
Commit 26fdebc

committed
Fixed bug #74084 (Out of bound read - zend_mm_alloc_small)
1 parent 01c1afa commit 26fdebc


3 files changed

+68
-19
lines changed


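--- a/NEWS
+++ b/NEWS
@@ -3,6 +3,7 @@ PHP NEWS
 ?? ??? 2017 PHP 7.0.17
 
 - Core:
+. Fixed bug #74084 (Out of bound read - zend_mm_alloc_small). (Laruence)
 . Fixed bug #73807 (Performance problem with processing large post request).
 (Nikita)
 . Fixed bug #73998 (array_key_exists fails on arrays created by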

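--- a/Zend/tests/bug74084.phpt
+++ b/Zend/tests/bug74084.phpt
@@ -0,0 +1,19 @@
+--TEST--
+Bug #74084 (Out of bound read - zend_mm_alloc_small)
+--INI--
+error_reporting=0
+--FILE--
+<?php
+$$A += $$B->a = &$$C;
+unset($$A);
+$$A -= $$B->a = &$$C;
+unset($$A);
+$$A *= $$B->a = &$$C;
+unset($$A);
+$$A /= $$B->a = &$$C;
+unset($$A);
+$$A **= $$B->a = &$$C;
+var_dump($$A);
+?>
+--EXPECT--
+int(1)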
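Review bot: Only the final statement's value is asserted (`int(1)` from `**=`); the `+=`, `-=`, `*=` and `/=` statements are exercised for not faulting, but their results are never checked, so a regression that changes their value without crashing would still pass. Adding `var_dump($$A);` after each compound assignment and extending `--EXPECT--` accordingly would pin all five operators the fix touches. `error_reporting=0` suppresses the notices for the undefined `$A`, `$B` and `$C`, which is presumably deliberate to keep the expected output stable; a one-line comment in the test stating that intent would save the next reader from wondering whether the silence hides a failure.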

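--- a/Zend/zend_operators.c
+++ b/Zend/zend_operators.c
@@ -926,8 +926,13 @@ ZEND_API int ZEND_FASTCALL add_function(zval *result, zval *op1, zval *op2) /* {
 } else if (!converted) {
 ZEND_TRY_BINARY_OBJECT_OPERATION(ZEND_ADD, add_function);
 
-zendi_convert_scalar_to_number(op1, op1_copy, result);
-zendi_convert_scalar_to_number(op2, op2_copy, result);
+if (EXPECTED(op1 != op2)) {
+zendi_convert_scalar_to_number(op1, op1_copy, result);
+zendi_convert_scalar_to_number(op2, op2_copy, result);
+} else {
+zendi_convert_scalar_to_number(op1, op1_copy, result);
+op2 = op1;
+}
 converted = 1;
 } else {
 zend_throw_error(NULL, "Unsupported operand types");
@@ -979,8 +984,13 @@ ZEND_API int ZEND_FASTCALL sub_function(zval *result, zval *op1, zval *op2) /* {
 } else if (!converted) {
 ZEND_TRY_BINARY_OBJECT_OPERATION(ZEND_SUB, sub_function);
 
-zendi_convert_scalar_to_number(op1, op1_copy, result);
-zendi_convert_scalar_to_number(op2, op2_copy, result);
+if (EXPECTED(op1 != op2)) {
+zendi_convert_scalar_to_number(op1, op1_copy, result);
+zendi_convert_scalar_to_number(op2, op2_copy, result);
+} else {
+zendi_convert_scalar_to_number(op1, op1_copy, result);
+op2 = op1;
+}
 converted = 1;
 } else {
 zend_throw_error(NULL, "Unsupported operand types");
@@ -1026,8 +1036,13 @@ ZEND_API int ZEND_FASTCALL mul_function(zval *result, zval *op1, zval *op2) /* {
 } else if (!converted) {
 ZEND_TRY_BINARY_OBJECT_OPERATION(ZEND_MUL, mul_function);
 
-zendi_convert_scalar_to_number(op1, op1_copy, result);
-zendi_convert_scalar_to_number(op2, op2_copy, result);
+if (EXPECTED(op1 != op2)) {
+zendi_convert_scalar_to_number(op1, op1_copy, result);
+zendi_convert_scalar_to_number(op2, op2_copy, result);
+} else {
+zendi_convert_scalar_to_number(op1, op1_copy, result);
+op2 = op1;
+}
 converted = 1;
 } else {
 zend_throw_error(NULL, "Unsupported operand types");
@@ -1104,17 +1119,27 @@ ZEND_API int ZEND_FASTCALL pow_function(zval *result, zval *op1, zval *op2) /* {
 } else if (!converted) {
 ZEND_TRY_BINARY_OBJECT_OPERATION(ZEND_POW, pow_function);
 
-if (Z_TYPE_P(op1) == IS_ARRAY) {
-ZVAL_LONG(result, 0);
-return SUCCESS;
-} else {
-zendi_convert_scalar_to_number(op1, op1_copy, result);
-}
-if (Z_TYPE_P(op2) == IS_ARRAY) {
-ZVAL_LONG(result, 1L);
-return SUCCESS;
+if (EXPECTED(op1 != op2)) {
+if (Z_TYPE_P(op1) == IS_ARRAY) {
+ZVAL_LONG(result, 0);
+return SUCCESS;
+} else {
+zendi_convert_scalar_to_number(op1, op1_copy, result);
+}
+if (Z_TYPE_P(op2) == IS_ARRAY) {
+ZVAL_LONG(result, 1L);
+return SUCCESS;
+} else {
+zendi_convert_scalar_to_number(op2, op2_copy, result);
+}
 } else {
-zendi_convert_scalar_to_number(op2, op2_copy, result);
+if (Z_TYPE_P(op1) == IS_ARRAY) {
+ZVAL_LONG(result, 0);
+return SUCCESS;
+} else {
+zendi_convert_scalar_to_number(op1, op1_copy, result);
+}
+op2 = op1;
 }
 converted = 1;
 } else {
@@ -1178,9 +1203,13 @@ ZEND_API int ZEND_FASTCALL div_function(zval *result, zval *op1, zval *op2) /* {
 op2 = Z_REFVAL_P(op2);
 } else if (!converted) {
 ZEND_TRY_BINARY_OBJECT_OPERATION(ZEND_DIV, div_function);
-
-zendi_convert_scalar_to_number(op1, op1_copy, result);
-zendi_convert_scalar_to_number(op2, op2_copy, result);
+if (EXPECTED(op1 != op2)) {
+zendi_convert_scalar_to_number(op1, op1_copy, result);
+zendi_convert_scalar_to_number(op2, op2_copy, result);
+} else {
+zendi_convert_scalar_to_number(op1, op1_copy, result);
+op2 = op1;
+}
 converted = 1;
 } else {
 zend_throw_error(NULL, "Unsupported operand types");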
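Review bot: The new `if (EXPECTED(op1 != op2)) { … } else { …; op2 = op1; }` block is pasted verbatim into add_function, sub_function, mul_function and div_function, and again with the array short-circuits interleaved in pow_function, with no comment in any of the five copies saying why the aliasing check exists; the reason lives only in the commit title, and the next operator that converts both operands with two `zendi_convert_scalar_to_number` calls is likely to reintroduce the defect. From the hunks and the new test the intent appears to be that op1 and op2 can point at the same zval (`$$A += $$B->a = &$$C`), so converting op1 in place may release the storage op2 still refers to, which is why the aliased operand is converted once and op2 re-pointed. I would hoist the four identical copies into one helper defined once above add_function and keep the explanatory comment there; pow_function keeps its own branch because of the array checks, but should carry the same comment. Whether mod_function and the bitwise or concatenation operators follow the same two-call pattern cannot be seen on this page and is worth checking against the same test shape. All five enclosing functions start and end outside these hunks.
```c
/* op1 and op2 may alias the same zval (e.g. `$$A += $$B->a = &$$C`):
 * converting op1 in place may free what op2 still points at, so an
 * aliased operand is converted once and op2 is re-pointed at the result. */
#define ZENDI_CONVERT_BOTH_SCALARS_TO_NUMBER(op1, op1_copy, op2, op2_copy, result) \
	do { \
		if (EXPECTED((op1) != (op2))) { \
			zendi_convert_scalar_to_number(op1, op1_copy, result); \
			zendi_convert_scalar_to_number(op2, op2_copy, result); \
		} else { \
			zendi_convert_scalar_to_number(op1, op1_copy, result); \
			(op2) = (op1); \
		} \
	} while (0)

/* … unchanged: add_function up to ZEND_TRY_BINARY_OBJECT_OPERATION(ZEND_ADD, add_function) … */
ZENDI_CONVERT_BOTH_SCALARS_TO_NUMBER(op1, op1_copy, op2, op2_copy, result);
converted = 1;
/* … same one-line call replaces the block in sub_function, mul_function and div_function … */
```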
