Merge branch 'PHP-8.2'

* PHP-8.2: Fix GH-11178: Segmentation fault in spl_array_it_get_current_data (PHP 8.1.18) Fix GH-11175 and GH-11177: Stream socket timeout undefined behaviour Fix GH-9068: Conditional jump or move depends on uninitialised value(s)
2025-08-16 05:58:45 +02:00 · 2023-05-03 19:49:02 +02:00 · 2023-05-03 19:49:02 +02:00 · 001e278549
commit 001e278549
parent ef6bbaa1ec ab3f584a25
4 changed files with 75 additions and 14 deletions
--- a/Zend/zend_string.c
+++ b/Zend/zend_string.c
@ -380,11 +380,28 @@ ZEND_API void zend_interned_strings_switch_storage(bool request)
 # define I_REPLACE_SONAME_FNNAME_ZU(soname, fnname) _vgr00000ZU_ ## soname ## _ ## fnname
 #endif

-ZEND_API bool ZEND_FASTCALL I_REPLACE_SONAME_FNNAME_ZU(NONE,zend_string_equal_val)(const zend_string *s1, const zend_string *s2)
+/* See GH-9068 */
+#if defined(__GNUC__) && (__GNUC__ >= 11 || defined(__clang__)) && __has_attribute(no_caller_saved_registers)
+# define NO_CALLER_SAVED_REGISTERS __attribute__((no_caller_saved_registers))
+# ifndef __clang__
+#  pragma GCC push_options
+#  pragma GCC target ("general-regs-only")
+#  define POP_OPTIONS
+# endif
+#else
+# define NO_CALLER_SAVED_REGISTERS
+#endif
+
+ZEND_API bool ZEND_FASTCALL NO_CALLER_SAVED_REGISTERS I_REPLACE_SONAME_FNNAME_ZU(NONE,zend_string_equal_val)(const zend_string *s1, const zend_string *s2)
 {
 	return !memcmp(ZSTR_VAL(s1), ZSTR_VAL(s2), ZSTR_LEN(s1));
 }

+#ifdef POP_OPTIONS
+# pragma GCC pop_options
+# undef POP_OPTIONS
+#endif
+
 #if defined(__GNUC__) && defined(__i386__)
 ZEND_API bool ZEND_FASTCALL zend_string_equal_val(const zend_string *s1, const zend_string *s2)
 {
--- a/ext/spl/spl_array.c
+++ b/ext/spl/spl_array.c
@ -1000,7 +1000,8 @@ static zval *spl_array_it_get_current_data(zend_object_iterator *iter) /* {{{ */
 		zend_hash_get_current_key_ex(aht, &key, NULL, spl_array_get_pos_ptr(aht, object));
 		zend_class_entry *ce = Z_OBJCE(object->array);
 		zend_property_info *prop_info = zend_get_property_info(ce, key, true);
-		if (ZEND_TYPE_IS_SET(prop_info->type)) {
+		ZEND_ASSERT(prop_info != ZEND_WRONG_PROPERTY_INFO);
+		if (EXPECTED(prop_info != NULL) && ZEND_TYPE_IS_SET(prop_info->type)) {
 			if (prop_info->flags & ZEND_ACC_READONLY) {
 				zend_throw_error(NULL,
 					"Cannot acquire reference to readonly property %s::$%s",
--- a/ext/spl/tests/gh11178.phpt
+++ b/ext/spl/tests/gh11178.phpt
@ -0,0 +1,28 @@
+--TEST--
+GH-11178 (Segmentation fault in spl_array_it_get_current_data (PHP 8.1.18))
+--FILE--
+<?php
+#[AllowDynamicProperties]
+class A implements IteratorAggregate {
+    function __construct() {
+        $this->{'x'} = 1;
+    }
+
+    function getIterator(): Traversable {
+        return new ArrayIterator($this);
+    }
+}
+
+$obj = new A;
+
+foreach ($obj as $k => &$v) {
+    $v = 3;
+}
+
+var_dump($obj);
+?>
+--EXPECT--
+object(A)#1 (1) {
+  ["x"]=>
+  &int(3)
+}
--- a/ext/standard/streamsfuncs.c
+++ b/ext/standard/streamsfuncs.c
@ -33,11 +33,13 @@
 #ifndef PHP_WIN32
 #define php_select(m, r, w, e, t)	select(m, r, w, e, t)
 typedef unsigned long long php_timeout_ull;
+#define PHP_TIMEOUT_ULL_MAX ULLONG_MAX
 #else
 #include "win32/select.h"
 #include "win32/sockets.h"
 #include "win32/console.h"
 typedef unsigned __int64 php_timeout_ull;
+#define PHP_TIMEOUT_ULL_MAX UINT64_MAX
 #endif

 #define GET_CTX_OPT(stream, wrapper, name, val) (PHP_STREAM_CONTEXT(stream) && NULL != (val = php_stream_context_get_option(PHP_STREAM_CONTEXT(stream), wrapper, name)))
@ -134,14 +136,21 @@ PHP_FUNCTION(stream_socket_client)
 	}

 	/* prepare the timeout value for use */
+	struct timeval *tv_pointer;
+	if (timeout < 0.0 || timeout >= (double) PHP_TIMEOUT_ULL_MAX / 1000000.0) {
+		tv_pointer = NULL;
+	} else {
 		conv = (php_timeout_ull) (timeout * 1000000.0);
 #ifdef PHP_WIN32
 		tv.tv_sec = (long)(conv / 1000000);
-	tv.tv_usec =(long)(conv % 1000000);
+		tv.tv_usec = (long)(conv % 1000000);
 #else
 		tv.tv_sec = conv / 1000000;
 		tv.tv_usec = conv % 1000000;
 #endif
+		tv_pointer = &tv;
+	}
+
 	if (zerrno) {
 		ZEND_TRY_ASSIGN_REF_LONG(zerrno, 0);
 	}
@ -152,7 +161,7 @@ PHP_FUNCTION(stream_socket_client)
 	stream = php_stream_xport_create(ZSTR_VAL(host), ZSTR_LEN(host), REPORT_ERRORS,
 			STREAM_XPORT_CLIENT | (flags & PHP_STREAM_CLIENT_CONNECT ? STREAM_XPORT_CONNECT : 0) |
 			(flags & PHP_STREAM_CLIENT_ASYNC_CONNECT ? STREAM_XPORT_CONNECT_ASYNC : 0),
-			hashkey, &tv, context, &errstr, &err);
+			hashkey, tv_pointer, context, &errstr, &err);


 	if (stream == NULL) {
@ -275,6 +284,10 @@ PHP_FUNCTION(stream_socket_accept)
 	php_stream_from_zval(stream, zstream);

 	/* prepare the timeout value for use */
+	struct timeval *tv_pointer;
+	if (timeout < 0.0 || timeout >= (double) PHP_TIMEOUT_ULL_MAX / 1000000.0) {
+		tv_pointer = NULL;
+	} else {
 		conv = (php_timeout_ull) (timeout * 1000000.0);
 #ifdef PHP_WIN32
 		tv.tv_sec = (long)(conv / 1000000);
@ -283,11 +296,13 @@ PHP_FUNCTION(stream_socket_accept)
 		tv.tv_sec = conv / 1000000;
 		tv.tv_usec = conv % 1000000;
 #endif
+		tv_pointer = &tv;
+	}

 	if (0 == php_stream_xport_accept(stream, &clistream,
 				zpeername ? &peername : NULL,
 				NULL, NULL,
-				&tv, &errstr
+				tv_pointer, &errstr
 				) && clistream) {

 		if (peername) {