Commit 6eb3faef3bc for php.net

commit 6eb3faef3bc1df238b824630dbdcd95c27ddb2f8
Author: Ilija Tovilo <ilija.tovilo@me.com>
Date:   Tue Sep 16 13:39:35 2025 +0200

    Fix use-of-uninitialized-value in zend_get_arg_offset_by_name()

    Don't access fbc->op_array.refcount on internal functions (the op_array member of the union is not valid there). Don't attempt to cache
    ZEND_ACC_USER_ARG_INFO at all, which is only used in
    zend_get_closure_invoke_method(). This may reuse arg_info from a temporary
    closure, and hence caching would also be unsafe.

    Also avoid populating the cache slot for variadic parameters, where the
    ZEND_ACC_USER_ARG_INFO is set for the same reason.

    Closes GH-19856

diff --git a/Zend/zend_execute.c b/Zend/zend_execute.c
index 4e6339ca901..d44af38c64c 100644
--- a/Zend/zend_execute.c
+++ b/Zend/zend_execute.c
@@ -5072,9 +5072,9 @@ static zend_always_inline uint32_t zend_get_arg_offset_by_name(
 	if (EXPECTED(fbc->type == ZEND_USER_FUNCTION)
 			|| EXPECTED(fbc->common.fn_flags & ZEND_ACC_USER_ARG_INFO)) {
 		for (uint32_t i = 0; i < num_args; i++) {
-			zend_arg_info *arg_info = &fbc->op_array.arg_info[i];
+			zend_arg_info *arg_info = &fbc->common.arg_info[i];
 			if (zend_string_equals(arg_name, arg_info->name)) {
-				if (!fbc->op_array.refcount || !(fbc->op_array.fn_flags & ZEND_ACC_CLOSURE)) {
+				if (fbc->type == ZEND_USER_FUNCTION && (!fbc->op_array.refcount || !(fbc->op_array.fn_flags & ZEND_ACC_CLOSURE))) {
 					*cache_slot = unique_id;
 					*(uintptr_t *)(cache_slot + 1) = i;
 				}
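Review bot: The reason the `fbc->type == ZEND_USER_FUNCTION` guard was added to the cache condition on the new line 31 lives only in the commit message; nothing in the code says why an internal function that reaches this loop (it can only get here with ZEND_ACC_USER_ARG_INFO set, per the enclosing condition) must never populate the cache slot. A maintainer tightening this later could easily re-add caching for that case. I would put the rationale above the `if`: `/* Internal functions only reach this loop via ZEND_ACC_USER_ARG_INFO, whose arg_info may be borrowed from a temporary closure (zend_get_closure_invoke_method()); never cache those. */` The union field access `fbc->op_array.refcount` is also now correctly gated on the user-function check, but a one-line note that `op_array` is only valid for ZEND_USER_FUNCTION would make that dependency explicit. zend_get_arg_offset_by_name() starts before this hunk and continues past it.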
@@ -5094,7 +5094,10 @@ static zend_always_inline uint32_t zend_get_arg_offset_by_name(
 	}

 	if (fbc->common.fn_flags & ZEND_ACC_VARIADIC) {
-		if (fbc->type == ZEND_INTERNAL_FUNCTION || !fbc->op_array.refcount || !(fbc->op_array.fn_flags & ZEND_ACC_CLOSURE)) {
+		if ((fbc->type == ZEND_USER_FUNCTION
+		  && (!fbc->op_array.refcount || !(fbc->op_array.fn_flags & ZEND_ACC_CLOSURE)))
+		 || (fbc->type == ZEND_INTERNAL_FUNCTION
+		  && !(fbc->common.fn_flags & ZEND_ACC_USER_ARG_INFO))) {
 			*cache_slot = unique_id;
 			*(uintptr_t *)(cache_slot + 1) = fbc->common.num_args;
 		}
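Review bot: The "may we fill the cache slot" predicate on the new lines 40–43 is a second, differently shaped copy of the one in the named-parameter loop earlier in this function, and the two must stay in agreement or the variadic and non-variadic paths will cache under different rules. Since the internal functions that reach the earlier loop all carry ZEND_ACC_USER_ARG_INFO, a single helper expresses both sites exactly: it returns false for such internal functions, true for other internal functions, and applies the refcount/closure test to user functions. Both call sites then become `if (zend_arg_offset_is_cacheable(fbc)) {`, and the rationale for the closure exclusion — presumably that a refcounted closure's op_array can go away while the cache slot outlives it — is stated once rather than left implicit. zend_get_arg_offset_by_name() continues past this hunk.
```c
/* True when fbc's arg_info is stable enough for zend_get_arg_offset_by_name()
 * to record an offset in the runtime cache slot. Internal functions whose
 * arg_info is borrowed via ZEND_ACC_USER_ARG_INFO (see
 * zend_get_closure_invoke_method()) are excluded; for user functions the
 * op_array union member is valid, and refcounted closures are excluded. */
static zend_always_inline bool zend_arg_offset_is_cacheable(const zend_function *fbc)
{
	if (fbc->type == ZEND_USER_FUNCTION) {
		return !fbc->op_array.refcount || !(fbc->op_array.fn_flags & ZEND_ACC_CLOSURE);
	}
	return !(fbc->common.fn_flags & ZEND_ACC_USER_ARG_INFO);
}

/* … unchanged: zend_get_arg_offset_by_name() up to the variadic branch … */
	if (fbc->common.fn_flags & ZEND_ACC_VARIADIC) {
		if (zend_arg_offset_is_cacheable(fbc)) {
			*cache_slot = unique_id;
			*(uintptr_t *)(cache_slot + 1) = fbc->common.num_args;
		}
```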