diff options
| author | Xinchen Hui <laruence@gmail.com> | 2017-02-12 20:34:08 +0800 |
|---|---|---|
| committer | Xinchen Hui <laruence@gmail.com> | 2017-02-12 20:34:08 +0800 |
| commit | 26fdebc63b642417820017e550d46c1b1f773504 (patch) | |
| tree | 7471bfb4495530c0f1efca616d9ecb78ea4bc0d2 /Zend/zend_operators.c | |
| parent | 01c1afa79f614fe8376e73f4e73f392160923745 (diff) | |
| download | php-git-26fdebc63b642417820017e550d46c1b1f773504.tar.gz | |
Fixed bug #74084 (Out of bound read - zend_mm_alloc_small)
Diffstat (limited to 'Zend/zend_operators.c')
| -rw-r--r-- | Zend/zend_operators.c | 67 |
1 files changed, 48 insertions, 19 deletions
diff --git a/Zend/zend_operators.c b/Zend/zend_operators.c index 07e635e495..3a8929b83f 100644 --- a/Zend/zend_operators.c +++ b/Zend/zend_operators.c @@ -926,8 +926,13 @@ ZEND_API int ZEND_FASTCALL add_function(zval *result, zval *op1, zval *op2) /* { } else if (!converted) { ZEND_TRY_BINARY_OBJECT_OPERATION(ZEND_ADD, add_function); - zendi_convert_scalar_to_number(op1, op1_copy, result); - zendi_convert_scalar_to_number(op2, op2_copy, result); + if (EXPECTED(op1 != op2)) { + zendi_convert_scalar_to_number(op1, op1_copy, result); + zendi_convert_scalar_to_number(op2, op2_copy, result); + } else { + zendi_convert_scalar_to_number(op1, op1_copy, result); + op2 = op1; + } converted = 1; } else { zend_throw_error(NULL, "Unsupported operand types"); @@ -979,8 +984,13 @@ ZEND_API int ZEND_FASTCALL sub_function(zval *result, zval *op1, zval *op2) /* { } else if (!converted) { ZEND_TRY_BINARY_OBJECT_OPERATION(ZEND_SUB, sub_function); - zendi_convert_scalar_to_number(op1, op1_copy, result); - zendi_convert_scalar_to_number(op2, op2_copy, result); + if (EXPECTED(op1 != op2)) { + zendi_convert_scalar_to_number(op1, op1_copy, result); + zendi_convert_scalar_to_number(op2, op2_copy, result); + } else { + zendi_convert_scalar_to_number(op1, op1_copy, result); + op2 = op1; + } converted = 1; } else { zend_throw_error(NULL, "Unsupported operand types"); @@ -1026,8 +1036,13 @@ ZEND_API int ZEND_FASTCALL mul_function(zval *result, zval *op1, zval *op2) /* { } else if (!converted) { ZEND_TRY_BINARY_OBJECT_OPERATION(ZEND_MUL, mul_function); - zendi_convert_scalar_to_number(op1, op1_copy, result); - zendi_convert_scalar_to_number(op2, op2_copy, result); + if (EXPECTED(op1 != op2)) { + zendi_convert_scalar_to_number(op1, op1_copy, result); + zendi_convert_scalar_to_number(op2, op2_copy, result); + } else { + zendi_convert_scalar_to_number(op1, op1_copy, result); + op2 = op1; + } converted = 1; } else { zend_throw_error(NULL, "Unsupported operand types"); @@ -1104,17 +1119,27 @@ ZEND_API int ZEND_FASTCALL pow_function(zval *result, zval *op1, zval *op2) /* { } else if (!converted) { ZEND_TRY_BINARY_OBJECT_OPERATION(ZEND_POW, pow_function); - if (Z_TYPE_P(op1) == IS_ARRAY) { - ZVAL_LONG(result, 0); - return SUCCESS; - } else { - zendi_convert_scalar_to_number(op1, op1_copy, result); - } - if (Z_TYPE_P(op2) == IS_ARRAY) { - ZVAL_LONG(result, 1L); - return SUCCESS; + if (EXPECTED(op1 != op2)) { + if (Z_TYPE_P(op1) == IS_ARRAY) { + ZVAL_LONG(result, 0); + return SUCCESS; + } else { + zendi_convert_scalar_to_number(op1, op1_copy, result); + } + if (Z_TYPE_P(op2) == IS_ARRAY) { + ZVAL_LONG(result, 1L); + return SUCCESS; + } else { + zendi_convert_scalar_to_number(op2, op2_copy, result); + } } else { - zendi_convert_scalar_to_number(op2, op2_copy, result); + if (Z_TYPE_P(op1) == IS_ARRAY) { + ZVAL_LONG(result, 0); + return SUCCESS; + } else { + zendi_convert_scalar_to_number(op1, op1_copy, result); + } + op2 = op1; } converted = 1; } else { @@ -1178,9 +1203,13 @@ ZEND_API int ZEND_FASTCALL div_function(zval *result, zval *op1, zval *op2) /* { op2 = Z_REFVAL_P(op2); } else if (!converted) { ZEND_TRY_BINARY_OBJECT_OPERATION(ZEND_DIV, div_function); - - zendi_convert_scalar_to_number(op1, op1_copy, result); - zendi_convert_scalar_to_number(op2, op2_copy, result); + if (EXPECTED(op1 != op2)) { + zendi_convert_scalar_to_number(op1, op1_copy, result); + zendi_convert_scalar_to_number(op2, op2_copy, result); + } else { + zendi_convert_scalar_to_number(op1, op1_copy, result); + op2 = op1; + } converted = 1; } else { zend_throw_error(NULL, "Unsupported operand types"); |