From 1949a26aaca692840a6f272b45bf1cc155ee4c73 Mon Sep 17 00:00:00 2001
From: Nikita Popov
Date: Thu, 27 Feb 2020 12:53:55 +0100
Subject: [PATCH] Remove more null arithmetic UB

Introduce an EX_NUM_TO_VAR macro to mirror EX_VAR_TO_NUM and replace usages of the ZEND_CALL_VAR_NUM(NULL) pattern.
---
 Zend/zend_compile.h                             | 1 +
 Zend/zend_opcode.c                              | 6 +++---
 ext/opcache/Optimizer/zend_optimizer_internal.h | 2 +-
 ext/opcache/jit/zend_jit_x86.dasc               | 13 ++++++-------
 4 files changed, 11 insertions(+), 11 deletions(-)

diff --git a/Zend/zend_compile.h b/Zend/zend_compile.h
index 97ce2b9415..319ef51bcb 100644
--- a/Zend/zend_compile.h
+++ b/Zend/zend_compile.h
@@ -578,6 +578,7 @@ struct _zend_execute_data {
 #define EX_VAR_NUM(n)          ZEND_CALL_VAR_NUM(execute_data, n)
 
 #define EX_VAR_TO_NUM(n)       ((uint32_t)((n) / sizeof(zval) - ZEND_CALL_FRAME_SLOT))
+#define EX_NUM_TO_VAR(n)       ((uint32_t)((n + ZEND_CALL_FRAME_SLOT) * sizeof(zval)))
 
 #define ZEND_OPLINE_TO_OFFSET(opline, target) \
 	((char*)(target) - (char*)(opline))
diff --git a/Zend/zend_opcode.c b/Zend/zend_opcode.c
index 881626b71e..4ebe92fa95 100644
--- a/Zend/zend_opcode.c
+++ b/Zend/zend_opcode.c
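Review bot: The added `EX_NUM_TO_VAR(n)` leaves its argument unparenthesized in `(n + ZEND_CALL_FRAME_SLOT)`, whereas `EX_VAR_TO_NUM(n)` on the line just above wraps it as `(n)`. Every call site in this patch passes an identifier or a plain `+` sum, so the expansions happen to be right, but an argument containing a lower-precedence operator (a conditional or a comma expression) would bind incorrectly and go unnoticed, and `NUM_VAR(v)` in zend_optimizer_internal.h now forwards to this macro without adding parentheses of its own. Suggest `#define EX_NUM_TO_VAR(n)       ((uint32_t)(((n) + ZEND_CALL_FRAME_SLOT) * sizeof(zval)))`. Note that the `sizeof(zval)` factor makes the multiplication happen in `size_t` before the `uint32_t` narrowing, so a negative `n` would wrap to a large offset rather than being caught; that presumably matches the old pointer-cast form's value, but is worth a one-line comment on the macro if it is relied upon.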
@@ -1035,15 +1035,15 @@ ZEND_API int pass_two(zend_op_array *op_array)
 			if (opline->op1_type == IS_CONST) {
 				ZEND_PASS_TWO_UPDATE_CONSTANT(op_array, opline, opline->op1);
 			} else if (opline->op1_type & (IS_VAR|IS_TMP_VAR)) {
-				opline->op1.var = (uint32_t)(zend_intptr_t)ZEND_CALL_VAR_NUM(NULL, op_array->last_var + opline->op1.var);
+				opline->op1.var = EX_NUM_TO_VAR(op_array->last_var + opline->op1.var);
 			}
 			if (opline->op2_type == IS_CONST) {
 				ZEND_PASS_TWO_UPDATE_CONSTANT(op_array, opline, opline->op2);
 			} else if (opline->op2_type & (IS_VAR|IS_TMP_VAR)) {
-				opline->op2.var = (uint32_t)(zend_intptr_t)ZEND_CALL_VAR_NUM(NULL, op_array->last_var + opline->op2.var);
+				opline->op2.var = EX_NUM_TO_VAR(op_array->last_var + opline->op2.var);
 			}
 			if (opline->result_type & (IS_VAR|IS_TMP_VAR)) {
-				opline->result.var = (uint32_t)(zend_intptr_t)ZEND_CALL_VAR_NUM(NULL, op_array->last_var + opline->result.var);
+				opline->result.var = EX_NUM_TO_VAR(op_array->last_var + opline->result.var);
 			}
 			ZEND_VM_SET_OPCODE_HANDLER(opline);
 			opline++;
diff --git a/ext/opcache/Optimizer/zend_optimizer_internal.h b/ext/opcache/Optimizer/zend_optimizer_internal.h
index 270a85c89a..5207e6cb74 100644
--- a/ext/opcache/Optimizer/zend_optimizer_internal.h
+++ b/ext/opcache/Optimizer/zend_optimizer_internal.h
@@ -31,7 +31,7 @@
 #define ZEND_OP2_JMP_ADDR(opline) OP_JMP_ADDR(opline, (opline)->op2)
 
 #define VAR_NUM(v) EX_VAR_TO_NUM(v)
-#define NUM_VAR(v) ((uint32_t)(zend_uintptr_t)ZEND_CALL_VAR_NUM(0, v))
+#define NUM_VAR(v) EX_NUM_TO_VAR(v)
 
 #define INV_COND(op) ((op) == ZEND_JMPZ ? ZEND_JMPNZ : ZEND_JMPZ)
 #define INV_EX_COND(op) ((op) == ZEND_JMPZ_EX ? ZEND_JMPNZ : ZEND_JMPZ)
diff --git a/ext/opcache/jit/zend_jit_x86.dasc b/ext/opcache/jit/zend_jit_x86.dasc
index 3b6e3b26f5..4140ea81dc 100644
--- a/ext/opcache/jit/zend_jit_x86.dasc
+++ b/ext/opcache/jit/zend_jit_x86.dasc
@@ -2718,7 +2718,7 @@ static int zend_jit_load_reg(dasm_State **Dst, zend_jit_addr src, zend_jit_addr
 static int zend_jit_store_var(dasm_State **Dst, uint32_t info, int var, zend_reg reg)
 {
 	zend_jit_addr src = ZEND_ADDR_REG(reg);
-	zend_jit_addr dst = ZEND_ADDR_MEM_ZVAL(ZREG_FP, (uint32_t)(uintptr_t)ZEND_CALL_VAR_NUM(NULL, var));
+	zend_jit_addr dst = ZEND_ADDR_MEM_ZVAL(ZREG_FP, EX_NUM_TO_VAR(var));
 
 	return zend_jit_spill_store(Dst, src, dst, info, 1);
 }
@@ -2751,7 +2751,7 @@ static int zend_jit_store_var_if_necessary_ex(dasm_State **Dst, int var, zend_ji
 
 static int zend_jit_load_var(dasm_State **Dst, uint32_t info, int var, zend_reg reg)
 {
-	zend_jit_addr src = ZEND_ADDR_MEM_ZVAL(ZREG_FP, (uint32_t)(uintptr_t)ZEND_CALL_VAR_NUM(NULL, var));
+	zend_jit_addr src = ZEND_ADDR_MEM_ZVAL(ZREG_FP, EX_NUM_TO_VAR(var));
 	zend_jit_addr dst = ZEND_ADDR_REG(reg);
 
 	return zend_jit_load_reg(Dst, src, dst, info);
@@ -6971,7 +6971,7 @@ static int zend_jit_do_fcall(dasm_State **Dst, const zend_op *opline, const zend
 
 		if (func) {
 			for (i = call_info->num_args; i < func->op_array.last_var; i++) {
-				uint32_t n = (uint32_t)(uintptr_t)ZEND_CALL_VAR_NUM(NULL, i);
+				uint32_t n = EX_NUM_TO_VAR(i);
 				| SET_Z_TYPE_INFO RX + n, IS_UNDEF
 			}
 		}
@@ -7189,7 +7189,7 @@ static int zend_jit_do_fcall(dasm_State **Dst, const zend_op *opline, const zend
 		| // zend_vm_stack_free_args(call);
 		if (func) {
 			for (i = 0; i < call_info->num_args; i++ ) {
-				uint32_t offset = (uint32_t)(uintptr_t)ZEND_CALL_VAR_NUM(NULL, i);
+				uint32_t offset = EX_NUM_TO_VAR(i);
 				| ZVAL_PTR_DTOR ZEND_ADDR_MEM_ZVAL(ZREG_RX, offset), MAY_BE_ANY|MAY_BE_RC1|MAY_BE_RCN, 0, 1, 0, opline
 			}
 		} else {
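Review bot: `zend_jit_store_var` takes `int var` and passes it straight into `EX_NUM_TO_VAR`, where the `sizeof(zval)` factor converts the signed sum to `size_t`, so a negative `var` would wrap to a huge frame offset and then be narrowed to `uint32_t` instead of failing loudly. The old `ZEND_CALL_VAR_NUM(NULL, var)` form had the same silent behaviour on top of the UB being removed, so this is not a regression, but now that the computation is plain integer arithmetic the precondition is cheap to state. If negative variable numbers cannot reach this function, a `ZEND_ASSERT(var >= 0);` as the first statement of the body would document that; the same applies to `zend_jit_load_var` in the following hunk, whose closing brace lies outside that hunk.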
@@ -7909,8 +7909,7 @@ static int zend_jit_free_compiled_variables(dasm_State **Dst, const zend_op *opl
 
 					const zend_op *opline = op_array->opcodes + ssa->cfg.blocks[j].start + ssa->cfg.blocks[j].len - 1;
 					if (opline->opcode == ZEND_RETURN) {
-						if (opline->op1_type == IS_CV &&
-						    opline->op1.var == (uint32_t)(uintptr_t)(ZEND_CALL_VAR_NUM(NULL, i))) {
+						if (opline->op1_type == IS_CV && opline->op1.var == EX_NUM_TO_VAR(i)) {
 							info |= MAY_BE_RCN;
 							break;
 						}
@@ -7921,7 +7920,7 @@ static int zend_jit_free_compiled_variables(dasm_State **Dst, const zend_op *opl
 #endif
 
 			if (info & (MAY_BE_STRING|MAY_BE_ARRAY|MAY_BE_OBJECT|MAY_BE_RESOURCE|MAY_BE_REF)) {
-				uint32_t offset = (uint32_t)(uintptr_t)ZEND_CALL_VAR_NUM(NULL, i);
+				uint32_t offset = EX_NUM_TO_VAR(i);
 				| ZVAL_PTR_DTOR ZEND_ADDR_MEM_ZVAL(ZREG_FP, offset), info, 1, 1, 0, opline
 			}
 		}
-- 
2.40.0