]> granicus.if.org Git - php/commitdiff
projects / php / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 01c1afa)
Fixed bug #74084 (Out of bound read - zend_mm_alloc_small)
authorXinchen Hui <laruence@gmail.com>
Sun, 12 Feb 2017 12:34:08 +0000 (20:34 +0800)
committerXinchen Hui <laruence@gmail.com>
Sun, 12 Feb 2017 12:34:08 +0000 (20:34 +0800)
NEWS patch | blob | history
Zend/tests/bug74084.phpt [new file with mode: 0644] patch | blob
Zend/zend_operators.c patch | blob | history

diff --git a/NEWS b/NEWS
index 78277acb3d37ae0ee8d0f56d6d2c8b6b72261f1b..cbbc383edf42566eead1650fc7a734e7e3da8d17 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -3,6 +3,7 @@ PHP                                                                        NEWS
 ?? ??? 2017 PHP 7.0.17
 
 - Core:
+  . Fixed bug #74084 (Out of bound read - zend_mm_alloc_small). (Laruence)
   . Fixed bug #73807 (Performance problem with processing large post request).
     (Nikita)
   . Fixed bug #73998 (array_key_exists fails on arrays created by
diff --git a/Zend/tests/bug74084.phpt b/Zend/tests/bug74084.phpt
new file mode 100644 (file)
index 0000000..b27bbb4
--- /dev/null
+++ b/Zend/tests/bug74084.phpt
@@ -0,0 +1,19 @@
+--TEST--
+Bug #74084 (Out of bound read - zend_mm_alloc_small)
+--INI--
+error_reporting=0
+--FILE--
+<?php
+$$A += $$B->a = &$$C; 
+unset($$A);
+$$A -= $$B->a = &$$C; 
+unset($$A);
+$$A *= $$B->a = &$$C; 
+unset($$A);
+$$A /= $$B->a = &$$C; 
+unset($$A);
+$$A **= $$B->a = &$$C; 
+var_dump($$A);
+?>
+--EXPECT--
+int(1)
diff --git a/Zend/zend_operators.c b/Zend/zend_operators.c
index 07e635e495a2c7a8ce95bfb1604c5d0ef686d2e8..3a8929b83f9ffef543890ffc426f903acbf2740b 100644 (file)
--- a/Zend/zend_operators.c
+++ b/Zend/zend_operators.c
@@ -926,8 +926,13 @@ ZEND_API int ZEND_FASTCALL add_function(zval *result, zval *op1, zval *op2) /* {
                                } else if (!converted) {
                                        ZEND_TRY_BINARY_OBJECT_OPERATION(ZEND_ADD, add_function);
 
-                                       zendi_convert_scalar_to_number(op1, op1_copy, result);
-                                       zendi_convert_scalar_to_number(op2, op2_copy, result);
+                                       if (EXPECTED(op1 != op2)) {
+                                               zendi_convert_scalar_to_number(op1, op1_copy, result);
+                                               zendi_convert_scalar_to_number(op2, op2_copy, result);
+                                       } else {
+                                               zendi_convert_scalar_to_number(op1, op1_copy, result);
+                                               op2 = op1;
+                                       }
                                        converted = 1;
                                } else {
                                        zend_throw_error(NULL, "Unsupported operand types");
@@ -979,8 +984,13 @@ ZEND_API int ZEND_FASTCALL sub_function(zval *result, zval *op1, zval *op2) /* {
                                } else if (!converted) {
                                        ZEND_TRY_BINARY_OBJECT_OPERATION(ZEND_SUB, sub_function);
 
-                                       zendi_convert_scalar_to_number(op1, op1_copy, result);
-                                       zendi_convert_scalar_to_number(op2, op2_copy, result);
+                                       if (EXPECTED(op1 != op2)) {
+                                               zendi_convert_scalar_to_number(op1, op1_copy, result);
+                                               zendi_convert_scalar_to_number(op2, op2_copy, result);
+                                       } else {
+                                               zendi_convert_scalar_to_number(op1, op1_copy, result);
+                                               op2 = op1;
+                                       }
                                        converted = 1;
                                } else {
                                        zend_throw_error(NULL, "Unsupported operand types");
@@ -1026,8 +1036,13 @@ ZEND_API int ZEND_FASTCALL mul_function(zval *result, zval *op1, zval *op2) /* {
                                } else if (!converted) {
                                        ZEND_TRY_BINARY_OBJECT_OPERATION(ZEND_MUL, mul_function);
 
-                                       zendi_convert_scalar_to_number(op1, op1_copy, result);
-                                       zendi_convert_scalar_to_number(op2, op2_copy, result);
+                                       if (EXPECTED(op1 != op2)) {
+                                               zendi_convert_scalar_to_number(op1, op1_copy, result);
+                                               zendi_convert_scalar_to_number(op2, op2_copy, result);
+                                       } else {
+                                               zendi_convert_scalar_to_number(op1, op1_copy, result);
+                                               op2 = op1;
+                                       }
                                        converted = 1;
                                } else {
                                        zend_throw_error(NULL, "Unsupported operand types");
@@ -1104,17 +1119,27 @@ ZEND_API int ZEND_FASTCALL pow_function(zval *result, zval *op1, zval *op2) /* {
                                } else if (!converted) {
                                        ZEND_TRY_BINARY_OBJECT_OPERATION(ZEND_POW, pow_function);
 
-                                       if (Z_TYPE_P(op1) == IS_ARRAY) {
-                                               ZVAL_LONG(result, 0);
-                                               return SUCCESS;
-                                       } else {
-                                               zendi_convert_scalar_to_number(op1, op1_copy, result);
-                                       }
-                                       if (Z_TYPE_P(op2) == IS_ARRAY) {
-                                               ZVAL_LONG(result, 1L);
-                                               return SUCCESS;
+                                       if (EXPECTED(op1 != op2)) {
+                                               if (Z_TYPE_P(op1) == IS_ARRAY) {
+                                                       ZVAL_LONG(result, 0);
+                                                       return SUCCESS;
+                                               } else {
+                                                       zendi_convert_scalar_to_number(op1, op1_copy, result);
+                                               }
+                                               if (Z_TYPE_P(op2) == IS_ARRAY) {
+                                                       ZVAL_LONG(result, 1L);
+                                                       return SUCCESS;
+                                               } else {
+                                                       zendi_convert_scalar_to_number(op2, op2_copy, result);
+                                               }
                                        } else {
-                                               zendi_convert_scalar_to_number(op2, op2_copy, result);
+                                               if (Z_TYPE_P(op1) == IS_ARRAY) {
+                                                       ZVAL_LONG(result, 0);
+                                                       return SUCCESS;
+                                               } else {
+                                                       zendi_convert_scalar_to_number(op1, op1_copy, result);
+                                               }
+                                               op2 = op1;
                                        }
                                        converted = 1;
                                } else {
@@ -1178,9 +1203,13 @@ ZEND_API int ZEND_FASTCALL div_function(zval *result, zval *op1, zval *op2) /* {
                                        op2 = Z_REFVAL_P(op2);
                                } else if (!converted) {
                                        ZEND_TRY_BINARY_OBJECT_OPERATION(ZEND_DIV, div_function);
-
-                                       zendi_convert_scalar_to_number(op1, op1_copy, result);
-                                       zendi_convert_scalar_to_number(op2, op2_copy, result);
+                                       if (EXPECTED(op1 != op2)) {
+                                               zendi_convert_scalar_to_number(op1, op1_copy, result);
+                                               zendi_convert_scalar_to_number(op2, op2_copy, result);
+                                       } else {
+                                               zendi_convert_scalar_to_number(op1, op1_copy, result);
+                                               op2 = op1;
+                                       }
                                        converted = 1;
                                } else {
                                        zend_throw_error(NULL, "Unsupported operand types");
Unnamed repository; edit this file 'description' to name the repository.