Fix GH-21639: Protect frameless implode args

prateekbhujel · prateekbhujel · commit 35148db67f62 · 2026-04-20T11:16:49.000+05:45
diff --git a/ext/standard/string.c b/ext/standard/string.c
@@ -1084,8 +1084,12 @@ PHP_FUNCTION(implode)
 
 ZEND_FRAMELESS_FUNCTION(implode, 1)
 {
+	zval arg1_tmp;
 	zval *pieces;
 
+	ZVAL_COPY_DEREF(&arg1_tmp, arg1);
+	arg1 = &arg1_tmp;
+
 	/* Manual parsing for more accurate error message. */
 	if (!zend_parse_arg_array(arg1, &pieces, /* null_check */ false, /* or_object */ false)) { \
 		zend_type_error(
@@ -1101,14 +1105,22 @@ ZEND_FRAMELESS_FUNCTION(implode, 1)
 	php_implode(str, Z_ARR_P(pieces), return_value);
 
 flf_clean:;
+	zval_ptr_dtor(&arg1_tmp);
 }
 
 ZEND_FRAMELESS_FUNCTION(implode, 2)
 {
+	zval arg1_tmp;
+	zval arg2_tmp;
 	zval str_tmp;
 	zend_string *str;
 	zval *pieces;
 
+	ZVAL_COPY_DEREF(&arg1_tmp, arg1);
+	arg1 = &arg1_tmp;
+	ZVAL_COPY_DEREF(&arg2_tmp, arg2);
+	arg2 = &arg2_tmp;
+
 	Z_FLF_PARAM_STR(1, str, str_tmp);
 	Z_FLF_PARAM_ARRAY_OR_NULL(2, pieces);
 
@@ -1125,6 +1137,8 @@ ZEND_FRAMELESS_FUNCTION(implode, 2)
 
 flf_clean:;
 	Z_FLF_PARAM_FREE_STR(1, str_tmp);
+	zval_ptr_dtor(&arg2_tmp);
+	zval_ptr_dtor(&arg1_tmp);
 }
 
 #define STRTOK_TABLE(p) BG(strtok_table)[(unsigned char) *p]
diff --git a/ext/standard/tests/strings/gh21639.phpt b/ext/standard/tests/strings/gh21639.phpt
@@ -0,0 +1,59 @@
+--TEST--
+GH-21639: Frameless implode keeps volatile arguments alive
+--FILE--
+<?php
+class C {
+    public function __toString(): string {
+        global $separator, $pieces;
+
+        $separator = null;
+        $pieces = null;
+
+        return "C";
+    }
+}
+
+$separator = str_repeat(",", 1) . " ";
+$pieces = [new C(), 42];
+
+var_dump(implode($separator, $pieces));
+var_dump($separator, $pieces);
+
+class MutatingSeparator {
+    public function __toString(): string {
+        global $piecesFromSeparator;
+
+        $piecesFromSeparator = null;
+
+        return ", ";
+    }
+}
+
+$piecesFromSeparator = ["A", "B"];
+
+var_dump(implode(new MutatingSeparator(), $piecesFromSeparator));
+var_dump($piecesFromSeparator);
+
+class D {
+    public function __toString(): string {
+        global $oneArgPieces;
+
+        $oneArgPieces = null;
+
+        return "D";
+    }
+}
+
+$oneArgPieces = [new D(), 42];
+
+var_dump(implode($oneArgPieces));
+var_dump($oneArgPieces);
+?>
+--EXPECT--
+string(5) "C, 42"
+NULL
+NULL
+string(4) "A, B"
+NULL
+string(3) "D42"
+NULL
