Fix out of bounds access in gc_find_additional_buffer()
authorNikita Popov <nikita.ppv@gmail.com>
Tue, 7 Mar 2017 12:16:06 +0000 (13:16 +0100)
committerNikita Popov <nikita.ppv@gmail.com>
Tue, 7 Mar 2017 12:16:06 +0000 (13:16 +0100)
Zend/zend_gc.c

index 0b9ce8ccc5b6b1ba094f85d7be6c33738c663f4e..badbf34c3dff7f9fd5758629dd10712639d424ca 100644 (file)
@@ -275,9 +275,12 @@ static zend_always_inline gc_root_buffer* gc_find_additional_buffer(zend_refcoun
 
        /* We have to check each additional_buffer to find which one holds the ref */
        while (additional_buffer) {
-               gc_root_buffer *root = additional_buffer->buf + (GC_ADDRESS(GC_INFO(ref)) - GC_ROOT_BUFFER_MAX_ENTRIES);
-               if (root->ref == ref) {
-                       return root;
+               uint32_t idx = GC_ADDRESS(GC_INFO(ref)) - GC_ROOT_BUFFER_MAX_ENTRIES;
+               if (idx < additional_buffer->used) {
+                       gc_root_buffer *root = additional_buffer->buf + idx;
+                       if (root->ref == ref) {
+                               return root;
+                       }
                }
                additional_buffer = additional_buffer->next;
        }
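Review bot: The index on the new line `uint32_t idx = GC_ADDRESS(GC_INFO(ref)) - GC_ROOT_BUFFER_MAX_ENTRIES;` does not depend on `additional_buffer`, so it is recomputed on every pass of the `while (additional_buffer)` loop; declaring it once above the loop makes the loop-invariant explicit and leaves the body as only the `used` check and the `ref` comparison. The bounds check against `additional_buffer->used` is the right fix, but it reads as arbitrary without a why-comment, since nothing in the loop says why an index that is valid for one buffer can lie past the end of another; a comment such as `/* Each additional buffer has its own 'used' count, so the index may be past the end of this buffer and must be checked before buf[] is read */` above the `if` would carry that. If GC_ADDRESS(GC_INFO(ref)) can ever be below GC_ROOT_BUFFER_MAX_ENTRIES, the unsigned subtraction wraps to a large value that the `used` check then rejects — safe, but silent; presumably callers only reach this function for addresses in the additional-buffer range, and that precondition is worth stating in the same comment. The body of gc_find_additional_buffer starts and ends outside the hunk.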