diff options
| author | Xinchen Hui <laruence@gmail.com> | 2017-02-12 20:34:08 +0800 |
|---|---|---|
| committer | Xinchen Hui <laruence@gmail.com> | 2017-02-12 20:34:08 +0800 |
| commit | 26fdebc63b642417820017e550d46c1b1f773504 (patch) | |
| tree | 7471bfb4495530c0f1efca616d9ecb78ea4bc0d2 | |
| parent | 01c1afa79f614fe8376e73f4e73f392160923745 (diff) | |
| download | php-git-26fdebc63b642417820017e550d46c1b1f773504.tar.gz | |
Fixed bug #74084 (Out of bound read - zend_mm_alloc_small)
| -rw-r--r-- | NEWS | 1 | ||||
| -rw-r--r-- | Zend/tests/bug74084.phpt | 19 | ||||
| -rw-r--r-- | Zend/zend_operators.c | 67 |
3 files changed, 68 insertions, 19 deletions
@@ -3,6 +3,7 @@ PHP NEWS ?? ??? 2017 PHP 7.0.17 - Core: + . Fixed bug #74084 (Out of bound read - zend_mm_alloc_small). (Laruence) . Fixed bug #73807 (Performance problem with processing large post request). (Nikita) . Fixed bug #73998 (array_key_exists fails on arrays created by diff --git a/Zend/tests/bug74084.phpt b/Zend/tests/bug74084.phpt new file mode 100644 index 0000000000..b27bbb4647 --- /dev/null +++ b/Zend/tests/bug74084.phpt @@ -0,0 +1,19 @@ +--TEST-- +Bug #74084 (Out of bound read - zend_mm_alloc_small) +--INI-- +error_reporting=0 +--FILE-- +<?php +$$A += $$B->a = &$$C; +unset($$A); +$$A -= $$B->a = &$$C; +unset($$A); +$$A *= $$B->a = &$$C; +unset($$A); +$$A /= $$B->a = &$$C; +unset($$A); +$$A **= $$B->a = &$$C; +var_dump($$A); +?> +--EXPECT-- +int(1) diff --git a/Zend/zend_operators.c b/Zend/zend_operators.c index 07e635e495..3a8929b83f 100644 --- a/Zend/zend_operators.c +++ b/Zend/zend_operators.c @@ -926,8 +926,13 @@ ZEND_API int ZEND_FASTCALL add_function(zval *result, zval *op1, zval *op2) /* { } else if (!converted) { ZEND_TRY_BINARY_OBJECT_OPERATION(ZEND_ADD, add_function); - zendi_convert_scalar_to_number(op1, op1_copy, result); - zendi_convert_scalar_to_number(op2, op2_copy, result); + if (EXPECTED(op1 != op2)) { + zendi_convert_scalar_to_number(op1, op1_copy, result); + zendi_convert_scalar_to_number(op2, op2_copy, result); + } else { + zendi_convert_scalar_to_number(op1, op1_copy, result); + op2 = op1; + } converted = 1; } else { zend_throw_error(NULL, "Unsupported operand types"); @@ -979,8 +984,13 @@ ZEND_API int ZEND_FASTCALL sub_function(zval *result, zval *op1, zval *op2) /* { } else if (!converted) { ZEND_TRY_BINARY_OBJECT_OPERATION(ZEND_SUB, sub_function); - zendi_convert_scalar_to_number(op1, op1_copy, result); - zendi_convert_scalar_to_number(op2, op2_copy, result); + if (EXPECTED(op1 != op2)) { + zendi_convert_scalar_to_number(op1, op1_copy, result); + zendi_convert_scalar_to_number(op2, op2_copy, result); + } else { + zendi_convert_scalar_to_number(op1, op1_copy, result); + op2 = op1; + } converted = 1; } else { zend_throw_error(NULL, "Unsupported operand types"); @@ -1026,8 +1036,13 @@ ZEND_API int ZEND_FASTCALL mul_function(zval *result, zval *op1, zval *op2) /* { } else if (!converted) { ZEND_TRY_BINARY_OBJECT_OPERATION(ZEND_MUL, mul_function); - zendi_convert_scalar_to_number(op1, op1_copy, result); - zendi_convert_scalar_to_number(op2, op2_copy, result); + if (EXPECTED(op1 != op2)) { + zendi_convert_scalar_to_number(op1, op1_copy, result); + zendi_convert_scalar_to_number(op2, op2_copy, result); + } else { + zendi_convert_scalar_to_number(op1, op1_copy, result); + op2 = op1; + } converted = 1; } else { zend_throw_error(NULL, "Unsupported operand types"); @@ -1104,17 +1119,27 @@ ZEND_API int ZEND_FASTCALL pow_function(zval *result, zval *op1, zval *op2) /* { } else if (!converted) { ZEND_TRY_BINARY_OBJECT_OPERATION(ZEND_POW, pow_function); - if (Z_TYPE_P(op1) == IS_ARRAY) { - ZVAL_LONG(result, 0); - return SUCCESS; - } else { - zendi_convert_scalar_to_number(op1, op1_copy, result); - } - if (Z_TYPE_P(op2) == IS_ARRAY) { - ZVAL_LONG(result, 1L); - return SUCCESS; + if (EXPECTED(op1 != op2)) { + if (Z_TYPE_P(op1) == IS_ARRAY) { + ZVAL_LONG(result, 0); + return SUCCESS; + } else { + zendi_convert_scalar_to_number(op1, op1_copy, result); + } + if (Z_TYPE_P(op2) == IS_ARRAY) { + ZVAL_LONG(result, 1L); + return SUCCESS; + } else { + zendi_convert_scalar_to_number(op2, op2_copy, result); + } } else { - zendi_convert_scalar_to_number(op2, op2_copy, result); + if (Z_TYPE_P(op1) == IS_ARRAY) { + ZVAL_LONG(result, 0); + return SUCCESS; + } else { + zendi_convert_scalar_to_number(op1, op1_copy, result); + } + op2 = op1; } converted = 1; } else { @@ -1178,9 +1203,13 @@ ZEND_API int ZEND_FASTCALL div_function(zval *result, zval *op1, zval *op2) /* { op2 = Z_REFVAL_P(op2); } else if (!converted) { ZEND_TRY_BINARY_OBJECT_OPERATION(ZEND_DIV, div_function); - - zendi_convert_scalar_to_number(op1, op1_copy, result); - zendi_convert_scalar_to_number(op2, op2_copy, result); + if (EXPECTED(op1 != op2)) { + zendi_convert_scalar_to_number(op1, op1_copy, result); + zendi_convert_scalar_to_number(op2, op2_copy, result); + } else { + zendi_convert_scalar_to_number(op1, op1_copy, result); + op2 = op1; + } converted = 1; } else { zend_throw_error(NULL, "Unsupported operand types"); |