From 0055f1e3dc7ec27778d6d3bd22404319b3ceeeca Mon Sep 17 00:00:00 2001
From: "Christoph M. Becker"
Date: Wed, 30 Oct 2019 18:05:10 +0100
Subject: [PATCH] Fix #78761: Zend memory heap corruption with preload and casting

We have to reset `FFI_G(persistent)` back to zero when preloading has finished.
---
 NEWS | 2 ++
 ext/ffi/ffi.c | 1 +
 ext/ffi/tests/bug78761.phpt | 17 +++++++++++++++++
 ext/ffi/tests/bug78761_preload.h | 0
 ext/ffi/tests/bug78761_preload.php | 3 +++
 5 files changed, 23 insertions(+)
 create mode 100644 ext/ffi/tests/bug78761.phpt
 create mode 100644 ext/ffi/tests/bug78761_preload.h
 create mode 100644 ext/ffi/tests/bug78761_preload.php

diff --git a/NEWS b/NEWS
index 17dd4756c1..b63d82438c 100644
--- a/NEWS
+++ b/NEWS
@@ -19,6 +19,8 @@ PHP NEWS
 . Fixed bug #78716 (Function name mangling is wrong for some parameter types). (cmb)
 . Fixed bug #78762 (Failing FFI::cast() may leak memory). (cmb)
+ . Fixed bug #78761 (Zend memory heap corruption with preload and casting).
+ (cmb)
 . Implement FR #78270 (Support __vectorcall convention with FFI). (cmb)
 - FPM:
diff --git a/ext/ffi/ffi.c b/ext/ffi/ffi.c
index 08117cba83..369e6531ac 100644
--- a/ext/ffi/ffi.c
+++ b/ext/ffi/ffi.c
@@ -3340,6 +3340,7 @@ static zend_ffi *zend_ffi_load(const char *filename, zend_bool preload) /* {{{ *
 efree(code);
 FFI_G(symbols) = NULL;
 FFI_G(tags) = NULL;
+ FFI_G(persistent) = 0;
 return ffi;
diff --git a/ext/ffi/tests/bug78761.phpt b/ext/ffi/tests/bug78761.phpt
new file mode 100644
index 0000000000..1db977a841
--- /dev/null
+++ b/ext/ffi/tests/bug78761.phpt
@@ -0,0 +1,17 @@
+--TEST--
+Bug #78761 (Zend memory heap corruption with preload and casting)
+--SKIPIF--
+
+--INI--
+opcache.enable_cli=1
+opcache.preload={PWD}/bug78761_preload.php
+--FILE--
+getMessage(), PHP_EOL;
+}
+?>
+--EXPECT--
+attempt to cast to larger type
diff --git a/ext/ffi/tests/bug78761_preload.h b/ext/ffi/tests/bug78761_preload.h
new file mode 100644
index 0000000000..e69de29bb2
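Review bot: The added `FFI_G(persistent) = 0;` in zend_ffi_load runs only on the success path, alongside the `FFI_G(symbols)`/`FFI_G(tags)` clears; if the function has earlier error exits after the point where preloading set the flag (that part of the function is outside this hunk), those paths would leave `persistent` set and the next request-scoped allocation could again be placed in the wrong heap, which is the same corruption class this commit fixes. It would be worth confirming against the rest of zend_ffi_load and, if such exits exist, moving the reset into a common cleanup label so it runs on every return. A short why-comment would also help, since in isolation the line reads as a stray reset: `/* preloading may have set this; clear it so later allocations are not persistent (bug #78761) */`. zend_ffi_load begins and ends outside the hunk.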
diff --git a/ext/ffi/tests/bug78761_preload.php b/ext/ffi/tests/bug78761_preload.php
new file mode 100644
index 0000000000..207b7c3ec8
--- /dev/null
+++ b/ext/ffi/tests/bug78761_preload.php
@@ -0,0 +1,3 @@
+