From: Nikita Popov Date: Wed, 24 Feb 2021 10:45:25 +0000 (+0100) Subject: Allow pointer to end of memory in IS_UNSERIALIZED() X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=23afc62080588f612fa6c5d0ea217564930dab3d;p=php Allow pointer to end of memory in IS_UNSERIALIZED() We already use <= for IS_SERIALIZED(), but the same general problem can also occur for IS_UNSERIALIZED(). We don't seem to hit this in practice prior to GH-5595 though. --- diff --git a/ext/opcache/zend_file_cache.c b/ext/opcache/zend_file_cache.c index 7948797864..d89c462df5 100644 --- a/ext/opcache/zend_file_cache.c +++ b/ext/opcache/zend_file_cache.c @@ -113,11 +113,13 @@ static int zend_file_cache_flock(int fd, int type) #define IS_SERIALIZED_INTERNED(ptr) \ ((size_t)(ptr) & Z_UL(1)) -/* Allowing == here to account for a potential empty allocation at the end of the memory */ +/* Allowing == on the upper bound accounts for a potential empty allocation at the end of the + * memory region. This can also happen for a return-type-only arg_info, where &arg_info[1] is + * stored, which may point to the end of the region. */ #define IS_SERIALIZED(ptr) \ ((char*)(ptr) <= (char*)script->size) #define IS_UNSERIALIZED(ptr) \ - (((char*)(ptr) >= (char*)script->mem && (char*)(ptr) < (char*)script->mem + script->size) || \ + (((char*)(ptr) >= (char*)script->mem && (char*)(ptr) <= (char*)script->mem + script->size) || \ IS_ACCEL_INTERNED(ptr)) #define SERIALIZE_PTR(ptr) do { \ if (ptr) { \
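Review bot: the IS_UNSERIALIZED() relaxation from `<` to `<=` carries no comment of its own, while the parallel IS_SERIALIZED() in the same hunk now has a three-line explanation of the empty-allocation / return-type-only arg_info case (`&arg_info[1]` pointing at the end of the region); since both macros guard the same boundary in opposite directions, either place the comment above both macros or add a one-line pointer next to IS_UNSERIALIZED() ("see the note on IS_SERIALIZED above") so a later reader does not tighten the upper bound back to `<`. That comment should also state the trade-off the change makes: a pointer equal to `(char*)script->mem + script->size` is only ever valid as a one-past-the-end address for a zero-size object and must never be dereferenced by callers of the macro, and because the check now admits that exact value it can no longer flag an overrun that lands precisely on the end of the region. Referencing GH-5595 from the commit message in the comment would give the next person the reproduction context.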