From: Xinchen Hui <laruence@gmail.com>
Date: Sun, 12 Feb 2017 12:34:08 +0000 (+0800)
Subject: Fixed bug #74084 (Out of bound read - zend_mm_alloc_small)
X-Git-Tag: php-7.0.17RC1~28
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=26fdebc63b642417820017e550d46c1b1f773504;p=php

Fixed bug #74084 (Out of bound read - zend_mm_alloc_small)
---

diff --git a/NEWS b/NEWS
index 78277acb3d..cbbc383edf 100644
--- a/NEWS
+++ b/NEWS
@@ -3,6 +3,7 @@ PHP                                                                        NEWS
 ?? ??? 2017 PHP 7.0.17
 
 - Core:
+  . Fixed bug #74084 (Out of bound read - zend_mm_alloc_small). (Laruence)
   . Fixed bug #73807 (Performance problem with processing large post request).
     (Nikita)
   . Fixed bug #73998 (array_key_exists fails on arrays created by
diff --git a/Zend/tests/bug74084.phpt b/Zend/tests/bug74084.phpt
new file mode 100644
index 0000000000..b27bbb4647
--- /dev/null
+++ b/Zend/tests/bug74084.phpt
@@ -0,0 +1,19 @@
+--TEST--
+Bug #74084 (Out of bound read - zend_mm_alloc_small)
+--INI--
+error_reporting=0
+--FILE--
+<?php
+$$A += $$B->a = &$$C; 
+unset($$A);
+$$A -= $$B->a = &$$C; 
+unset($$A);
+$$A *= $$B->a = &$$C; 
+unset($$A);
+$$A /= $$B->a = &$$C; 
+unset($$A);
+$$A **= $$B->a = &$$C; 
+var_dump($$A);
+?>
+--EXPECT--
+int(1)
diff --git a/Zend/zend_operators.c b/Zend/zend_operators.c
index 07e635e495..3a8929b83f 100644
--- a/Zend/zend_operators.c
+++ b/Zend/zend_operators.c
@@ -926,8 +926,13 @@ ZEND_API int ZEND_FASTCALL add_function(zval *result, zval *op1, zval *op2) /* {
 				} else if (!converted) {
 					ZEND_TRY_BINARY_OBJECT_OPERATION(ZEND_ADD, add_function);
 
-					zendi_convert_scalar_to_number(op1, op1_copy, result);
-					zendi_convert_scalar_to_number(op2, op2_copy, result);
+					if (EXPECTED(op1 != op2)) {
+						zendi_convert_scalar_to_number(op1, op1_copy, result);
+						zendi_convert_scalar_to_number(op2, op2_copy, result);
+					} else {
+						zendi_convert_scalar_to_number(op1, op1_copy, result);
+						op2 = op1;
+					}
 					converted = 1;
 				} else {
 					zend_throw_error(NULL, "Unsupported operand types");
@@ -979,8 +984,13 @@ ZEND_API int ZEND_FASTCALL sub_function(zval *result, zval *op1, zval *op2) /* {
 				} else if (!converted) {
 					ZEND_TRY_BINARY_OBJECT_OPERATION(ZEND_SUB, sub_function);
 
-					zendi_convert_scalar_to_number(op1, op1_copy, result);
-					zendi_convert_scalar_to_number(op2, op2_copy, result);
+					if (EXPECTED(op1 != op2)) {
+						zendi_convert_scalar_to_number(op1, op1_copy, result);
+						zendi_convert_scalar_to_number(op2, op2_copy, result);
+					} else {
+						zendi_convert_scalar_to_number(op1, op1_copy, result);
+						op2 = op1;
+					}
 					converted = 1;
 				} else {
 					zend_throw_error(NULL, "Unsupported operand types");
@@ -1026,8 +1036,13 @@ ZEND_API int ZEND_FASTCALL mul_function(zval *result, zval *op1, zval *op2) /* {
 				} else if (!converted) {
 					ZEND_TRY_BINARY_OBJECT_OPERATION(ZEND_MUL, mul_function);
 
-					zendi_convert_scalar_to_number(op1, op1_copy, result);
-					zendi_convert_scalar_to_number(op2, op2_copy, result);
+					if (EXPECTED(op1 != op2)) {
+						zendi_convert_scalar_to_number(op1, op1_copy, result);
+						zendi_convert_scalar_to_number(op2, op2_copy, result);
+					} else {
+						zendi_convert_scalar_to_number(op1, op1_copy, result);
+						op2 = op1;
+					}
 					converted = 1;
 				} else {
 					zend_throw_error(NULL, "Unsupported operand types");
@@ -1104,17 +1119,27 @@ ZEND_API int ZEND_FASTCALL pow_function(zval *result, zval *op1, zval *op2) /* {
 				} else if (!converted) {
 					ZEND_TRY_BINARY_OBJECT_OPERATION(ZEND_POW, pow_function);
 
-					if (Z_TYPE_P(op1) == IS_ARRAY) {
-						ZVAL_LONG(result, 0);
-						return SUCCESS;
-					} else {
-						zendi_convert_scalar_to_number(op1, op1_copy, result);
-					}
-					if (Z_TYPE_P(op2) == IS_ARRAY) {
-						ZVAL_LONG(result, 1L);
-						return SUCCESS;
+					if (EXPECTED(op1 != op2)) {
+						if (Z_TYPE_P(op1) == IS_ARRAY) {
+							ZVAL_LONG(result, 0);
+							return SUCCESS;
+						} else {
+							zendi_convert_scalar_to_number(op1, op1_copy, result);
+						}
+						if (Z_TYPE_P(op2) == IS_ARRAY) {
+							ZVAL_LONG(result, 1L);
+							return SUCCESS;
+						} else {
+							zendi_convert_scalar_to_number(op2, op2_copy, result);
+						}
 					} else {
-						zendi_convert_scalar_to_number(op2, op2_copy, result);
+						if (Z_TYPE_P(op1) == IS_ARRAY) {
+							ZVAL_LONG(result, 0);
+							return SUCCESS;
+						} else {
+							zendi_convert_scalar_to_number(op1, op1_copy, result);
+						}
+						op2 = op1;
 					}
 					converted = 1;
 				} else {
@@ -1178,9 +1203,13 @@ ZEND_API int ZEND_FASTCALL div_function(zval *result, zval *op1, zval *op2) /* {
 					op2 = Z_REFVAL_P(op2);
 				} else if (!converted) {
 					ZEND_TRY_BINARY_OBJECT_OPERATION(ZEND_DIV, div_function);
-
-					zendi_convert_scalar_to_number(op1, op1_copy, result);
-					zendi_convert_scalar_to_number(op2, op2_copy, result);
+					if (EXPECTED(op1 != op2)) {
+						zendi_convert_scalar_to_number(op1, op1_copy, result);
+						zendi_convert_scalar_to_number(op2, op2_copy, result);
+					} else {
+						zendi_convert_scalar_to_number(op1, op1_copy, result);
+						op2 = op1;
+					}
 					converted = 1;
 				} else {
 					zend_throw_error(NULL, "Unsupported operand types");