authorNikita Popov <nikita.ppv@gmail.com>2017-03-07 13:16:06 +0100
committerNikita Popov <nikita.ppv@gmail.com>2017-03-07 13:16:06 +0100
commit549a30d2cd7756abc5f5116dfebe217098ade5c5 (patch)
tree231be576fc26f12a94cf6c4f01bb0e57ff1133cb
parent648b756f35fdfc1948126ce954a3f7d6bd479ba5 (diff)
Fix out of bounds access in gc_find_additional_buffer()
-rw-r--r--Zend/zend_gc.c9
1 files changed, 6 insertions, 3 deletions
diff --git a/Zend/zend_gc.c b/Zend/zend_gc.c
index 0b9ce8ccc5..badbf34c3d 100644
--- a/Zend/zend_gc.c
+++ b/Zend/zend_gc.c
@@ -275,9 +275,12 @@ static zend_always_inline gc_root_buffer* gc_find_additional_buffer(zend_refcoun
/* We have to check each additional_buffer to find which one holds the ref */
while (additional_buffer) {
- gc_root_buffer *root = additional_buffer->buf + (GC_ADDRESS(GC_INFO(ref)) - GC_ROOT_BUFFER_MAX_ENTRIES);
- if (root->ref == ref) {
- return root;
+ uint32_t idx = GC_ADDRESS(GC_INFO(ref)) - GC_ROOT_BUFFER_MAX_ENTRIES;
+ if (idx < additional_buffer->used) {
+ gc_root_buffer *root = additional_buffer->buf + idx;
+ if (root->ref == ref) {
+ return root;
+ }
}
additional_buffer = additional_buffer->next;
}
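Review bot: The new `idx < additional_buffer->used` check also has to reject a `GC_ADDRESS(GC_INFO(ref))` below `GC_ROOT_BUFFER_MAX_ENTRIES`, and it does so only because the subtraction wraps when stored in `uint32_t idx`. That dependence deserves a comment on the `idx` line, for example `/* wraps to a huge value if the address is below GC_ROOT_BUFFER_MAX_ENTRIES; the bounds check rejects that too */`. `idx` does not depend on `additional_buffer`, so its declaration can move above the `while` loop rather than being recomputed for every buffer in the chain. The function starts and ends outside the hunk, so what is returned when no buffer holds the ref is not visible here. Callers presumably dereference the result, so that path should be checked as well.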