iluuu1994
diff --git a/‎Zend/tests/gh18845.phpt
Lines changed: 18 additions & 0 deletions b/‎Zend/tests/gh18845.phpt
Lines changed: 18 additions & 0 deletions
diff --git a/‎Zend/zend_object_handlers.c
Lines changed: 6 additions & 0 deletions b/‎Zend/zend_object_handlers.c
Lines changed: 6 additions & 0 deletions
@@ -0,0 +1,18 @@
+--TEST--
+GH-18845: Use-after-free of object through __isset() and globals
+--FILE--
+<?php
+
+class C {
+    public function __isset($x) {
+        $GLOBALS['c'] = null;
+        return true;
+    }
+}
+
+$c = new C;
+var_dump($c->prop ?? 1);
+
+?>
+--EXPECT--
+int(1)
@@ -905,7 +905,13 @@ ZEND_API zval *zend_std_read_property(zend_object *zobj, zend_string *name, int
 			if (zobj->ce->__get && !((*guard) & IN_GET)) {
 				goto call_getter;
 			}
+
+			bool obj_is_freed = GC_REFCOUNT(zobj) == 1;
 			OBJ_RELEASE(zobj);
+			if (UNEXPECTED(obj_is_freed)) {
+				retval = &EG(uninitialized_zval);
+				goto exit;
+			}
 		} else if (zobj->ce->__get && !((*guard) & IN_GET)) {
 			goto call_getter_addref;
 		}
Original file line number	Diff line number	Diff line change
`@@ -905,7 +905,13 @@ ZEND_API zval zend_std_read_property(zend_object zobj, zend_string *name, int`
`905`	`905`	`if (zobj->ce->__get && !((*guard) & IN_GET)) {`
`906`	`906`	`goto call_getter;`
`907`	`907`	`}`
	`908`	`+`
	`909`	`+ bool obj_is_freed = GC_REFCOUNT(zobj) == 1;`
`908`	`910`	`OBJ_RELEASE(zobj);`
	`911`	`+ if (UNEXPECTED(obj_is_freed)) {`
	`912`	`+ retval = &EG(uninitialized_zval);`
	`913`	`+ goto exit;`
	`914`	`+ }`
`909`	`915`	`} else if (zobj->ce->__get && !((*guard) & IN_GET)) {`
`910`	`916`	`goto call_getter_addref;`
`911`	`917`	`}`