From 549a30d2cd7756abc5f5116dfebe217098ade5c5 Mon Sep 17 00:00:00 2001
From: Nikita Popov
Date: Tue, 7 Mar 2017 13:16:06 +0100
Subject: [PATCH] Fix out of bounds access in gc_find_additional_buffer()
---
 Zend/zend_gc.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/Zend/zend_gc.c b/Zend/zend_gc.c
index 0b9ce8ccc5b..badbf34c3df 100644
--- a/Zend/zend_gc.c
+++ b/Zend/zend_gc.c
@@ -275,9 +275,12 @@ static zend_always_inline gc_root_buffer* gc_find_additional_buffer(zend_refcoun
 	/* We have to check each additional_buffer to find which one holds the ref */
 	while (additional_buffer) {
-		gc_root_buffer *root = additional_buffer->buf + (GC_ADDRESS(GC_INFO(ref)) - GC_ROOT_BUFFER_MAX_ENTRIES);
-		if (root->ref == ref) {
-			return root;
+		uint32_t idx = GC_ADDRESS(GC_INFO(ref)) - GC_ROOT_BUFFER_MAX_ENTRIES;
+		if (idx < additional_buffer->used) {
+			gc_root_buffer *root = additional_buffer->buf + idx;
+			if (root->ref == ref) {
+				return root;
+			}
 		}
 		additional_buffer = additional_buffer->next;
 	}