Fixed bug #78488 (OOB in ZEND_FUNCTION(ffi_trampoline)).

author Dmitry Stogov <dmitry@zend.com>

Wed, 4 Sep 2019 09:13:49 +0000 (12:13 +0300)

committer Dmitry Stogov <dmitry@zend.com>

Wed, 4 Sep 2019 09:13:49 +0000 (12:13 +0300)
author Dmitry Stogov <dmitry@zend.com>
Wed, 4 Sep 2019 09:13:49 +0000 (12:13 +0300)
committer Dmitry Stogov <dmitry@zend.com>
Wed, 4 Sep 2019 09:13:49 +0000 (12:13 +0300)
diff --git a/NEWS b/NEWS

index 3e61cc2ab5c80d0974d3e272b820af68a8cecbd6..1ae2e0397ca2845c9ac1e8b0295875948e0b493a 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -2,6 +2,9 @@ PHP                                                                        NEWS
  |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
  ?? ??? ????, PHP 7.4.0RC2
  
+- FFI:
+  . Fixed bug #78488 (OOB in ZEND_FUNCTION(ffi_trampoline)). (Dmitry)
+
  - Opcache:
    . Add opcache.preload_user INI directive. (Dmitry)
  
diff --git a/ext/ffi/ffi.c b/ext/ffi/ffi.c

index 552d168fd69e2e30fe5fe897676521cdc7995510..81c34071a3932a4eefe056e2cffeea8dae7b0e82 100644 (file)
--- a/ext/ffi/ffi.c
+++ b/ext/ffi/ffi.c
@@ -160,6 +160,9 @@ typedef struct _zend_ffi {
  #define ZEND_FFI_TYPE_MAKE_OWNED(t) \
         ((zend_ffi_type*)(((uintptr_t)(t)) | ZEND_FFI_TYPE_OWNED))
  
+#define ZEND_FFI_SIZEOF_ARG \
+       MAX(FFI_SIZEOF_ARG, sizeof(double))
+
  typedef struct _zend_ffi_cdata {
         zend_object            std;
         zend_ffi_type         *type;
@@ -2614,12 +2617,12 @@ static ZEND_FUNCTION(ffi_trampoline) /* {{{ */
                         arg_types = do_alloca(
                                 sizeof(ffi_type*) * EX_NUM_ARGS(), arg_types_use_heap);
                         arg_values = do_alloca(
-                               (sizeof(void*) + FFI_SIZEOF_ARG) * EX_NUM_ARGS(), arg_values_use_heap);
+                               (sizeof(void*) + ZEND_FFI_SIZEOF_ARG) * EX_NUM_ARGS(), arg_values_use_heap);
                         n = 0;
                         if (type->func.args) {
                                 ZEND_HASH_FOREACH_PTR(type->func.args, arg_type) {
                                         arg_type = ZEND_FFI_TYPE(arg_type);
-                                       arg_values[n] = ((char*)arg_values) + (sizeof(void*) * EX_NUM_ARGS()) + (FFI_SIZEOF_ARG * n);
+                                       arg_values[n] = ((char*)arg_values) + (sizeof(void*) * EX_NUM_ARGS()) + (ZEND_FFI_SIZEOF_ARG * n);
                                         if (zend_ffi_pass_arg(EX_VAR_NUM(n), arg_type, &arg_types[n], arg_values, n, execute_data) != SUCCESS) {
                                                 free_alloca(arg_types, arg_types_use_heap);
                                                 free_alloca(arg_values, arg_values_use_heap);
@@ -2629,7 +2632,7 @@ static ZEND_FUNCTION(ffi_trampoline) /* {{{ */
                                 } ZEND_HASH_FOREACH_END();
                         }
                         for (; n < EX_NUM_ARGS(); n++) {
-                               arg_values[n] = ((char*)arg_values) + (sizeof(void*) * EX_NUM_ARGS()) + (FFI_SIZEOF_ARG * n);
+                               arg_values[n] = ((char*)arg_values) + (sizeof(void*) * EX_NUM_ARGS()) + (ZEND_FFI_SIZEOF_ARG * n);
                                 if (zend_ffi_pass_var_arg(EX_VAR_NUM(n), &arg_types[n], arg_values, n, execute_data) != SUCCESS) {
                                         free_alloca(arg_types, arg_types_use_heap);
                                         free_alloca(arg_values, arg_values_use_heap);
@@ -2659,12 +2662,12 @@ static ZEND_FUNCTION(ffi_trampoline) /* {{{ */
                         arg_types = do_alloca(
                                 (sizeof(ffi_type*) + sizeof(ffi_type)) * EX_NUM_ARGS(), arg_types_use_heap);
                         arg_values = do_alloca(
-                               (sizeof(void*) + FFI_SIZEOF_ARG) * EX_NUM_ARGS(), arg_values_use_heap);
+                               (sizeof(void*) + ZEND_FFI_SIZEOF_ARG) * EX_NUM_ARGS(), arg_values_use_heap);
                         n = 0;
                         if (type->func.args) {
                                 ZEND_HASH_FOREACH_PTR(type->func.args, arg_type) {
                                         arg_type = ZEND_FFI_TYPE(arg_type);
-                                       arg_values[n] = ((char*)arg_values) + (sizeof(void*) * EX_NUM_ARGS()) + (FFI_SIZEOF_ARG * n);
+                                       arg_values[n] = ((char*)arg_values) + (sizeof(void*) * EX_NUM_ARGS()) + (ZEND_FFI_SIZEOF_ARG * n);
                                         if (zend_ffi_pass_arg(EX_VAR_NUM(n), arg_type, &arg_types[n], arg_values, n, execute_data) != SUCCESS) {
                                                 free_alloca(arg_types, arg_types_use_heap);
                                                 free_alloca(arg_values, arg_values_use_heap);
author	Dmitry Stogov <dmitry@zend.com>
	Wed, 4 Sep 2019 09:13:49 +0000 (12:13 +0300)
committer	Dmitry Stogov <dmitry@zend.com>
	Wed, 4 Sep 2019 09:13:49 +0000 (12:13 +0300)
NEWS		patch \| blob \| history
ext/ffi/ffi.c		patch \| blob \| history