Fix GH-22063: stream filter chain UAF on self-removal during callback

A stream filter struct must stay live while a fops->filter() callback
or chain iteration holds it. A php_user_filter that removes its own
resource inside filter() frees the struct under userfilter_filter
(&thisfilter->abstract deref) and under the three chain-walk sites
(current->next read). Defer pefree via an in_callback counter until
every C-level frame holding the filter releases it.

Closes GH-22063

Author: iliaal

ext/standard/streamsfuncs.c

@@ -1304,11 +1304,23 @@ PHP_FUNCTION(stream_filter_remove)
 		RETURN_THROWS();
 	}
 
-	if (php_stream_filter_flush(filter, 1) == FAILURE) {
+	filter->in_callback++;
+	zend_result flush_result = php_stream_filter_flush(filter, 1);
+	filter->in_callback--;
+
+	if (flush_result == FAILURE) {
+		if (filter->deferred_dtor && filter->in_callback == 0) {
+			php_stream_filter_free(filter);
+		}
 		php_error_docref(NULL, E_WARNING, "Unable to flush filter, not removing");
 		RETURN_FALSE;
 	}
 
+	if (filter->deferred_dtor && filter->in_callback == 0) {
+		php_stream_filter_free(filter);
+		RETURN_TRUE;
+	}
+
 	zend_list_close(Z_RES_P(zfilter));
 	php_stream_filter_remove(filter, 1);
 	RETURN_TRUE;

ext/standard/tests/streams/gh22063.phpt

@@ -0,0 +1,57 @@
+--TEST--
+GH-22063 (Stream filter chain UAF via self-removal during callback)
+--FILE--
+<?php
+class SelfRemovingFilter extends php_user_filter {
+    public $stream;
+    public static ?string $key = null;
+    public static bool $on_closing_only = false;
+
+    public function filter($in, $out, &$consumed, $closing): int
+    {
+        while ($bucket = stream_bucket_make_writeable($in)) {
+            $consumed += $bucket->datalen;
+            stream_bucket_append($out, $bucket);
+        }
+        if (self::$key !== null && (!self::$on_closing_only || $closing)) {
+            $res = $GLOBALS[self::$key];
+            self::$key = null;
+            stream_filter_remove($res);
+        }
+        return PSFS_PASS_ON;
+    }
+}
+
+stream_filter_register('self-removing', SelfRemovingFilter::class);
+
+echo "write side: ";
+$f = fopen('php://memory', 'r+');
+SelfRemovingFilter::$key = 'write_res';
+SelfRemovingFilter::$on_closing_only = false;
+$GLOBALS['write_res'] = stream_filter_append($f, 'self-removing', STREAM_FILTER_WRITE);
+fwrite($f, 'hello');
+fwrite($f, ' world');
+rewind($f);
+echo stream_get_contents($f), "\n";
+
+echo "read side: ";
+$f = fopen('php://memory', 'r+');
+fwrite($f, 'abcdefghij');
+rewind($f);
+SelfRemovingFilter::$key = 'read_res';
+SelfRemovingFilter::$on_closing_only = false;
+$GLOBALS['read_res'] = stream_filter_append($f, 'self-removing', STREAM_FILTER_READ);
+echo fread($f, 4), '|', fread($f, 6), "\n";
+
+echo "closing-flush side: ";
+$f = fopen('php://memory', 'r+');
+SelfRemovingFilter::$key = 'close_res';
+SelfRemovingFilter::$on_closing_only = true;
+$GLOBALS['close_res'] = stream_filter_append($f, 'self-removing', STREAM_FILTER_WRITE);
+stream_filter_remove($GLOBALS['close_res']);
+echo "ok\n";
+?>
+--EXPECT--
+write side: hello world
+read side: abcd|efghij
+closing-flush side: ok

main/streams/filter.c

@@ -465,10 +465,17 @@ PHPAPI zend_result _php_stream_filter_flush(php_stream_filter *filter, bool fini
 	chain = filter->chain;
 	stream = chain->stream;
 
-	for(current = filter; current; current = current->next) {
+	php_stream_filter *next_filter;
+	for (current = filter; current; current = next_filter) {
 		php_stream_filter_status_t status;
 
+		next_filter = current->next;
+		current->in_callback++;
 		status = current->fops->filter(stream, current, inp, outp, NULL, flags);
+		current->in_callback--;
+		if (current->deferred_dtor && current->in_callback == 0) {
+			php_stream_filter_free(current);
+		}
 		if (status == PSFS_FEED_ME) {
 			/* We've flushed the data far enough */
 			return SUCCESS;
@@ -550,6 +557,10 @@ PHPAPI php_stream_filter *php_stream_filter_remove(php_stream_filter *filter, bo
 	}
 
 	if (call_dtor) {
+		if (filter->in_callback) {
+			filter->deferred_dtor = true;
+			return NULL;
+		}
 		php_stream_filter_free(filter);
 		return NULL;
 	}

main/streams/php_stream_filter_api.h

@@ -130,6 +130,9 @@ struct _php_stream_filter {
 
 	/* filters are auto_registered when they're applied */
 	zend_resource *res;
+
+	uint32_t in_callback;
+	bool deferred_dtor;
 };
 
 /* stack filter onto a stream */

main/streams/streams.c

@@ -580,8 +580,15 @@ PHPAPI zend_result _php_stream_fill_read_buffer(php_stream *stream, size_t size)
 			}
 
 			/* wind the handle... */
-			for (filter = stream->readfilters.head; filter; filter = filter->next) {
+			php_stream_filter *next_filter;
+			for (filter = stream->readfilters.head; filter; filter = next_filter) {
+				next_filter = filter->next;
+				filter->in_callback++;
 				status = filter->fops->filter(stream, filter, brig_inp, brig_outp, NULL, flags);
+				filter->in_callback--;
+				if (filter->deferred_dtor && filter->in_callback == 0) {
+					php_stream_filter_free(filter);
+				}
 
 				if (status != PSFS_PASS_ON) {
 					break;
@@ -1233,11 +1240,18 @@ static ssize_t _php_stream_write_filtered(php_stream *stream, const char *buf, s
 		php_stream_bucket_append(&brig_in, bucket);
 	}
 
-	for (php_stream_filter *filter = stream->writefilters.head; filter; filter = filter->next) {
+	php_stream_filter *next_filter;
+	for (php_stream_filter *filter = stream->writefilters.head; filter; filter = next_filter) {
+		next_filter = filter->next;
 		/* for our return value, we are interested in the number of bytes consumed from
 		 * the first filter in the chain */
+		filter->in_callback++;
 		status = filter->fops->filter(stream, filter, brig_inp, brig_outp,
 				filter == stream->writefilters.head ? &consumed : NULL, flags);
+		filter->in_callback--;
+		if (filter->deferred_dtor && filter->in_callback == 0) {
+			php_stream_filter_free(filter);
+		}
 
 		if (status != PSFS_PASS_ON) {
 			break;