Fix GH-20482: heap use-after-free in ZEND_ASSIGN_DIM via re-entrant user output handler

When ZEND_ASSIGN_DIM evaluates an undefined CV as the RHS, the warning
emitted by zval_undefined_cv() can be routed through a user output
handler (e.g. via ob_start with a small chunk size). The handler runs
arbitrary PHP code, which may free, unset or rehash the array we are
writing to, leaving the previously-fetched variable_ptr pointing into
freed/relocated memory. The next zend_assign_to_variable_ex then
performs a heap use-after-free.

In the OP2_TYPE != IS_UNUSED branch:

- Switch GET_OP_DATA_ZVAL_PTR to GET_OP_DATA_ZVAL_PTR_UNDEF so we no
  longer auto-emit the warning. Detect IS_UNDEF explicitly and call
  zval_undefined_cv around a temporary GC_ADDREF / GC_DELREF on the
  target HashTable, mirroring the IS_UNUSED branch and the previous
  fix in slow_index_convert (b594a95).
- Reorder the pipeline: fetch the data value (and emit the warning)
  *before* resolving variable_ptr. Resolving the dim address only
  afterwards guarantees a fresh bucket pointer that cannot have been
  invalidated by reentrant user code freeing the array, rehashing it
  or unsetting keys.

Includes phpt regressions covering the three reentrancy paths:
- output handler reassigns the array,
- output handler unsets the array,
- output handler rehashes the array (would invalidate any pre-fetched
  bucket pointer).

Author: lacatoire

NEWS

@@ -18,6 +18,9 @@ PHP                                                                        NEWS
     initialization). (Arnaud)
   . Enabled the TAILCALL VM on Windows when compiling with Clang >= 19 x86_64.
     (henderkes)
+  . Fixed bug GH-20482 (Heap use-after-free in ZEND_ASSIGN_DIM when a user
+    output handler clobbers the array during the undefined-variable
+    warning). (lacatoire)
 
 - BCMath:
   . Added NUL-byte validation to BCMath functions. (jorgsowa)

Zend/tests/gh20482_assign_dim_uaf_output_handler.phpt

@@ -0,0 +1,26 @@
+--TEST--
+GH-20482: heap use-after-free in ZEND_ASSIGN_DIM when an output handler clobbers the array during the undefined-variable warning
+--FILE--
+<?php
+$a = [1, 2, 3];
+
+// Chunk size 1 forces the handler to run synchronously when the warning
+// emitted by the undefined RHS is buffered.
+ob_start(function () use (&$a) {
+    // Drop the only reference to the original array, freeing it.
+    $a = "freed";
+    return '';
+}, 1);
+
+// $undef is undefined: emitting the "Undefined variable" warning recurses
+// into the output handler above, which frees $a. Without the fix the next
+// store would write into the freed bucket.
+$a[0] = $undef;
+
+ob_end_clean();
+var_dump($a);
+echo "ok\n";
+?>
+--EXPECT--
+string(5) "freed"
+ok

Zend/tests/gh20482_assign_dim_uaf_output_handler_mutate_via_ref.phpt

@@ -0,0 +1,29 @@
+--TEST--
+GH-20482: ZEND_ASSIGN_DIM does not crash when the output handler mutates the array via a reference during the undefined-variable warning
+--FILE--
+<?php
+$a = ['existing' => 0];
+
+ob_start(function () use (&$a) {
+    // Mutate the array many times via the reference. Each nested
+    // ZEND_ASSIGN_DIM observes the temporary refcount bump from the outer
+    // handler and SEPARATEs the array, so the writes land in a duplicate;
+    // the outer assignment is then aborted cleanly via assign_dim_error
+    // when the original drops to refcount 0. The point of the test is
+    // simply that the whole thing must not UAF or crash, regardless of
+    // which array $a ends up pointing at.
+    for ($i = 0; $i < 64; $i++) {
+        $a["k$i"] = $i;
+    }
+    return '';
+}, 1);
+
+$a['target'] = $undef;
+
+ob_end_clean();
+var_dump(count($a) >= 65);
+echo "ok\n";
+?>
+--EXPECT--
+bool(true)
+ok

Zend/zend_vm_def.h

@@ -2730,16 +2730,37 @@ ZEND_VM_C_LABEL(try_assign_dim_array):
 				}
 			}
 		} else {
+			HashTable *ht = Z_ARRVAL_P(object_ptr);
 			dim = GET_OP2_ZVAL_PTR_UNDEF(BP_VAR_R);
+			/* Order is critical: fetch the data value (which may emit an
+			 * "Undefined variable" warning that can recurse into user code
+			 * via a user output handler) before resolving variable_ptr.
+			 * Resolving variable_ptr only afterwards guarantees a fresh
+			 * bucket pointer that cannot have been invalidated by user
+			 * code freeing the array, rehashing it, or unsetting keys. */
+			value = GET_OP_DATA_ZVAL_PTR_UNDEF(BP_VAR_R);
+			if (OP_DATA_TYPE == IS_CV && UNEXPECTED(Z_TYPE_P(value) == IS_UNDEF)) {
+				/* Temporarily addref the array around the warning so we
+				 * can detect a full destruction (last ref dropped by
+				 * reentrant user code) and bail out cleanly. Mirrors the
+				 * IS_UNUSED branch above. */
+				if (!(GC_FLAGS(ht) & IS_ARRAY_IMMUTABLE)) {
+					GC_ADDREF(ht);
+				}
+				value = zval_undefined_cv((opline+1)->op1.var EXECUTE_DATA_CC);
+				if (!(GC_FLAGS(ht) & IS_ARRAY_IMMUTABLE) && !GC_DELREF(ht)) {
+					zend_array_destroy(ht);
+					ZEND_VM_C_GOTO(assign_dim_error);
+				}
+			}
 			if (OP2_TYPE == IS_CONST) {
-				variable_ptr = zend_fetch_dimension_address_inner_W_CONST(Z_ARRVAL_P(object_ptr), dim EXECUTE_DATA_CC);
+				variable_ptr = zend_fetch_dimension_address_inner_W_CONST(ht, dim EXECUTE_DATA_CC);
 			} else {
-				variable_ptr = zend_fetch_dimension_address_inner_W(Z_ARRVAL_P(object_ptr), dim EXECUTE_DATA_CC);
+				variable_ptr = zend_fetch_dimension_address_inner_W(ht, dim EXECUTE_DATA_CC);
 			}
 			if (UNEXPECTED(variable_ptr == NULL)) {
 				ZEND_VM_C_GOTO(assign_dim_error);
 			}
-			value = GET_OP_DATA_ZVAL_PTR(BP_VAR_R);
 			value = zend_assign_to_variable_ex(variable_ptr, value, OP_DATA_TYPE, EX_USES_STRICT_TYPES(), &garbage);
 		}
 		if (UNEXPECTED(RETURN_VALUE_USED(opline))) {