From 86ef8d54664553d6df2ac4c442dd0ceeff3e1c5a Mon Sep 17 00:00:00 2001
From: Niels Dossche <7771979+nielsdos@users.noreply.github.com>
Date: Fri, 30 Aug 2024 20:06:58 +0200
Subject: [PATCH] Fix GH-15661: Access null pointer in Zend/Optimizer/zend_inference.c

Closes GH-15666.
---
 NEWS                               | 4 ++++
 Zend/Optimizer/zend_inference.c    | 2 +-
 ext/opcache/tests/jit/gh15666.phpt | 21 +++++++++++++++++++++
 3 files changed, 26 insertions(+), 1 deletion(-)
 create mode 100644 ext/opcache/tests/jit/gh15666.phpt

diff --git a/NEWS b/NEWS
index 603d71ff855..e534d3efcd8 100644
--- a/NEWS
+++ b/NEWS
@@ -30,6 +30,10 @@ PHP NEWS
   . Fixed bug GH-15432 (Heap corruption when querying a vector). (cmb,
     Kamil Tekiela)
 
+- Opcache:
+  . Fixed bug GH-15661 (Access null pointer in
+    Zend/Optimizer/zend_inference.c). (nielsdos)
+
 - Standard:
   . Fixed bug GH-15552 (Signed integer overflow in ext/standard/scanf.c).
     (cmb)

diff --git a/Zend/Optimizer/zend_inference.c b/Zend/Optimizer/zend_inference.c
index 600719cc6ce..322c10e6eeb 100644
--- a/Zend/Optimizer/zend_inference.c
+++ b/Zend/Optimizer/zend_inference.c
@@ -4910,7 +4910,7 @@ ZEND_API bool zend_may_throw_ex(const zend_op *opline, const zend_ssa_op *ssa_op
 			return 0;
 		case ZEND_BIND_GLOBAL:
 			if ((opline+1)->opcode == ZEND_BIND_GLOBAL) {
-				return zend_may_throw(opline + 1, ssa_op + 1, op_array, ssa);
+				return zend_may_throw(opline + 1, ssa_op ? ssa_op + 1 : NULL, op_array, ssa);
 			}
 			return 0;
 		case ZEND_ADD:

diff --git a/ext/opcache/tests/jit/gh15666.phpt b/ext/opcache/tests/jit/gh15666.phpt
new file mode 100644
index 00000000000..090003e055a
--- /dev/null
+++ b/ext/opcache/tests/jit/gh15666.phpt
@@ -0,0 +1,21 @@
+--TEST--
+GH-15661 (Access null pointer in Zend/Optimizer/zend_inference.c)
+--EXTENSIONS--
+opcache
+--INI--
+opcache.jit=1201
+opcache.jit_buffer_size=64M
+--FILE--
+--EXPECT--
+Done
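Review bot: The new guard `ssa_op ? ssa_op + 1 : NULL` makes the recursive zend_may_throw() call in the ZEND_BIND_GLOBAL case tolerate a NULL ssa_op, but nothing in the hunk records that ssa_op may legitimately be NULL here, so the next reader of this case (or of the other opcodes in the same switch that read ssa_op) cannot tell whether NULL is an expected input or a bug being papered over. A one-line comment above the `if` would pin the contract, e.g. `/* ssa_op may be NULL when no SSA info is available (GH-15661); the lookahead op then has no ssa_op either. */`. It is also worth checking whether any other case in this switch derives a pointer from `ssa_op + k` for a lookahead opline, since those would need the same treatment; that cannot be confirmed from this hunk. zend_may_throw_ex begins and ends outside the hunk.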