summaryrefslogtreecommitdiff
path: root/ext/opcache/jit/zend_jit_trace.c
diff options
context:
space:
mode:
authorDmitry Stogov <dmitry@zend.com>2020-08-26 01:07:34 +0300
committerDmitry Stogov <dmitry@zend.com>2020-08-26 01:07:34 +0300
commit5948a6674a8a338c6834bc0a53d49ce0d91810af (patch)
treec440b7edb8d01c4262865cbb364b3f27451f2b23 /ext/opcache/jit/zend_jit_trace.c
parent145aba5c83032308908c970ee38b00efac938329 (diff)
downloadphp-git-5948a6674a8a338c6834bc0a53d49ce0d91810af.tar.gz
Prevent negative array index access
Diffstat (limited to 'ext/opcache/jit/zend_jit_trace.c')
-rw-r--r--ext/opcache/jit/zend_jit_trace.c13
1 files changed, 10 insertions, 3 deletions
diff --git a/ext/opcache/jit/zend_jit_trace.c b/ext/opcache/jit/zend_jit_trace.c
index 3d6a7dd07c..483b94c476 100644
--- a/ext/opcache/jit/zend_jit_trace.c
+++ b/ext/opcache/jit/zend_jit_trace.c
@@ -4020,8 +4020,11 @@ static const void *zend_jit_trace(zend_jit_trace_rec *trace_buffer, uint32_t par
op2_info = OP2_INFO();
CHECK_OP2_TRACE_TYPE();
res_info = RES_INFO();
+ avoid_refcounting =
+ ssa_op->op1_use >= 0 &&
+ ssa->var_info[ssa_op->op1_use].avoid_refcounting;
if (!zend_jit_fetch_dim_read(&dasm_state, opline, ssa, ssa_op,
- op1_info, op1_addr, ssa->var_info[ssa_op->op1_use].avoid_refcounting,
+ op1_info, op1_addr, avoid_refcounting,
op2_info, res_info, RES_REG_ADDR(),
(
(op1_info & MAY_BE_ANY) != MAY_BE_ARRAY ||
@@ -4063,7 +4066,8 @@ static const void *zend_jit_trace(zend_jit_trace_rec *trace_buffer, uint32_t par
if (ra) {
zend_jit_trace_clenup_stack(stack, opline, ssa_op, ssa, ra);
}
- if (ssa->var_info[ssa_op->op1_use].avoid_refcounting) {
+ if (ssa_op->op1_use >= 0
+ && ssa->var_info[ssa_op->op1_use].avoid_refcounting) {
/* Temporary reset ZREG_ZVAL_TRY_ADDREF */
zend_jit_trace_stack *stack = JIT_G(current_frame)->stack;
uint32_t old_info = STACK_INFO(stack, EX_VAR_TO_NUM(opline->op1.var));
@@ -4083,8 +4087,11 @@ static const void *zend_jit_trace(zend_jit_trace_rec *trace_buffer, uint32_t par
smart_branch_opcode = 0;
exit_addr = NULL;
}
+ avoid_refcounting =
+ ssa_op->op1_use >= 0 &&
+ ssa->var_info[ssa_op->op1_use].avoid_refcounting;
if (!zend_jit_isset_isempty_dim(&dasm_state, opline,
- op1_info, op1_addr, ssa->var_info[ssa_op->op1_use].avoid_refcounting,
+ op1_info, op1_addr, avoid_refcounting,
op2_info,
zend_may_throw_ex(opline, ssa_op, op_array, ssa, op1_info, op2_info),
smart_branch_opcode, -1, -1,