Fix zend_jit_undefined_long_key overwriting dim when dim == result
Fixes oss-fuzz #64727 Closes GH-12900
parent
ff22409082
commit
623da03845
3 changed files with 33 additions and 2 deletions
4
NEWS
4
NEWS
|
@ -6,6 +6,10 @@ PHP NEWS
|
|||
. Fix incorrect timeout in built-in web server when using router script and
|
||||
max_input_time. (ilutov)
|
||||
|
||||
- Opcache:
|
||||
. Fixed oss-fuzz #64727 (JIT undefined array key warning may overwrite DIM
|
||||
with NULL when DIM is the same var as result). (ilutov)
|
||||
|
||||
21 Dec 2023, PHP 8.2.14
|
||||
|
||||
- Core:
|
||||
|
|
|
@ -205,7 +205,6 @@ void ZEND_FASTCALL zend_jit_undefined_long_key(EXECUTE_DATA_D)
|
|||
zval *result = EX_VAR(opline->result.var);
|
||||
zval *dim;
|
||||
|
||||
ZVAL_NULL(result);
|
||||
if (opline->op2_type == IS_CONST) {
|
||||
dim = RT_CONSTANT(opline, opline->op2);
|
||||
} else {
|
||||
|
@ -213,6 +212,7 @@ void ZEND_FASTCALL zend_jit_undefined_long_key(EXECUTE_DATA_D)
|
|||
}
|
||||
ZEND_ASSERT(Z_TYPE_P(dim) == IS_LONG);
|
||||
zend_error(E_WARNING, "Undefined array key " ZEND_LONG_FMT, Z_LVAL_P(dim));
|
||||
ZVAL_NULL(result);
|
||||
}
|
||||
|
||||
void ZEND_FASTCALL zend_jit_undefined_string_key(EXECUTE_DATA_D)
|
||||
|
@ -222,7 +222,6 @@ void ZEND_FASTCALL zend_jit_undefined_string_key(EXECUTE_DATA_D)
|
|||
zval *dim;
|
||||
zend_ulong lval;
|
||||
|
||||
ZVAL_NULL(result);
|
||||
if (opline->op2_type == IS_CONST) {
|
||||
dim = RT_CONSTANT(opline, opline->op2);
|
||||
} else {
|
||||
|
@ -234,6 +233,7 @@ void ZEND_FASTCALL zend_jit_undefined_string_key(EXECUTE_DATA_D)
|
|||
} else {
|
||||
zend_error(E_WARNING, "Undefined array key \"%s\"", Z_STRVAL_P(dim));
|
||||
}
|
||||
ZVAL_NULL(result);
|
||||
}
|
||||
|
||||
ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL zend_jit_profile_helper(ZEND_OPCODE_HANDLER_ARGS)
|
||||
|
|
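Review bot: Nothing in `zend_jit_undefined_long_key` or `zend_jit_undefined_string_key` records why `ZVAL_NULL(result);` now has to be the last statement, so the ordering looks arbitrary to the next person who tidies these helpers. Per the NEWS entry the result slot can be the same variable as `dim`, and the warning reads `dim` through `Z_LVAL_P(dim)` / `Z_STRVAL_P(dim)` after the `IS_LONG` assertion; hoisting the initialisation back to the top would bring back a read of a zval whose type has already been overwritten. I would add above each moved line a comment such as `/* result may alias dim: write it only after dim has been read for the warning */`. Both function bodies begin or continue outside the visible hunks, so any other read of `dim` after this point cannot be checked from here.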
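--- a/ext/opcache/tests/jit/oss-fuzz-64727.phpt
+++ b/ext/opcache/tests/jit/oss-fuzz-64727.phpt
@@ -0,0 +1,27 @@
+--TEST--
+oss-fuzz #64727
+--INI--
+opcache.enable_cli=1
+opcache.jit_buffer_size=64M
+opcache.jit=function
+--EXTENSIONS--
+opcache
+--FILE--
+<?php
+function test(){
+$a = null;
+$b = null;
+for($i = 0; $i < 2; $i++){
+$a = $a + $b;
+var_dump($a);
+$a = @[3][$a];
+var_dump($a);
+}
+}
+test();
+?>
+--EXPECT--
+int(0)
+int(3)
+int(3)
+NULL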
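Review bot: The regression test reaches only the integer-key helper, because `$a = @[3][$a];` always indexes with an int, while the commit makes the same reordering in `zend_jit_undefined_string_key` with no case covering it. A second loop that indexes with a non-numeric string held in the variable that also receives the result would pin that path; I have not confirmed that the JIT gives dim and result the same slot for a string key, so the new case should be shown to fail before the fix. The `@` also hides the warning, so `--EXPECT--` never checks the key printed in the message, which is the value the helper reads from `dim`. On a build without assertions the test may therefore pass with the old ordering too, which is worth confirming.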