Hold onto the container after a get_property_ptr_ptr() call

Effects performed after a get_property_ptr_ptr() call may make the property
pointer invalid by freeing or reallocating its container.

The container might be the object itself, the properties ht, a proxied object,
or anything else (for internal classes).

Here we change the get_property_ptr_ptr handler so it exposes the actual
container. The caller can then increase its refcount if any operation performed
before the last access to the property could render the property invalid.

The get_property_ptr_ptr() implementation has the responsibility of ensuring
that while the container's refcount is incremented, the property pointer remains
valid.

Author: arnaud-lb

Zend/tests/gh15938-001.phpt

@@ -0,0 +1,32 @@
+--TEST--
+GH-15938 001: ASSIGN_OBJ_OP: Dynamic property may be undef by __toString(), leaking the new value
+--ENV--
+LEN=10
+--FILE--
+<?php
+
+#[AllowDynamicProperties]
+class C {
+    public $a;
+}
+
+$obj = new C();
+$obj->b = str_repeat('c', (int)getenv('LEN'));
+$obj->b .= new class {
+    function __toString() {
+        global $obj;
+        unset($obj->b);
+        return str_repeat('d', (int)getenv('LEN'));
+    }
+};
+
+var_dump($obj);
+
+?>
+==DONE==
+--EXPECTF--
+object(C)#%d (1) {
+  ["a"]=>
+  NULL
+}
+==DONE==

Zend/tests/gh15938-002.phpt

@@ -0,0 +1,51 @@
+--TEST--
+GH-15938 002: ASSIGN_OBJ_OP: Properties ht may be resized by __toString(), write happens on freed buckets
+--FILE--
+<?php
+
+#[AllowDynamicProperties]
+class C {
+    public $a;
+}
+
+$obj = new C();
+$obj->b = '';
+
+$obj->b .= new class {
+    function __toString() {
+        global $obj;
+        for ($i = 0; $i < 8; $i++) {
+            $obj->{$i} = 0;
+        }
+        return 'str';
+    }
+};
+
+var_dump($obj);
+
+?>
+==DONE==
+--EXPECTF--
+object(C)#%d (10) {
+  ["a"]=>
+  NULL
+  ["b"]=>
+  string(0) ""
+  ["0"]=>
+  int(0)
+  ["1"]=>
+  int(0)
+  ["2"]=>
+  int(0)
+  ["3"]=>
+  int(0)
+  ["4"]=>
+  int(0)
+  ["5"]=>
+  int(0)
+  ["6"]=>
+  int(0)
+  ["7"]=>
+  int(0)
+}
+==DONE==

Zend/tests/gh15938-003.phpt

@@ -0,0 +1,26 @@
+--TEST--
+GH-15938 003: ASSIGN_OBJ_OP: Object may be freed by __toString(), write happens on freed object
+--FILE--
+<?php
+
+class C {
+    public $a;
+}
+
+$obj = new C();
+$obj->a = '';
+$obj->a .= new class {
+    function __toString() {
+        global $obj;
+        $obj = null;
+        return 'str';
+    }
+};
+
+var_dump($obj);
+
+?>
+==DONE==
+--EXPECT--
+NULL
+==DONE==

Zend/tests/gh15938-004.phpt

@@ -0,0 +1,29 @@
+--TEST--
+GH-15938 001: ASSIGN_OBJ_OP: Property ht may be freed by resetAsLazy*(), write happens on freed ht
+--FILE--
+<?php
+
+#[AllowDynamicProperties]
+class C {
+    public $a;
+}
+
+$obj = new C();
+$obj->b = str_repeat('a', 10);
+$obj->b .= new class {
+    function __toString() {
+        global $obj;
+        $rc = new ReflectionClass($obj::class);
+        $rc->resetAsLazyGhost($obj, function () {});
+        return 'str';
+    }
+};
+
+var_dump($obj);
+
+?>
+==DONE==
+--EXPECTF--
+lazy ghost object(C)#%d (0) {
+}
+==DONE==

Zend/zend_execute.c

@@ -3612,7 +3612,7 @@ static zend_always_inline void zend_fetch_property_address(zval *result, zval *c
 	} else {
 		name = zval_get_tmp_string(prop_ptr, &tmp_name);
 	}
-	ptr = zobj->handlers->get_property_ptr_ptr(zobj, name, type, cache_slot);
+	ptr = zobj->handlers->get_property_ptr_ptr(zobj, name, type, cache_slot, NULL);
 	if (NULL == ptr) {
 		ptr = zobj->handlers->read_property(zobj, name, type, cache_slot, result);
 		if (ptr == result) {

Zend/zend_object_handlers.c

@@ -1378,7 +1378,7 @@ ZEND_API int zend_std_has_dimension(zend_object *object, zval *offset, int check
 }
 /* }}} */
 
-ZEND_API zval *zend_std_get_property_ptr_ptr(zend_object *zobj, zend_string *name, int type, void **cache_slot) /* {{{ */
+ZEND_API zval *zend_std_get_property_ptr_ptr(zend_object *zobj, zend_string *name, int type, void **cache_slot, zend_refcounted **container) /* {{{ */
 {
 	zval *retval = NULL;
 	uintptr_t property_offset;
@@ -1402,7 +1402,7 @@ ZEND_API zval *zend_std_get_property_ptr_ptr(zend_object *zobj, zend_string *nam
 						return &EG(error_zval);
 					}
 
-					return zend_std_get_property_ptr_ptr(zobj, name, type, cache_slot);
+					return zend_std_get_property_ptr_ptr(zobj, name, type, cache_slot, container);
 				}
 				if (UNEXPECTED(type == BP_VAR_RW || type == BP_VAR_R)) {
 					if (prop_info) {
@@ -1440,6 +1440,9 @@ ZEND_API zval *zend_std_get_property_ptr_ptr(zend_object *zobj, zend_string *nam
 				zobj->properties = zend_array_dup(zobj->properties);
 			}
 		    if (EXPECTED((retval = zend_hash_find(zobj->properties, name)) != NULL)) {
+				if (container) {
+					*container = (zend_refcounted*)zobj->properties;
+				}
 				return retval;
 		    }
 		}
@@ -1460,7 +1463,7 @@ ZEND_API zval *zend_std_get_property_ptr_ptr(zend_object *zobj, zend_string *nam
 					return &EG(error_zval);
 				}
 
-				return zend_std_get_property_ptr_ptr(zobj, name, type, cache_slot);
+				return zend_std_get_property_ptr_ptr(zobj, name, type, cache_slot, container);
 			}
 			if (UNEXPECTED(!zobj->properties)) {
 				rebuild_object_properties_internal(zobj);
@@ -1474,6 +1477,9 @@ ZEND_API zval *zend_std_get_property_ptr_ptr(zend_object *zobj, zend_string *nam
 		retval = &EG(error_zval);
 	}
 
+	if (container) {
+		*container = (zend_refcounted*)zobj;
+	}
 	return retval;
 }
 /* }}} */

Zend/zend_object_handlers.h

@@ -102,8 +102,11 @@ typedef void (*zend_object_write_dimension_t)(zend_object *object, zval *offset,
  *  * &EG(error_zval), if an exception has been thrown.
  *  * NULL, if acquiring a direct pointer is not possible.
  *    In this case, the VM will fall back to using read_property and write_property.
+ * If 'container' is not NULL, it is set to the actual container of the zval
+ * pointer. The pointer remains valid as long as a reference on the container is
+ * held by the caller.
  */
-typedef zval *(*zend_object_get_property_ptr_ptr_t)(zend_object *object, zend_string *member, int type, void **cache_slot);
+typedef zval *(*zend_object_get_property_ptr_ptr_t)(zend_object *object, zend_string *member, int type, void **cache_slot, zend_refcounted **container);
 
 /* Used to check if a property of the object exists */
 /* param has_set_exists:
@@ -259,7 +262,7 @@ ZEND_API HashTable *zend_get_properties_no_lazy_init(zend_object *zobj);
 ZEND_API HashTable *zend_std_get_gc(zend_object *object, zval **table, int *n);
 ZEND_API HashTable *zend_std_get_debug_info(zend_object *object, int *is_temp);
 ZEND_API zend_result zend_std_cast_object_tostring(zend_object *object, zval *writeobj, int type);
-ZEND_API zval *zend_std_get_property_ptr_ptr(zend_object *object, zend_string *member, int type, void **cache_slot);
+ZEND_API zval *zend_std_get_property_ptr_ptr(zend_object *object, zend_string *member, int type, void **cache_slot, zend_refcounted **container);
 ZEND_API zval *zend_std_read_property(zend_object *object, zend_string *member, int type, void **cache_slot, zval *rv);
 ZEND_API zval *zend_std_write_property(zend_object *object, zend_string *member, zval *value, void **cache_slot);
 ZEND_API int zend_std_has_property(zend_object *object, zend_string *member, int has_set_exists, void **cache_slot);

Zend/zend_vm_def.h

@@ -1051,14 +1051,17 @@ ZEND_VM_C_LABEL(assign_op_object):
 			}
 		}
 		cache_slot = (OP2_TYPE == IS_CONST) ? CACHE_ADDR((opline+1)->extended_value) : _cache_slot;
-		if (EXPECTED((zptr = zobj->handlers->get_property_ptr_ptr(zobj, name, BP_VAR_RW, cache_slot)) != NULL)) {
+		zend_refcounted *container;
+		if (EXPECTED((zptr = zobj->handlers->get_property_ptr_ptr(zobj, name, BP_VAR_RW, cache_slot, &container)) != NULL)) {
 			if (UNEXPECTED(Z_ISERROR_P(zptr))) {
 				if (UNEXPECTED(RETURN_VALUE_USED(opline))) {
 					ZVAL_NULL(EX_VAR(opline->result.var));
 				}
 			} else {
 				zend_reference *ref;
 
+				GC_ADDREF(container);
+
 				do {
 					if (UNEXPECTED(Z_ISREF_P(zptr))) {
 						ref = Z_REF_P(zptr);
@@ -1081,6 +1084,8 @@ ZEND_VM_C_LABEL(assign_op_object):
 				if (UNEXPECTED(RETURN_VALUE_USED(opline))) {
 					ZVAL_COPY(EX_VAR(opline->result.var), zptr);
 				}
+
+				GC_DTOR(container);
 			}
 		} else {
 			zend_assign_op_overloaded_property(zobj, name, cache_slot, value OPLINE_CC EXECUTE_DATA_CC);
@@ -1328,7 +1333,7 @@ ZEND_VM_C_LABEL(pre_incdec_object):
 			}
 		}
 		cache_slot = (OP2_TYPE == IS_CONST) ? CACHE_ADDR(opline->extended_value) : _cache_slot;
-		if (EXPECTED((zptr = zobj->handlers->get_property_ptr_ptr(zobj, name, BP_VAR_RW, cache_slot)) != NULL)) {
+		if (EXPECTED((zptr = zobj->handlers->get_property_ptr_ptr(zobj, name, BP_VAR_RW, cache_slot, NULL)) != NULL)) {
 			if (UNEXPECTED(Z_ISERROR_P(zptr))) {
 				if (UNEXPECTED(RETURN_VALUE_USED(opline))) {
 					ZVAL_NULL(EX_VAR(opline->result.var));
@@ -1398,7 +1403,7 @@ ZEND_VM_C_LABEL(post_incdec_object):
 			}
 		}
 		cache_slot = (OP2_TYPE == IS_CONST) ? CACHE_ADDR(opline->extended_value) : _cache_slot;
-		if (EXPECTED((zptr = zobj->handlers->get_property_ptr_ptr(zobj, name, BP_VAR_RW, cache_slot)) != NULL)) {
+		if (EXPECTED((zptr = zobj->handlers->get_property_ptr_ptr(zobj, name, BP_VAR_RW, cache_slot, NULL)) != NULL)) {
 			if (UNEXPECTED(Z_ISERROR_P(zptr))) {
 				ZVAL_NULL(EX_VAR(opline->result.var));
 			} else {