Allow pointer to end of memory in IS_UNSERIALIZED()

We already use <= for IS_SERIALIZED(), but the same general
problem can also occur for IS_UNSERIALIZED(). We don't seem to
hit this in practice prior to GH-5595 though.

diff --git a/ext/opcache/zend_file_cache.c b/ext/opcache/zend_file_cache.c
index 79487978647fc139b7478cf80f936d285712d5a0..d89c462df58cb248cca040e42b1fadc291d5ba2c 100644 (file)
--- a/ext/opcache/zend_file_cache.c
+++ b/ext/opcache/zend_file_cache.c
@@ -113,11 +113,13 @@ static int zend_file_cache_flock(int fd, int type)
 #define IS_SERIALIZED_INTERNED(ptr) \
        ((size_t)(ptr) & Z_UL(1))
 
-/* Allowing == here to account for a potential empty allocation at the end of the memory */
+/* Allowing == on the upper bound accounts for a potential empty allocation at the end of the
+ * memory region. This can also happen for a return-type-only arg_info, where &arg_info[1] is
+ * stored, which may point to the end of the region. */
 #define IS_SERIALIZED(ptr) \
        ((char*)(ptr) <= (char*)script->size)
 #define IS_UNSERIALIZED(ptr) \
-       (((char*)(ptr) >= (char*)script->mem && (char*)(ptr) < (char*)script->mem + script->size) || \
+       (((char*)(ptr) >= (char*)script->mem && (char*)(ptr) <= (char*)script->mem + script->size) || \
         IS_ACCEL_INTERNED(ptr))
 #define SERIALIZE_PTR(ptr) do { \
                if (ptr) { \