diff options
| author | Dmitry Stogov <dmitry@zend.com> | 2015-12-21 15:57:53 +0300 |
|---|---|---|
| committer | Dmitry Stogov <dmitry@zend.com> | 2015-12-21 15:57:53 +0300 |
| commit | 0402f05ba38ce0fd9a74d16193c668c8b46b55dd (patch) | |
| tree | 8f311cdea4bf3d73abdfe326f59f0fa281542a5e | |
| parent | 53bfb6618d13083b769014cbdcb845f787a7cf28 (diff) | |
| download | php-git-0402f05ba38ce0fd9a74d16193c668c8b46b55dd.tar.gz | |
Fixed possible crash on Zend/tests/bug71154.phpt
| -rw-r--r-- | Zend/zend_hash.c | 24 | ||||
| -rw-r--r-- | Zend/zend_hash.h | 1 | ||||
| -rw-r--r-- | Zend/zend_vm_def.h | 2 | ||||
| -rw-r--r-- | Zend/zend_vm_execute.h | 2 |
4 files changed, 27 insertions, 2 deletions
diff --git a/Zend/zend_hash.c b/Zend/zend_hash.c index 8192221c8e..d570a13446 100644 --- a/Zend/zend_hash.c +++ b/Zend/zend_hash.c @@ -386,6 +386,30 @@ ZEND_API HashPosition ZEND_FASTCALL zend_hash_iterator_pos(uint32_t idx, HashTab return iter->pos; } +ZEND_API HashPosition ZEND_FASTCALL zend_hash_iterator_pos_ex(uint32_t idx, zval *array) +{ + HashTable *ht = Z_ARRVAL_P(array); + HashTableIterator *iter = EG(ht_iterators) + idx; + + ZEND_ASSERT(idx != (uint32_t)-1); + if (iter->pos == HT_INVALID_IDX) { + return HT_INVALID_IDX; + } else if (UNEXPECTED(iter->ht != ht)) { + if (EXPECTED(iter->ht) && EXPECTED(iter->ht != HT_POISONED_PTR) + && EXPECTED(iter->ht->u.v.nIteratorsCount != 255)) { + iter->ht->u.v.nIteratorsCount--; + } + SEPARATE_ARRAY(array); + ht = Z_ARRVAL_P(array); + if (EXPECTED(ht->u.v.nIteratorsCount != 255)) { + ht->u.v.nIteratorsCount++; + } + iter->ht = ht; + iter->pos = ht->nInternalPointer; + } + return iter->pos; +} + ZEND_API void ZEND_FASTCALL zend_hash_iterator_del(uint32_t idx) { HashTableIterator *iter = EG(ht_iterators) + idx; diff --git a/Zend/zend_hash.h b/Zend/zend_hash.h index 9fe99ac919..b800bb5e76 100644 --- a/Zend/zend_hash.h +++ b/Zend/zend_hash.h @@ -225,6 +225,7 @@ ZEND_API int ZEND_FASTCALL _zend_handle_numeric_str_ex(const char *key, size_t l ZEND_API uint32_t ZEND_FASTCALL zend_hash_iterator_add(HashTable *ht, HashPosition pos); ZEND_API HashPosition ZEND_FASTCALL zend_hash_iterator_pos(uint32_t idx, HashTable *ht); +ZEND_API HashPosition ZEND_FASTCALL zend_hash_iterator_pos_ex(uint32_t idx, zval *array); ZEND_API void ZEND_FASTCALL zend_hash_iterator_del(uint32_t idx); ZEND_API HashPosition ZEND_FASTCALL zend_hash_iterators_lower_pos(HashTable *ht, HashPosition start); ZEND_API void ZEND_FASTCALL _zend_hash_iterators_update(HashTable *ht, HashPosition from, HashPosition to); diff --git a/Zend/zend_vm_def.h b/Zend/zend_vm_def.h index f02a0e8248..fd7aa92b0d 100644 --- a/Zend/zend_vm_def.h +++ b/Zend/zend_vm_def.h @@ -6182,8 +6182,8 @@ ZEND_VM_HANDLER(126, ZEND_FE_FETCH_RW, VAR, ANY) ZVAL_DEREF(array); if (EXPECTED(Z_TYPE_P(array) == IS_ARRAY)) { + pos = zend_hash_iterator_pos_ex(Z_FE_ITER_P(EX_VAR(opline->op1.var)), array); fe_ht = Z_ARRVAL_P(array); - pos = zend_hash_iterator_pos(Z_FE_ITER_P(EX_VAR(opline->op1.var)), fe_ht); p = fe_ht->arData + pos; while (1) { if (UNEXPECTED(pos >= fe_ht->nNumUsed)) { diff --git a/Zend/zend_vm_execute.h b/Zend/zend_vm_execute.h index 52a122c94a..d1814a037c 100644 --- a/Zend/zend_vm_execute.h +++ b/Zend/zend_vm_execute.h @@ -15957,8 +15957,8 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_FE_FETCH_RW_SPEC_VAR_HANDLER(Z ZVAL_DEREF(array); if (EXPECTED(Z_TYPE_P(array) == IS_ARRAY)) { + pos = zend_hash_iterator_pos_ex(Z_FE_ITER_P(EX_VAR(opline->op1.var)), array); fe_ht = Z_ARRVAL_P(array); - pos = zend_hash_iterator_pos(Z_FE_ITER_P(EX_VAR(opline->op1.var)), fe_ht); p = fe_ht->arData + pos; while (1) { if (UNEXPECTED(pos >= fe_ht->nNumUsed)) { |