From: Nikita Popov
Date: Fri, 5 Aug 2016 17:51:51 +0000 (+0200)
Subject: Fix bug #72767
X-Git-Tag: php-7.1.0beta3~104^2
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=807e81937b290ddb71152196aae3bbaca9a53c7e;p=php

Fix bug #72767

The page size calculation did not account for the size of the stack header (or rather it did account for it, but in the wrong direction...)
---
diff --git a/NEWS b/NEWS
index 7a82e02c52..623f31e200 100644
--- a/NEWS
+++ b/NEWS
@@ -2,6 +2,10 @@ PHP NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 ?? ??? 2016 PHP 7.0.11
 
+- Core:
+  . Fixed bug #72767 (PHP Segfaults when trying to expand an infinite operator).
+    (Nikita)
+
 - GD:
   . Fixed bug #72709 (imagesetstyle() causes OOB read for empty $styles).
     (cmb)
diff --git a/Zend/tests/bug72767.phpt b/Zend/tests/bug72767.phpt
new file mode 100644
index 0000000000..20b559b2a1
--- /dev/null
+++ b/Zend/tests/bug72767.phpt
@@ -0,0 +1,16 @@
+--TEST--
+Bug #72767: PHP Segfaults when trying to expand an infinite operator
+--FILE--
+
+===DONE===
+--EXPECT--
+===DONE===
diff --git a/Zend/zend_execute.c b/Zend/zend_execute.c
index af90b442f0..a7df948da2 100644
--- a/Zend/zend_execute.c
+++ b/Zend/zend_execute.c
@@ -145,7 +145,8 @@ static const zend_internal_function zend_pass_function = {
 	((ZEND_VM_STACK_PAGE_SLOTS(gen) - ZEND_VM_STACK_HEADER_SLOTS) * sizeof(zval))
 
 #define ZEND_VM_STACK_PAGE_ALIGNED_SIZE(gen, size) \
-	(((size) + (ZEND_VM_STACK_FREE_PAGE_SIZE(gen) - 1)) & ~(ZEND_VM_STACK_PAGE_SIZE(gen) - 1))
+	(((size) + ZEND_VM_STACK_HEADER_SLOTS * sizeof(zval) \
+		+ (ZEND_VM_STACK_PAGE_SIZE(gen) - 1)) & ~(ZEND_VM_STACK_PAGE_SIZE(gen) - 1))
 
 static zend_always_inline zend_vm_stack zend_vm_stack_new_page(size_t size, zend_vm_stack prev) {
 	zend_vm_stack page = (zend_vm_stack)emalloc(size);
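Review bot: The corrected `ZEND_VM_STACK_PAGE_ALIGNED_SIZE` macro in the zend_execute.c hunk states neither its contract nor the assumption that `ZEND_VM_STACK_PAGE_SIZE(gen)` is a power of two, which the `& ~(ZEND_VM_STACK_PAGE_SIZE(gen) - 1)` mask silently requires; the previous definition had exactly this kind of unstated arithmetic and rounded in the wrong direction, so a comment above the `#define` is worth the line: `/* Smallest multiple of the page size that holds `size` bytes of frame data plus the page header; page size must be a power of two. */`. The header-size term `ZEND_VM_STACK_HEADER_SLOTS * sizeof(zval)` now appears both in this macro and in the `ZEND_VM_STACK_FREE_PAGE_SIZE` expression on the context line above it, so a small named macro for the header byte count would keep the two from drifting apart again. Given that the old rounding let a frame larger than the free page area be placed in an undersized allocation (the segfault in the bug title), it would be reasonable for the test to also cover the generator page size, since `gen` selects a different page size and the same rounding applies; this is inferred from the macro parameter only, as the page-size definitions are outside the hunk.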