Fix out of bounds read in jit_fetch_obj_read
authorNikita Popov <nikita.ppv@gmail.com>
Mon, 1 Jul 2019 07:53:56 +0000 (09:53 +0200)
committerNikita Popov <nikita.ppv@gmail.com>
Mon, 1 Jul 2019 07:54:21 +0000 (09:54 +0200)
ext/opcache/jit/zend_jit_x86.dasc

index 8ed02ce899a9cd26a8cbb218069620356d7ec0b5..29cd6e22d31b53f9173434914bc436575fea9e12 100644 (file)
@@ -9642,11 +9642,12 @@ static int zend_jit_fetch_obj_read(dasm_State **Dst, zend_op *opline, zend_op_ar
        } else {
                op1_info = OP1_INFO();
                if (ssa->var_info && ssa->ops) {
-                       zend_ssa_var_info *op1_ssa =
-                               ssa->var_info + ssa->ops[opline - op_array->opcodes].op1_use;
-
-                       if (op1_ssa->ce && !op1_ssa->is_instanceof && !op1_ssa->ce->create_object) {
-                               ce = op1_ssa->ce;
+                       zend_ssa_op *ssa_op = &ssa->ops[opline - op_array->opcodes];
+                       if (ssa_op->op1_use >= 0) {
+                               zend_ssa_var_info *op1_ssa = ssa->var_info + ssa_op->op1_use;
+                               if (op1_ssa->ce && !op1_ssa->is_instanceof && !op1_ssa->ce->create_object) {
+                                       ce = op1_ssa->ce;
+                               }
                        }
                }
        }
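Review bot: The new `if (ssa_op->op1_use >= 0)` guard carries no comment explaining why the index can be negative, so the next reader may treat it as a spurious check and drop it; the enclosing zend_jit_fetch_obj_read starts outside the hunk. I'd add above the guard `/* op1_use is negative when op1 has no SSA variable; indexing var_info with it reads out of bounds */` (the -1 convention is inferred from the commit title, not visible here — confirm against zend_ssa_op's definition). Since the same `ssa->var_info + ...op1_use` pattern is likely used at other sites in this file, it would be worth checking those for the same missing sign check rather than fixing only this one.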