From: Dmitry Stogov Date: Tue, 12 Feb 2019 08:21:09 +0000 (+0300) Subject: Fixed possible crash X-Git-Tag: php-7.4.0alpha1~1072^2~9 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=7d4de1a77e6d2f96232a68005cdee4866e3eeb58;p=php Fixed possible crash
---
diff --git a/ext/ffi/ffi.c b/ext/ffi/ffi.c
index 1a8f866520..e223a52a92 100644
--- a/ext/ffi/ffi.c
+++ b/ext/ffi/ffi.c
@@ -1138,10 +1138,16 @@ static void zend_ffi_cdata_write_dim(zval *object, zval *offset, zval *value) /* {
 zend_ffi_cdata *cdata = (zend_ffi_cdata*)Z_OBJ_P(object);
 zend_ffi_type *type = ZEND_FFI_TYPE(cdata->type);
- zend_long dim = zval_get_long(offset);
+ zend_long dim;
 void *ptr;
 zend_ffi_flags is_const;
+ if (offset == NULL) {
+ zend_throw_error(zend_ffi_exception_ce, "Cannot add next element to object of type FFI\\CData");
+ return;
+ }
+
+ dim = zval_get_long(offset);
 if (EXPECTED(type->kind == ZEND_FFI_TYPE_ARRAY)) {
 if (UNEXPECTED((zend_ulong)(dim) >= (zend_ulong)type->array.length) && (UNEXPECTED(dim < 0) || UNEXPECTED(type->array.length != 0))) {
diff --git a/ext/ffi/tests/042.phpt b/ext/ffi/tests/042.phpt
new file mode 100644
index 0000000000..05450d5727
--- /dev/null
+++ b/ext/ffi/tests/042.phpt
@@ -0,0 +1,16 @@
+--TEST--
+FFI 042: Next array element
+--SKIPIF--
+
+--INI--
+ffi.enable=1
+--FILE--
+
+--EXPECTF--
+Fatal error: Uncaught FFI\Exception: Cannot add next element to object of type FFI\CData in %sext/ffi/tests/042.php:3
+Stack trace:
+#0 {main}
+ thrown in %sext/ffi/tests/042.php on line 3
\ No newline at end of file
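Review bot: The `offset == NULL` guard closes the NULL dereference in `zval_get_long(offset)` for zend_ffi_cdata_write_dim only; the other FFI\CData dimension handlers are not part of this diff, so it should be confirmed that any of them which convert `offset` the same way reject NULL first. The check also has no comment saying when the engine passes a NULL offset. Judging by the error text and the test title ("Next array element"), that is presumably the append form, and I would say so above the check, e.g. `/* offset is NULL for the append form ($cdata[] = ...); CData has no next-element slot */`. The function body continues past the end of the hunk, so the later uses of `dim` could not be reviewed here.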