assign_to_typed_ref_and_result(zval *variable_ptr, zval *orig_value, zend_uchar value_type, bool strict, zval *result_variable_ptr);
 ZEND_API zval* zend_assign_to_typed_ref(zval *variable_ptr, zval *value, zend_uchar value_type, bool strict);
 
 static zend_always_inline void zend_copy_to_variable(zval *variable_ptr, zval *value, zend_uchar value_type)
@@ -138,22 +137,12 @@ static zend_always_inline void zend_copy_to_variable(zval *variable_ptr, zval *v
 	}
 }
 
-static zend_always_inline void zend_handle_garbage_from_variable_assignment(zend_refcounted *garbage)
-{
-	if (GC_DELREF(garbage) == 0) {
-		rc_dtor_func(garbage);
-	} else { /* we need to split */
-		/* optimized version of GC_ZVAL_CHECK_POSSIBLE_ROOT(variable_ptr) */
-		if (UNEXPECTED(GC_MAY_LEAK(garbage))) {
-			gc_possible_root(garbage);
-		}
-	}
-}
-
 static zend_always_inline zval* zend_assign_to_variable(zval *variable_ptr, zval *value, zend_uchar value_type, bool strict)
 {
 	do {
 		if (UNEXPECTED(Z_REFCOUNTED_P(variable_ptr))) {
+			zend_refcounted *garbage;
+
 			if (Z_ISREF_P(variable_ptr)) {
 				if (UNEXPECTED(ZEND_REF_HAS_TYPE_SOURCES(Z_REF_P(variable_ptr)))) {
 					return zend_assign_to_typed_ref(variable_ptr, value, value_type, strict);
@@ -164,42 +153,21 @@ static zend_always_inline zval* zend_assign_to_variable(zval *variable_ptr, zval
 					break;
 				}
 			}
-			zend_refcounted *garbage = Z_COUNTED_P(variable_ptr);
+			garbage = Z_COUNTED_P(variable_ptr);
 			zend_copy_to_variable(variable_ptr, value, value_type);
-			zend_handle_garbage_from_variable_assignment(garbage);
-			return variable_ptr;
-		}
-	} while (0);
-
-	zend_copy_to_variable(variable_ptr, value, value_type);
-	return variable_ptr;
-}
-
-static zend_always_inline zval* zend_assign_to_two_variables(zval *result_variable_ptr, zval *variable_ptr, zval *value, zend_uchar value_type, bool strict)
-{
-	do {
-		if (UNEXPECTED(Z_REFCOUNTED_P(variable_ptr))) {
-			if (Z_ISREF_P(variable_ptr)) {
-				if (UNEXPECTED(ZEND_REF_HAS_TYPE_SOURCES(Z_REF_P(variable_ptr)))) {
-					variable_ptr = zend_assign_to_typed_ref_and_result(variable_ptr, value, value_type, strict, result_variable_ptr);
-					return variable_ptr;
-				}
-
-				variable_ptr = Z_REFVAL_P(variable_ptr);
-				if (EXPECTED(!Z_REFCOUNTED_P(variable_ptr))) {
-					break;
+			if (GC_DELREF(garbage) == 0) {
+				rc_dtor_func(garbage);
+			} else { /* we need to split */
+				/* optimized version of GC_ZVAL_CHECK_POSSIBLE_ROOT(variable_ptr) */
+				if (UNEXPECTED(GC_MAY_LEAK(garbage))) {
+					gc_possible_root(garbage);
 				}
 			}
-			zend_refcounted *garbage = Z_COUNTED_P(variable_ptr);
-			zend_copy_to_variable(variable_ptr, value, value_type);
-			ZVAL_COPY(result_variable_ptr, variable_ptr);
-			zend_handle_garbage_from_variable_assignment(garbage);
 			return variable_ptr;
 		}
 	} while (0);
 
 	zend_copy_to_variable(variable_ptr, value, value_type);
-	ZVAL_COPY(result_variable_ptr, variable_ptr);
 	return variable_ptr;
 }
 

Zend/tests/gh10168_3.phpt

@@ -2577,9 +2577,6 @@ ZEND_VM_C_LABEL(try_assign_dim_array):
 					Z_ADDREF_P(value);
 				}
 			}
-			if (UNEXPECTED(RETURN_VALUE_USED(opline))) {
-				ZVAL_COPY(EX_VAR(opline->result.var), value);
-			}
 		} else {
 			dim = GET_OP2_ZVAL_PTR_UNDEF(BP_VAR_R);
 			if (OP2_TYPE == IS_CONST) {
@@ -2591,11 +2588,10 @@ ZEND_VM_C_LABEL(try_assign_dim_array):
 				ZEND_VM_C_GOTO(assign_dim_error);
 			}
 			value = GET_OP_DATA_ZVAL_PTR(BP_VAR_R);
-			if (UNEXPECTED(RETURN_VALUE_USED(opline))) {
-				zend_assign_to_two_variables(EX_VAR(opline->result.var), variable_ptr, value, OP_DATA_TYPE, EX_USES_STRICT_TYPES());
-			} else {
-				zend_assign_to_variable(variable_ptr, value, OP_DATA_TYPE, EX_USES_STRICT_TYPES());
-			}
+			value = zend_assign_to_variable(variable_ptr, value, OP_DATA_TYPE, EX_USES_STRICT_TYPES());
+		}
+		if (UNEXPECTED(RETURN_VALUE_USED(opline))) {
+			ZVAL_COPY(EX_VAR(opline->result.var), value);
 		}
 	} else {
 		if (EXPECTED(Z_ISREF_P(object_ptr))) {
@@ -2689,14 +2685,12 @@ ZEND_VM_HANDLER(22, ZEND_ASSIGN, VAR|CV, CONST|TMP|VAR|CV, SPEC(RETVAL))
 	value = GET_OP2_ZVAL_PTR(BP_VAR_R);
 	variable_ptr = GET_OP1_ZVAL_PTR_PTR_UNDEF(BP_VAR_W);
 
+	value = zend_assign_to_variable(variable_ptr, value, OP2_TYPE, EX_USES_STRICT_TYPES());
 	if (UNEXPECTED(RETURN_VALUE_USED(opline))) {
-		zend_assign_to_two_variables(EX_VAR(opline->result.var), variable_ptr, value, OP2_TYPE, EX_USES_STRICT_TYPES());
-	} else {
-		zend_assign_to_variable(variable_ptr, value, OP2_TYPE, EX_USES_STRICT_TYPES());
+		ZVAL_COPY(EX_VAR(opline->result.var), value);
 	}
-
 	FREE_OP1_VAR_PTR();
-	/* zend_assign_to_(two_)variable(s)() always takes care of op2, never free it! */
+	/* zend_assign_to_variable() always takes care of op2, never free it! */
 
 	ZEND_VM_NEXT_OPCODE_CHECK_EXCEPTION();
 }