archive/php-src
1
0
Fork 0
mirror of https://github.com/php/php-src.git synced 2025-08-16 22:18:50 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

Fixed crash in ZEND_ASSIGN_DIM_OP because of array cloberring by user error handler

Browse source 
Fixes oss-fuzz #36214
This commit is contained in:
Dmitry Stogov 2021-11-30 23:33:34 +03:00
parent 2fb7b6e3e9
commit b594a95a2f
2 changed files with 80 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

29
Zend/zend_execute.c
View file

@ -2214,10 +2214,37 @@ static zend_never_inline zend_uchar slow_index_convert(HashTable *ht, const zval
value->str = ZSTR_EMPTY_ALLOC(); value->str = ZSTR_EMPTY_ALLOC();
return IS_STRING; return IS_STRING;
case IS_DOUBLE: case IS_DOUBLE:
value->lval = zend_dval_to_lval_safe(Z_DVAL_P(dim)); value->lval = zend_dval_to_lval(Z_DVAL_P(dim));
if (!zend_is_long_compatible(Z_DVAL_P(dim), value->lval)) {
/* The array may be destroyed while throwing the notice.
* Temporarily increase the refcount to detect this situation. */
if (!(GC_FLAGS(ht) & IS_ARRAY_IMMUTABLE)) {
GC_ADDREF(ht);
}
zend_incompatible_double_to_long_error(Z_DVAL_P(dim));
if (!(GC_FLAGS(ht) & IS_ARRAY_IMMUTABLE) && !GC_DELREF(ht)) {
zend_array_destroy(ht);
return IS_NULL;
}
if (EG(exception)) {
return IS_NULL;
}
}
return IS_LONG; return IS_LONG;
case IS_RESOURCE: case IS_RESOURCE:
/* The array may be destroyed while throwing the notice.
* Temporarily increase the refcount to detect this situation. */
if (!(GC_FLAGS(ht) & IS_ARRAY_IMMUTABLE)) {
GC_ADDREF(ht);
}
zend_use_resource_as_offset(dim); zend_use_resource_as_offset(dim);
if (!(GC_FLAGS(ht) & IS_ARRAY_IMMUTABLE) && !GC_DELREF(ht)) {
zend_array_destroy(ht);
return IS_NULL;
}
if (EG(exception)) {
return IS_NULL;
}
value->lval = Z_RES_HANDLE_P(dim); value->lval = Z_RES_HANDLE_P(dim);
return IS_LONG; return IS_LONG;
case IS_FALSE: case IS_FALSE:

53
ext/opcache/jit/zend_jit_helpers.c
View file

@ -602,10 +602,61 @@ static zval* ZEND_FASTCALL zend_jit_fetch_dim_rw_helper(zend_array *ht, zval *di
offset_key = ZSTR_EMPTY_ALLOC(); offset_key = ZSTR_EMPTY_ALLOC();
goto str_index; goto str_index;
case IS_DOUBLE: case IS_DOUBLE:
hval = zend_dval_to_lval_safe(Z_DVAL_P(dim)); hval = zend_dval_to_lval(Z_DVAL_P(dim));
if (!zend_is_long_compatible(Z_DVAL_P(dim), hval)) {
/* The array may be destroyed while throwing the notice.
* Temporarily increase the refcount to detect this situation. */
if (!(GC_FLAGS(ht) & IS_ARRAY_IMMUTABLE)) {
GC_ADDREF(ht);
}
execute_data = EG(current_execute_data);
opline = EX(opline);
zend_incompatible_double_to_long_error(Z_DVAL_P(dim));
if (!(GC_FLAGS(ht) & IS_ARRAY_IMMUTABLE) && !GC_DELREF(ht)) {
zend_array_destroy(ht);
if (opline->result_type & (IS_VAR | IS_TMP_VAR)) {
if (EG(exception)) {
ZVAL_UNDEF(EX_VAR(opline->result.var));
} else {
ZVAL_NULL(EX_VAR(opline->result.var));
}
}
return NULL;
}
if (EG(exception)) {
if (opline->result_type & (IS_VAR | IS_TMP_VAR)) {
ZVAL_UNDEF(EX_VAR(opline->result.var));
}
return NULL;
}
}
goto num_index; goto num_index;
case IS_RESOURCE: case IS_RESOURCE:
/* The array may be destroyed while throwing the notice.
* Temporarily increase the refcount to detect this situation. */
if (!(GC_FLAGS(ht) & IS_ARRAY_IMMUTABLE)) {
GC_ADDREF(ht);
}
execute_data = EG(current_execute_data);
opline = EX(opline);
zend_use_resource_as_offset(dim); zend_use_resource_as_offset(dim);
if (!(GC_FLAGS(ht) & IS_ARRAY_IMMUTABLE) && !GC_DELREF(ht)) {
zend_array_destroy(ht);
if (opline->result_type & (IS_VAR | IS_TMP_VAR)) {
if (EG(exception)) {
ZVAL_UNDEF(EX_VAR(opline->result.var));
} else {
ZVAL_NULL(EX_VAR(opline->result.var));
}
}
return NULL;
}
if (EG(exception)) {
if (opline->result_type & (IS_VAR | IS_TMP_VAR)) {
ZVAL_UNDEF(EX_VAR(opline->result.var));
}
return NULL;
}
hval = Z_RES_HANDLE_P(dim); hval = Z_RES_HANDLE_P(dim);
goto num_index; goto num_index;
case IS_FALSE: case IS_FALSE: