Fix GH-22060 and GH-22122: pin object/closure in callback dispatch

iliaal · iliaal · commit 02a264f7af51 · 2026-05-24T21:23:58.000-04:00
Pin object and closure across zend_call_known_fcc and spl_perform_autoload so a callback that releases the borrowed FCC (autoloader self-unregister, SQLite3 setAuthorizer(null)) doesn't free $this mid-call. Initialize fcc.closure in ReflectionFunction::invoke/invokeArgs since the pin reads it. Fixes GH-22060 Fixes GH-22122
diff --git a/Zend/zend_API.h b/Zend/zend_API.h
@@ -849,7 +849,21 @@ static zend_always_inline void zend_call_known_fcc(
 		memcpy(func, fcc->function_handler, sizeof(zend_function));
 		zend_string_addref(func->op_array.function_name);
 	}
+	zend_object *pinned_object = fcc->object;
+	zend_object *pinned_closure = fcc->closure;
+	if (pinned_object) {
+		GC_ADDREF(pinned_object);
+	}
+	if (pinned_closure) {
+		GC_ADDREF(pinned_closure);
+	}
 	zend_call_known_function(func, fcc->object, fcc->called_scope, retval_ptr, param_count, params, named_params);
+	if (pinned_object) {
+		OBJ_RELEASE(pinned_object);
+	}
+	if (pinned_closure) {
+		OBJ_RELEASE(pinned_closure);
+	}
 }
 
 /* Call the provided zend_function instance method on an object. */
diff --git a/ext/reflection/php_reflection.c b/ext/reflection/php_reflection.c
@@ -2074,6 +2074,7 @@ ZEND_METHOD(ReflectionFunction, invoke)
 	fcc.function_handler = fptr;
 	fcc.called_scope = NULL;
 	fcc.object = NULL;
+	fcc.closure = NULL;
 
 	if (!Z_ISUNDEF(intern->obj)) {
 		Z_OBJ_HT(intern->obj)->get_closure(
@@ -2113,6 +2114,7 @@ ZEND_METHOD(ReflectionFunction, invokeArgs)
 	fcc.function_handler = fptr;
 	fcc.called_scope = NULL;
 	fcc.object = NULL;
+	fcc.closure = NULL;
 
 	if (!Z_ISUNDEF(intern->obj)) {
 		Z_OBJ_HT(intern->obj)->get_closure(
diff --git a/ext/spl/php_spl.c b/ext/spl/php_spl.c
@@ -439,7 +439,21 @@ static zend_class_entry *spl_perform_autoload(zend_string *class_name, zend_stri
 
 		zval param;
 		ZVAL_STR(&param, class_name);
+		zend_object *pinned_obj = alfi->obj;
+		zend_object *pinned_closure = alfi->closure;
+		if (pinned_obj) {
+			GC_ADDREF(pinned_obj);
+		}
+		if (pinned_closure) {
+			GC_ADDREF(pinned_closure);
+		}
 		zend_call_known_function(func, alfi->obj, alfi->ce, NULL, 1, &param, NULL);
+		if (pinned_obj) {
+			OBJ_RELEASE(pinned_obj);
+		}
+		if (pinned_closure) {
+			OBJ_RELEASE(pinned_closure);
+		}
 		if (EG(exception)) {
 			break;
 		}
diff --git a/ext/spl/tests/gh22060.phpt b/ext/spl/tests/gh22060.phpt
@@ -0,0 +1,27 @@
+--TEST--
+GH-22060 (Class autoloader $this freed via spl_autoload_unregister during dispatch)
+--FILE--
+<?php
+
+class Loader {
+    public string $data = "loader-data";
+
+    public function load(string $class): void {
+        spl_autoload_unregister([$this, 'load']);
+        echo $this->data, "\n";
+    }
+}
+
+$obj = new Loader();
+spl_autoload_register([$obj, 'load']);
+unset($obj);
+
+try {
+    new NonExistentClass42();
+} catch (\Throwable $e) {
+    echo $e::class, ": ", $e->getMessage(), "\n";
+}
+?>
+--EXPECT--
+loader-data
+Error: Class "NonExistentClass42" not found
diff --git a/ext/sqlite3/tests/gh22122.phpt b/ext/sqlite3/tests/gh22122.phpt
@@ -0,0 +1,54 @@
+--TEST--
+GH-22122 (Use-after-free in SQLite3 authorizer when callback releases the authorizer)
+--EXTENSIONS--
+sqlite3
+--FILE--
+<?php
+$db = new SQLite3(':memory:');
+
+/* Method receiver - the reported UAF shape. */
+class Auth {
+    public string $state = "alive";
+
+    public function authorize(int $action, ...$args): int {
+        global $db;
+        $db->setAuthorizer(null);
+        echo "method: ", $this->state, "\n";
+        return SQLite3::OK;
+    }
+}
+$auth = new Auth();
+$db->setAuthorizer([$auth, 'authorize']);
+unset($auth);
+$db->exec('SELECT 1');
+
+/* Closure receiver - exercises the saved_closure release path. */
+$capture = "closure-alive";
+$closure = function (int $action, ...$args) use (&$capture, $db): int {
+    $db->setAuthorizer(null);
+    echo "closure: ", $capture, "\n";
+    return SQLite3::OK;
+};
+$db->setAuthorizer($closure);
+unset($closure);
+$db->exec('SELECT 2');
+
+/* Confirm the authorizer was actually disabled by the callback (setAuthorizer null). */
+$db->exec('SELECT 3');
+echo "post-disable query ok\n";
+
+/* Throwing callback should propagate the user's exception without redundant warnings. */
+$db->setAuthorizer(function () { throw new RuntimeException("from authorizer"); });
+try {
+    @$db->exec('SELECT 4');
+} catch (RuntimeException $e) {
+    echo "throw: ", $e->getMessage(), "\n";
+}
+echo "done\n";
+?>
+--EXPECT--
+method: alive
+closure: closure-alive
+post-disable query ok
+throw: from authorizer
+done
