The page size calculation did not account for the size of the
stack header (or rather it did account for it, but in the wrong
direction: the header size was subtracted from the rounding term
instead of being added to the requested size).
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
?? ??? 2016 PHP 7.0.11
+- Core:
+ . Fixed bug #72767 (PHP Segfaults when trying to expand an infinite operator).
+ (Nikita)
+
- GD:
. Fixed bug #72709 (imagesetstyle() causes OOB read for empty $styles). (cmb)
--- /dev/null
+--TEST--
+Bug #72767: PHP Segfaults when trying to expand an infinite operator
+--FILE--
+<?php
+
+function test() {}
+$iterator = new LimitIterator(
+ new InfiniteIterator(new ArrayIterator([42])),
+ 0, 17000
+);
+test(...$iterator);
+
+?>
+===DONE===
+--EXPECT--
+===DONE===
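Review bot: The test only proves that the spread no longer crashes; nothing checks that all 17000 elements actually reached test(), so a regression that silently truncated or misplaced arguments when the call spills onto a new VM stack page would still pass. Change the callee to `function test() { var_dump(func_num_args()); }` and add `int(17000)` before `===DONE===` in the --EXPECT-- section so the argument count is pinned. It would also help to record why 17000 was chosen — presumably it is just large enough to push the spread past a single VM stack page, which is the boundary the header-size fix in zend_execute.h concerns — with a comment such as `// enough arguments to spill onto a second VM stack page` above the LimitIterator construction.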
((ZEND_VM_STACK_PAGE_SLOTS(gen) - ZEND_VM_STACK_HEADER_SLOTS) * sizeof(zval))
#define ZEND_VM_STACK_PAGE_ALIGNED_SIZE(gen, size) \
- (((size) + (ZEND_VM_STACK_FREE_PAGE_SIZE(gen) - 1)) & ~(ZEND_VM_STACK_PAGE_SIZE(gen) - 1))
+ (((size) + ZEND_VM_STACK_HEADER_SLOTS * sizeof(zval) \
+ + (ZEND_VM_STACK_PAGE_SIZE(gen) - 1)) & ~(ZEND_VM_STACK_PAGE_SIZE(gen) - 1))
static zend_always_inline zend_vm_stack zend_vm_stack_new_page(size_t size, zend_vm_stack prev) {
zend_vm_stack page = (zend_vm_stack)emalloc(size);