archive/php-src
1
0
Fork 0
mirror of https://github.com/php/php-src.git synced 2025-08-15 21:48:51 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

Merge branch 'PHP-8.0'

Browse source 
* PHP-8.0:
  Fix use after free on compound division by zero
This commit is contained in:
Nikita Popov 2021-07-07 09:38:57 +02:00
commit ce3846cd87
2 changed files with 22 additions and 6 deletions
Download patch file Download diff file Expand all files Collapse all files

16
Zend/tests/div_by_zero_compound_refcounted.phpt Normal file
View file

@ -0,0 +1,16 @@
--TEST--
Division by zero in compound assignment with refcounted operand
--FILE--
<?php
$h = "1";
$h .= "2";
try {
$h /= 0;
} catch (DivisionByZeroError $e) {
echo $e->getMessage(), "\n";
}
var_dump($h);
?>
--EXPECT--
Division by zero
string(2) "12"

8
Zend/zend_operators.c
View file

@ -1358,7 +1358,7 @@ ZEND_API zend_result ZEND_FASTCALL div_function(zval *result, zval *op1, zval *o
ZEND_TRY_BINARY_OBJECT_OPERATION(ZEND_DIV);
zval op1_copy, op2_copy;
zval result_copy, op1_copy, op2_copy;
if (UNEXPECTED(zendi_try_convert_scalar_to_number(op1, &op1_copy) == FAILURE)
|| UNEXPECTED(zendi_try_convert_scalar_to_number(op2, &op2_copy) == FAILURE)) {
zend_binop_error("/", op1, op2);
@ -1368,12 +1368,12 @@ ZEND_API zend_result ZEND_FASTCALL div_function(zval *result, zval *op1, zval *o
return FAILURE;
}
retval = div_function_base(&result_copy, &op1_copy, &op2_copy);
if (retval == SUCCESS) {
if (result == op1) {
zval_ptr_dtor(result);
}
retval = div_function_base(result, &op1_copy, &op2_copy);
if (retval == SUCCESS) {
ZVAL_COPY_VALUE(result, &result_copy);
return SUCCESS;
}