diff options
author | Nikita Popov <nikita.ppv@gmail.com> | 2020-09-03 17:10:34 +0200 |
---|---|---|
committer | Nikita Popov <nikita.ppv@gmail.com> | 2020-09-03 17:12:40 +0200 |
commit | 46a49be6c866103ebcb95e03b2b96460bec16b7b (patch) | |
tree | 041cc0d12717549d9f7477cac6ba33e029b7f70d | |
parent | 1848ccdae2b9fbdfbbe8de56f8eda8b8869c825e (diff) | |
download | php-git-46a49be6c866103ebcb95e03b2b96460bec16b7b.tar.gz |
Fixed bug #80049
Type checking may convert to refcounted values, so force freeing
of extra args.
-rw-r--r-- | NEWS | 2 | ||||
-rw-r--r-- | Zend/tests/bug80049.phpt | 14 | ||||
-rw-r--r-- | Zend/zend_vm_def.h | 1 | ||||
-rw-r--r-- | Zend/zend_vm_execute.h | 1 |
4 files changed, 18 insertions, 0 deletions
@@ -4,6 +4,8 @@ PHP NEWS - Core: . Fixed bug #80048 (Bug #69100 has not been fixed for Windows). (cmb) + . Fixed bug #80049 (Memleak when coercing integers to string via variadic + argument). (Nikita) - Calendar: . Fixed bug #80007 (Potential type confusion in unixtojd() parameter parsing). diff --git a/Zend/tests/bug80049.phpt b/Zend/tests/bug80049.phpt new file mode 100644 index 0000000000..852b71feaa --- /dev/null +++ b/Zend/tests/bug80049.phpt @@ -0,0 +1,14 @@ +--TEST-- +Bug #80049: Memleak when coercing integers to string via variadic argument +--FILE-- +<?php +function coerceToString(string ...$strings) { + var_dump($strings); +} +coerceToString(...[123]); +?> +--EXPECT-- +array(1) { + [0]=> + string(3) "123" +} diff --git a/Zend/zend_vm_def.h b/Zend/zend_vm_def.h index 70e33039da..6f9aca4b55 100644 --- a/Zend/zend_vm_def.h +++ b/Zend/zend_vm_def.h @@ -4819,6 +4819,7 @@ ZEND_VM_HANDLER(164, ZEND_RECV_VARIADIC, NUM, UNUSED|CACHE_SLOT) ZEND_HASH_FILL_PACKED(Z_ARRVAL_P(params)) { param = EX_VAR_NUM(EX(func)->op_array.last_var + EX(func)->op_array.T); if (UNEXPECTED((EX(func)->op_array.fn_flags & ZEND_ACC_HAS_TYPE_HINTS) != 0)) { + ZEND_ADD_CALL_FLAG(execute_data, ZEND_CALL_FREE_EXTRA_ARGS); do { zend_verify_arg_type(EX(func), arg_num, param, NULL, CACHE_ADDR(opline->op2.num)); if (Z_OPT_REFCOUNTED_P(param)) Z_ADDREF_P(param); diff --git a/Zend/zend_vm_execute.h b/Zend/zend_vm_execute.h index 9d7515e9d0..e5e5a9e1da 100644 --- a/Zend/zend_vm_execute.h +++ b/Zend/zend_vm_execute.h @@ -2375,6 +2375,7 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_RECV_VARIADIC_SPEC_UNUSED_HAND ZEND_HASH_FILL_PACKED(Z_ARRVAL_P(params)) { param = EX_VAR_NUM(EX(func)->op_array.last_var + EX(func)->op_array.T); if (UNEXPECTED((EX(func)->op_array.fn_flags & ZEND_ACC_HAS_TYPE_HINTS) != 0)) { + ZEND_ADD_CALL_FLAG(execute_data, ZEND_CALL_FREE_EXTRA_ARGS); do { zend_verify_arg_type(EX(func), arg_num, param, NULL, CACHE_ADDR(opline->op2.num)); if (Z_OPT_REFCOUNTED_P(param)) Z_ADDREF_P(param); |