Fix GH-20482: heap use-after-free in ZEND_ASSIGN_DIM via re-entrant user output handler

When ZEND_ASSIGN_DIM evaluates an undefined CV as the RHS, the warning
emitted by zval_undefined_cv() can be routed through a user output
handler (e.g. via ob_start with a small chunk size). The handler is
allowed to run arbitrary PHP code, including reassigning the variable
that holds the array we are writing to. That drops the array's last
reference and zend_array_destroy frees its buckets while the VM still
holds the previously-fetched variable_ptr, causing a UAF on the
subsequent zend_assign_to_variable_ex.

Mirror the protection already used in the IS_UNUSED branch of
ZEND_ASSIGN_DIM (and in slow_index_convert): temporarily addref the
target HashTable around zval_undefined_cv() so the array survives the
reentrant user code, then refetch the dimension address afterwards
(the previous variable_ptr may have been invalidated even when the
array as a whole survived, e.g. if user code added entries that
triggered a rehash).

Includes a phpt regression covering the output-handler reentrancy
path.

Author: lacatoire

NEWS

@@ -18,6 +18,9 @@ PHP                                                                        NEWS
     initialization). (Arnaud)
   . Enabled the TAILCALL VM on Windows when compiling with Clang >= 19 x86_64.
     (henderkes)
+  . Fixed bug GH-20482 (Heap use-after-free in ZEND_ASSIGN_DIM when a user
+    output handler clobbers the array during the undefined-variable
+    warning). (lacatoire)
 
 - BCMath:
   . Added NUL-byte validation to BCMath functions. (jorgsowa)

Zend/tests/gh20482_assign_dim_uaf_output_handler.phpt

@@ -0,0 +1,27 @@
+--TEST--
+GH-20482: Heap use-after-free in ZEND_ASSIGN_DIM when an output handler clobbers the array during the undefined-variable warning
+--FILE--
+<?php
+$a = [1, 2, 3];
+
+// Chunk size 1 forces the handler to run synchronously when the warning
+// emitted by the undefined RHS is buffered.
+ob_start(function () use (&$a) {
+    // Drop the only reference to the original array, freeing it.
+    $a = "freed";
+    return '';
+}, 1);
+
+// $undef is undefined: emitting the "Undefined variable" warning recurses
+// into the output handler above, which frees $a. Without the fix the next
+// store would write into the freed bucket.
+$a[0] = $undef;
+
+ob_end_clean();
+var_dump($a);
+echo "ok\n";
+?>
+--EXPECTF--
+%AWarning: Undefined variable $undef in %s on line %d
+string(5) "freed"
+ok

Zend/zend_vm_def.h

@@ -2730,16 +2730,33 @@ ZEND_VM_C_LABEL(try_assign_dim_array):
 				}
 			}
 		} else {
+			HashTable *ht = Z_ARRVAL_P(object_ptr);
 			dim = GET_OP2_ZVAL_PTR_UNDEF(BP_VAR_R);
+			value = GET_OP_DATA_ZVAL_PTR_UNDEF(BP_VAR_R);
+			if (OP_DATA_TYPE == IS_CV && UNEXPECTED(Z_TYPE_P(value) == IS_UNDEF)) {
+				/* The undefined-variable warning may recurse into user code
+				 * (e.g. a user output handler) and clobber or destroy the
+				 * array we are about to write to. Temporarily addref the
+				 * array to detect destruction, and refetch the dim address
+				 * after the warning since the previous variable_ptr may have
+				 * been invalidated by hash table mutations. */
+				if (!(GC_FLAGS(ht) & IS_ARRAY_IMMUTABLE)) {
+					GC_ADDREF(ht);
+				}
+				value = zval_undefined_cv((opline+1)->op1.var EXECUTE_DATA_CC);
+				if (!(GC_FLAGS(ht) & IS_ARRAY_IMMUTABLE) && !GC_DELREF(ht)) {
+					zend_array_destroy(ht);
+					ZEND_VM_C_GOTO(assign_dim_error);
+				}
+			}
 			if (OP2_TYPE == IS_CONST) {
-				variable_ptr = zend_fetch_dimension_address_inner_W_CONST(Z_ARRVAL_P(object_ptr), dim EXECUTE_DATA_CC);
+				variable_ptr = zend_fetch_dimension_address_inner_W_CONST(ht, dim EXECUTE_DATA_CC);
 			} else {
-				variable_ptr = zend_fetch_dimension_address_inner_W(Z_ARRVAL_P(object_ptr), dim EXECUTE_DATA_CC);
+				variable_ptr = zend_fetch_dimension_address_inner_W(ht, dim EXECUTE_DATA_CC);
 			}
 			if (UNEXPECTED(variable_ptr == NULL)) {
 				ZEND_VM_C_GOTO(assign_dim_error);
 			}
-			value = GET_OP_DATA_ZVAL_PTR(BP_VAR_R);
 			value = zend_assign_to_variable_ex(variable_ptr, value, OP_DATA_TYPE, EX_USES_STRICT_TYPES(), &garbage);
 		}
 		if (UNEXPECTED(RETURN_VALUE_USED(opline))) {