Use-after-free in extract() with EXTR_REFS

iluuu1994 · iluuu1994 · commit a21065e6ebd4 · 2025-04-01T16:33:30.000+02:00
Fixes GH-18209 Closes GH-18211
diff --git a/NEWS b/NEWS
@@ -9,6 +9,7 @@ PHP                                                                        NEWS
 - Standard:
   . Fixed bug GH-18145 (php8ts crashes in php_clear_stat_cache()).
     (Jakub Zelenka)
+  . Fixed bug GH-18209 (Use-after-free in extract() with EXTR_REFS). (ilutov)
 
 10 Apr 2025, PHP 8.3.20
 
diff --git a/ext/standard/array.c b/ext/standard/array.c
@@ -1863,8 +1863,10 @@ static zend_long php_extract_ref_overwrite(zend_array *arr, zend_array *symbol_t
 			} else {
 				ZVAL_MAKE_REF_EX(entry, 2);
 			}
-			zval_ptr_dtor(orig_var);
+			zval garbage;
+			ZVAL_COPY_VALUE(&garbage, orig_var);
 			ZVAL_REF(orig_var, Z_REF_P(entry));
+			zval_ptr_dtor(&garbage);
 		} else {
 			if (Z_ISREF_P(entry)) {
 				Z_ADDREF_P(entry);
diff --git a/ext/standard/tests/gh18209.phpt b/ext/standard/tests/gh18209.phpt
@@ -0,0 +1,23 @@
+--TEST--
+GH-18209: Use-after-free in extract() with EXTR_REFS
+--CREDITS--
+Noam Rathaus (nrathaus)
+--FILE--
+<?php
+
+class C {
+    public function __destruct() {
+        var_dump($GLOBALS['b']);
+        $GLOBALS['b'] = 43;
+    }
+}
+
+$b = new C;
+$array = ['b' => 42];
+extract($array, EXTR_REFS);
+var_dump($b);
+
+?>
+--EXPECT--
+int(42)
+int(43)
