Fix double-free of doc_comment when overriding static property via trait

iluuu1994 · iluuu1994 · commit af3d2f7ec98d · 2023-10-19T15:21:53.000+02:00
When redeclaring an overridden static property with a trait we're removing the property from the class. However, because the property itself does not belong to the class we must not free its associated data. This issue is exposed by 9a250cc in PHP 8.3+ because duplicate static properties in traits are no longer skipped, but redeclared. Fixes GH-12468
diff --git a/NEWS b/NEWS
@@ -2,6 +2,10 @@ PHP                                                                        NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 ?? ??? ????, PHP 8.1.26
 
+- Core:
+  . Fixed bug GH-12468 (Double-free of doc_comment when overriding static
+    property via trait). (ilutov)
+
 - DOM:
   . Fix registerNodeClass with abstract class crashing. (nielsdos)
 
diff --git a/Zend/tests/gh12468_1.phpt b/Zend/tests/gh12468_1.phpt
@@ -0,0 +1,18 @@
+--TEST--
+GH-12468: Double-free of doc_comment when overriding static property via trait
+--FILE--
+<?php
+trait T {
+	/** some doc */
+	static protected $a = 0;
+}
+class A {
+	use T;
+}
+class B extends A {
+	use T;
+}
+?>
+===DONE===
+--EXPECT--
+===DONE===
diff --git a/Zend/tests/gh12468_2.phpt b/Zend/tests/gh12468_2.phpt
@@ -0,0 +1,19 @@
+--TEST--
+GH-12468: Double-free of doc_comment when overriding static property via trait
+--FILE--
+<?php
+trait T {
+	/** some doc */
+	static protected $a = 0;
+}
+class A {
+	/** some doc */
+	static protected $a = 0;
+}
+class B extends A {
+	use T;
+}
+?>
+===DONE===
+--EXPECT--
+===DONE===
diff --git a/Zend/zend_API.c b/Zend/zend_API.c
@@ -4120,7 +4120,7 @@ ZEND_API zend_property_info *zend_declare_typed_property(zend_class_entry *ce, z
 		    (property_info_ptr->flags & ZEND_ACC_STATIC) != 0) {
 			property_info->offset = property_info_ptr->offset;
 			zval_ptr_dtor(&ce->default_static_members_table[property_info->offset]);
-			if (property_info_ptr->doc_comment) {
+			if (property_info_ptr->doc_comment && property_info_ptr->ce == ce) {
 				zend_string_release(property_info_ptr->doc_comment);
 			}
 			zend_hash_del(&ce->properties_info, name);
@@ -4145,7 +4145,7 @@ ZEND_API zend_property_info *zend_declare_typed_property(zend_class_entry *ce, z
 		    (property_info_ptr->flags & ZEND_ACC_STATIC) == 0) {
 			property_info->offset = property_info_ptr->offset;
 			zval_ptr_dtor(&ce->default_properties_table[OBJ_PROP_TO_NUM(property_info->offset)]);
-			if (property_info_ptr->doc_comment) {
+			if (property_info_ptr->doc_comment && property_info_ptr->ce == ce) {
 				zend_string_release_ex(property_info_ptr->doc_comment, 1);
 			}
 			zend_hash_del(&ce->properties_info, name);
