diff options
| author | Dmitry Stogov <dmitry@zend.com> | 2019-09-04 12:14:15 +0300 |
|---|---|---|
| committer | Dmitry Stogov <dmitry@zend.com> | 2019-09-04 12:14:15 +0300 |
| commit | 8a393ec886918eed6e4e1c3fdb991a121ea5bc2b (patch) | |
| tree | ba30c079e2012d9fbf29f2410fcd66d8c37c3918 | |
| parent | 227f51683fc763dbe257478f251bbb600403c898 (diff) | |
| parent | d03d369fdbb45d87f97b31113c11d3e4c41404cd (diff) | |
| download | php-git-8a393ec886918eed6e4e1c3fdb991a121ea5bc2b.tar.gz | |
Merge branch 'PHP-7.4'
* PHP-7.4:
Fixed bug #78488 (OOB in ZEND_FUNCTION(ffi_trampoline)).
| -rw-r--r-- | ext/ffi/ffi.c | 13 |
1 files changed, 8 insertions, 5 deletions
diff --git a/ext/ffi/ffi.c b/ext/ffi/ffi.c index 7d38281b03..c7124f5127 100644 --- a/ext/ffi/ffi.c +++ b/ext/ffi/ffi.c @@ -161,6 +161,9 @@ typedef struct _zend_ffi { #define ZEND_FFI_TYPE_MAKE_OWNED(t) \ ((zend_ffi_type*)(((uintptr_t)(t)) | ZEND_FFI_TYPE_OWNED)) +#define ZEND_FFI_SIZEOF_ARG \ + MAX(FFI_SIZEOF_ARG, sizeof(double)) + typedef struct _zend_ffi_cdata { zend_object std; zend_ffi_type *type; @@ -2582,12 +2585,12 @@ static ZEND_FUNCTION(ffi_trampoline) /* {{{ */ arg_types = do_alloca( sizeof(ffi_type*) * EX_NUM_ARGS(), arg_types_use_heap); arg_values = do_alloca( - (sizeof(void*) + FFI_SIZEOF_ARG) * EX_NUM_ARGS(), arg_values_use_heap); + (sizeof(void*) + ZEND_FFI_SIZEOF_ARG) * EX_NUM_ARGS(), arg_values_use_heap); n = 0; if (type->func.args) { ZEND_HASH_FOREACH_PTR(type->func.args, arg_type) { arg_type = ZEND_FFI_TYPE(arg_type); - arg_values[n] = ((char*)arg_values) + (sizeof(void*) * EX_NUM_ARGS()) + (FFI_SIZEOF_ARG * n); + arg_values[n] = ((char*)arg_values) + (sizeof(void*) * EX_NUM_ARGS()) + (ZEND_FFI_SIZEOF_ARG * n); if (zend_ffi_pass_arg(EX_VAR_NUM(n), arg_type, &arg_types[n], arg_values, n, execute_data) != SUCCESS) { free_alloca(arg_types, arg_types_use_heap); free_alloca(arg_values, arg_values_use_heap); @@ -2597,7 +2600,7 @@ static ZEND_FUNCTION(ffi_trampoline) /* {{{ */ } ZEND_HASH_FOREACH_END(); } for (; n < EX_NUM_ARGS(); n++) { - arg_values[n] = ((char*)arg_values) + (sizeof(void*) * EX_NUM_ARGS()) + (FFI_SIZEOF_ARG * n); + arg_values[n] = ((char*)arg_values) + (sizeof(void*) * EX_NUM_ARGS()) + (ZEND_FFI_SIZEOF_ARG * n); if (zend_ffi_pass_var_arg(EX_VAR_NUM(n), &arg_types[n], arg_values, n, execute_data) != SUCCESS) { free_alloca(arg_types, arg_types_use_heap); free_alloca(arg_values, arg_values_use_heap); @@ -2627,12 +2630,12 @@ static ZEND_FUNCTION(ffi_trampoline) /* {{{ */ arg_types = do_alloca( (sizeof(ffi_type*) + sizeof(ffi_type)) * EX_NUM_ARGS(), arg_types_use_heap); arg_values = do_alloca( - (sizeof(void*) + FFI_SIZEOF_ARG) * EX_NUM_ARGS(), arg_values_use_heap); + (sizeof(void*) + ZEND_FFI_SIZEOF_ARG) * EX_NUM_ARGS(), arg_values_use_heap); n = 0; if (type->func.args) { ZEND_HASH_FOREACH_PTR(type->func.args, arg_type) { arg_type = ZEND_FFI_TYPE(arg_type); - arg_values[n] = ((char*)arg_values) + (sizeof(void*) * EX_NUM_ARGS()) + (FFI_SIZEOF_ARG * n); + arg_values[n] = ((char*)arg_values) + (sizeof(void*) * EX_NUM_ARGS()) + (ZEND_FFI_SIZEOF_ARG * n); if (zend_ffi_pass_arg(EX_VAR_NUM(n), arg_type, &arg_types[n], arg_values, n, execute_data) != SUCCESS) { free_alloca(arg_types, arg_types_use_heap); free_alloca(arg_values, arg_values_use_heap); |