Merge branch 'PHP-8.3' into PHP-8.4

nielsdos · nielsdos · commit 07e418abfb08 · 2024-10-07T17:49:56.000+02:00
* PHP-8.3: Fix phpGH-16261: Reference invariant broken in mb_convert_variables()
diff --git a/NEWS b/NEWS
@@ -77,6 +77,10 @@ PHP                                                                        NEWS
   . Fix GH-16136 (Memory leak in php_ldap_do_modify() when entry is not a
     proper dictionary). (Girgias)
 
+- MBString:
+  . Fixed bug GH-16261 (Reference invariant broken in mb_convert_variables()).
+    (nielsdos)
+
 - Opcache:
   . Fixed bug GH-16009 (Segmentation fault with frameless functions and
     undefined CVs). (nielsdos)
diff --git a/ext/mbstring/mbstring.c b/ext/mbstring/mbstring.c
@@ -3770,7 +3770,22 @@ static bool mb_recursive_convert_variable(zval *var, const mbfl_encoding* from_e
 
 		HashTable *ht = HASH_OF(var);
 		if (ht != NULL) {
-			ZEND_HASH_FOREACH_VAL_IND(ht, entry) {
+			ZEND_HASH_FOREACH_VAL(ht, entry) {
+				/* Can be a typed property declaration, in which case we need to remove the reference from the source list.
+				 * Just using ZEND_TRY_ASSIGN_STRINGL is not sufficient because that would not unwrap the reference
+				 * and change values through references (see bug #26639). */
+				if (Z_TYPE_P(entry) == IS_INDIRECT) {
+					ZEND_ASSERT(Z_TYPE_P(var) == IS_OBJECT);
+
+					entry = Z_INDIRECT_P(entry);
+					if (Z_ISREF_P(entry) && Z_TYPE_P(Z_REFVAL_P(entry)) == IS_STRING) {
+						zend_property_info *info = zend_get_typed_property_info_for_slot(Z_OBJ_P(var), entry);
+						if (info) {
+							ZEND_REF_DEL_TYPE_SOURCE(Z_REF_P(entry), info);
+						}
+					}
+				}
+
 				if (mb_recursive_convert_variable(entry, from_encoding, to_encoding)) {
 					if (Z_REFCOUNTED_P(var)) {
 						Z_UNPROTECT_RECURSION_P(var);
diff --git a/ext/mbstring/tests/gh16261.phpt b/ext/mbstring/tests/gh16261.phpt
@@ -0,0 +1,44 @@
+--TEST--
+GH-16261 (Reference invariant broken in mb_convert_variables())
+--EXTENSIONS--
+mbstring
+--FILE--
+<?php
+class Test {
+    public string $x;
+    public string $y;
+    public array $z;
+}
+$test = new Test;
+$ref = "hello";
+$ref2 = "world";
+$ref3 = [&$ref2];
+$test->x =& $ref;
+$test->z =& $ref3;
+mb_convert_variables("EUC-JP", "Shift_JIS", $test);
+
+class Test2 {
+    public function __construct(public string $x) {}
+}
+$test2 = new Test2("foo");
+
+mb_convert_variables("EUC-JP", "Shift_JIS", $test->x);
+
+var_dump($test, $test2);
+?>
+--EXPECT--
+object(Test)#1 (2) {
+  ["x"]=>
+  string(5) "hello"
+  ["y"]=>
+  uninitialized(string)
+  ["z"]=>
+  &array(1) {
+    [0]=>
+    string(5) "world"
+  }
+}
+object(Test2)#2 (1) {
+  ["x"]=>
+  string(3) "foo"
+}
