From e9cde67d47c2a432035f1d2766217efd00775fd8 Mon Sep 17 00:00:00 2001
From: Dmitry Stogov
Date: Mon, 24 Feb 2014 18:00:24 +0400
Subject: [PATCH] Fixed double free
---
 Zend/zend_vm_def.h | 4 ++-
 Zend/zend_vm_execute.h | 60 +++++++++++++++++++++++++++++++-----------
 2 files changed, 48 insertions(+), 16 deletions(-)
diff --git a/Zend/zend_vm_def.h b/Zend/zend_vm_def.h
index f34a080312..2950134cdd 100644
--- a/Zend/zend_vm_def.h
+++ b/Zend/zend_vm_def.h
@@ -509,7 +509,9 @@ ZEND_VM_HELPER_EX(zend_binary_assign_op_helper, VAR|UNUSED|CV, CONST|TMP|VAR|UNU
 if (opline->extended_value == ZEND_ASSIGN_DIM) {
 FREE_OP(free_op_data1);
- FREE_OP_VAR_PTR(free_op_data2);
+ if (var_ptr != free_op_data2.var) {
+ FREE_OP_VAR_PTR(free_op_data2);
+ }
 FREE_OP1_VAR_PTR();
 CHECK_EXCEPTION();
 ZEND_VM_INC_OPCODE();
diff --git a/Zend/zend_vm_execute.h b/Zend/zend_vm_execute.h
index 06d7092f0c..3269630cda 100644
--- a/Zend/zend_vm_execute.h
+++ b/Zend/zend_vm_execute.h
@@ -13954,7 +13954,9 @@ static int ZEND_FASTCALL zend_binary_assign_op_helper_SPEC_VAR_CONST(int (*binar
 if (opline->extended_value == ZEND_ASSIGN_DIM) {
 FREE_OP(free_op_data1);
- FREE_OP_VAR_PTR(free_op_data2);
+ if (var_ptr != free_op_data2.var) {
+ FREE_OP_VAR_PTR(free_op_data2);
+ }
 if (free_op1.var) {zval_ptr_dtor_nogc(free_op1.var);};
 CHECK_EXCEPTION();
 ZEND_VM_INC_OPCODE();
@@ -16347,7 +16349,9 @@ static int ZEND_FASTCALL zend_binary_assign_op_helper_SPEC_VAR_TMP(int (*binary_
 if (opline->extended_value == ZEND_ASSIGN_DIM) {
 FREE_OP(free_op_data1);
- FREE_OP_VAR_PTR(free_op_data2);
+ if (var_ptr != free_op_data2.var) {
+ FREE_OP_VAR_PTR(free_op_data2);
+ }
 if (free_op1.var) {zval_ptr_dtor_nogc(free_op1.var);};
 CHECK_EXCEPTION();
 ZEND_VM_INC_OPCODE();
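Review bot: The guard added in the ZEND_ASSIGN_DIM branch of zend_binary_assign_op_helper (Zend/zend_vm_def.h) carries no comment on when `var_ptr` aliases `free_op_data2.var`, and the commit ships no regression test; the diffstat lists only the two VM files. A double free in the executor is memory corruption that is potentially reachable from script code, so I would put `/* var_ptr may alias free_op_data2.var; FREE_OP_VAR_PTR would then release it a second time */` above the `if` and add a test for the compound dimension assignment that triggered it, run under a memory checker. Which earlier statement performs the first release is outside the hunk (the helper's body starts and ends beyond it), so the comment wording should be confirmed there. The fifteen zend_binary_assign_op_helper_SPEC_* hunks in Zend/zend_vm_execute.h repeat the same guard, apparently as per-operand specializations of this helper, so the comment is needed only in zend_vm_def.h.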
@@ -18322,7 +18326,9 @@ static int ZEND_FASTCALL zend_binary_assign_op_helper_SPEC_VAR_VAR(int (*binary_
 if (opline->extended_value == ZEND_ASSIGN_DIM) {
 FREE_OP(free_op_data1);
- FREE_OP_VAR_PTR(free_op_data2);
+ if (var_ptr != free_op_data2.var) {
+ FREE_OP_VAR_PTR(free_op_data2);
+ }
 if (free_op1.var) {zval_ptr_dtor_nogc(free_op1.var);};
 CHECK_EXCEPTION();
 ZEND_VM_INC_OPCODE();
@@ -20408,7 +20414,9 @@ static int ZEND_FASTCALL zend_binary_assign_op_helper_SPEC_VAR_UNUSED(int (*bina
 if (opline->extended_value == ZEND_ASSIGN_DIM) {
 FREE_OP(free_op_data1);
- FREE_OP_VAR_PTR(free_op_data2);
+ if (var_ptr != free_op_data2.var) {
+ FREE_OP_VAR_PTR(free_op_data2);
+ }
 if (free_op1.var) {zval_ptr_dtor_nogc(free_op1.var);};
 CHECK_EXCEPTION();
 ZEND_VM_INC_OPCODE();
@@ -21775,7 +21783,9 @@ static int ZEND_FASTCALL zend_binary_assign_op_helper_SPEC_VAR_CV(int (*binary_o
 if (opline->extended_value == ZEND_ASSIGN_DIM) {
 FREE_OP(free_op_data1);
- FREE_OP_VAR_PTR(free_op_data2);
+ if (var_ptr != free_op_data2.var) {
+ FREE_OP_VAR_PTR(free_op_data2);
+ }
 if (free_op1.var) {zval_ptr_dtor_nogc(free_op1.var);};
 CHECK_EXCEPTION();
 ZEND_VM_INC_OPCODE();
@@ -23608,7 +23618,9 @@ static int ZEND_FASTCALL zend_binary_assign_op_helper_SPEC_UNUSED_CONST(int (*bi
 if (opline->extended_value == ZEND_ASSIGN_DIM) {
 FREE_OP(free_op_data1);
- FREE_OP_VAR_PTR(free_op_data2);
+ if (var_ptr != free_op_data2.var) {
+ FREE_OP_VAR_PTR(free_op_data2);
+ }
 CHECK_EXCEPTION();
 ZEND_VM_INC_OPCODE();
@@ -24949,7 +24961,9 @@ static int ZEND_FASTCALL zend_binary_assign_op_helper_SPEC_UNUSED_TMP(int (*bina
 if (opline->extended_value == ZEND_ASSIGN_DIM) {
 FREE_OP(free_op_data1);
- FREE_OP_VAR_PTR(free_op_data2);
+ if (var_ptr != free_op_data2.var) {
+ FREE_OP_VAR_PTR(free_op_data2);
+ }
 CHECK_EXCEPTION();
 ZEND_VM_INC_OPCODE();
@@ -26206,7 +26220,9 @@ static int ZEND_FASTCALL zend_binary_assign_op_helper_SPEC_UNUSED_VAR(int (*bina
 if (opline->extended_value == ZEND_ASSIGN_DIM) {
 FREE_OP(free_op_data1);
- FREE_OP_VAR_PTR(free_op_data2);
+ if (var_ptr != free_op_data2.var) {
+ FREE_OP_VAR_PTR(free_op_data2);
+ }
 CHECK_EXCEPTION();
 ZEND_VM_INC_OPCODE();
@@ -27463,7 +27479,9 @@ static int ZEND_FASTCALL zend_binary_assign_op_helper_SPEC_UNUSED_UNUSED(int (*b
 if (opline->extended_value == ZEND_ASSIGN_DIM) {
 FREE_OP(free_op_data1);
- FREE_OP_VAR_PTR(free_op_data2);
+ if (var_ptr != free_op_data2.var) {
+ FREE_OP_VAR_PTR(free_op_data2);
+ }
 CHECK_EXCEPTION();
 ZEND_VM_INC_OPCODE();
@@ -27862,7 +27880,9 @@ static int ZEND_FASTCALL zend_binary_assign_op_helper_SPEC_UNUSED_CV(int (*binar
 if (opline->extended_value == ZEND_ASSIGN_DIM) {
 FREE_OP(free_op_data1);
- FREE_OP_VAR_PTR(free_op_data2);
+ if (var_ptr != free_op_data2.var) {
+ FREE_OP_VAR_PTR(free_op_data2);
+ }
 CHECK_EXCEPTION();
 ZEND_VM_INC_OPCODE();
@@ -30577,7 +30597,9 @@ static int ZEND_FASTCALL zend_binary_assign_op_helper_SPEC_CV_CONST(int (*binary
 if (opline->extended_value == ZEND_ASSIGN_DIM) {
 FREE_OP(free_op_data1);
- FREE_OP_VAR_PTR(free_op_data2);
+ if (var_ptr != free_op_data2.var) {
+ FREE_OP_VAR_PTR(free_op_data2);
+ }
 CHECK_EXCEPTION();
 ZEND_VM_INC_OPCODE();
@@ -32751,7 +32773,9 @@ static int ZEND_FASTCALL zend_binary_assign_op_helper_SPEC_CV_TMP(int (*binary_o
 if (opline->extended_value == ZEND_ASSIGN_DIM) {
 FREE_OP(free_op_data1);
- FREE_OP_VAR_PTR(free_op_data2);
+ if (var_ptr != free_op_data2.var) {
+ FREE_OP_VAR_PTR(free_op_data2);
+ }
 CHECK_EXCEPTION();
 ZEND_VM_INC_OPCODE();
@@ -34600,7 +34624,9 @@ static int ZEND_FASTCALL zend_binary_assign_op_helper_SPEC_CV_VAR(int (*binary_o
 if (opline->extended_value == ZEND_ASSIGN_DIM) {
 FREE_OP(free_op_data1);
- FREE_OP_VAR_PTR(free_op_data2);
+ if (var_ptr != free_op_data2.var) {
+ FREE_OP_VAR_PTR(free_op_data2);
+ }
 CHECK_EXCEPTION();
 ZEND_VM_INC_OPCODE();
@@ -36560,7 +36586,9 @@ static int ZEND_FASTCALL zend_binary_assign_op_helper_SPEC_CV_UNUSED(int (*binar
 if (opline->extended_value == ZEND_ASSIGN_DIM) {
 FREE_OP(free_op_data1);
- FREE_OP_VAR_PTR(free_op_data2);
+ if (var_ptr != free_op_data2.var) {
+ FREE_OP_VAR_PTR(free_op_data2);
+ }
 CHECK_EXCEPTION();
 ZEND_VM_INC_OPCODE();
@@ -37795,7 +37823,9 @@ static int ZEND_FASTCALL zend_binary_assign_op_helper_SPEC_CV_CV(int (*binary_op
 if (opline->extended_value == ZEND_ASSIGN_DIM) {
 FREE_OP(free_op_data1);
- FREE_OP_VAR_PTR(free_op_data2);
+ if (var_ptr != free_op_data2.var) {
+ FREE_OP_VAR_PTR(free_op_data2);
+ }
 CHECK_EXCEPTION();
 ZEND_VM_INC_OPCODE();
--
2.40.0