-rw-r--r-- | NEWS | 3 | ||||
-rw-r--r-- | ext/ffi/ffi.c | 13 |
2 files changed, 11 insertions, 5 deletions
@@ -2,6 +2,9 @@ PHP NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 ?? ??? ????, PHP 7.4.0RC2
+- FFI:
+ . Fixed bug #78488 (OOB in ZEND_FUNCTION(ffi_trampoline)). (Dmitry)
+
 - Opcache:
 . Add opcache.preload_user INI directive. (Dmitry)
diff --git a/ext/ffi/ffi.c b/ext/ffi/ffi.c
index 552d168fd6..81c34071a3 100644
--- a/ext/ffi/ffi.c
+++ b/ext/ffi/ffi.c
@@ -160,6 +160,9 @@ typedef struct _zend_ffi {
 #define ZEND_FFI_TYPE_MAKE_OWNED(t) \
 ((zend_ffi_type*)(((uintptr_t)(t)) | ZEND_FFI_TYPE_OWNED))
+#define ZEND_FFI_SIZEOF_ARG \
+ MAX(FFI_SIZEOF_ARG, sizeof(double))
+
 typedef struct _zend_ffi_cdata {
 zend_object std;
 zend_ffi_type *type;
@@ -2614,12 +2617,12 @@ static ZEND_FUNCTION(ffi_trampoline) /* {{{ */
 arg_types = do_alloca(
 sizeof(ffi_type*) * EX_NUM_ARGS(), arg_types_use_heap);
 arg_values = do_alloca(
- (sizeof(void*) + FFI_SIZEOF_ARG) * EX_NUM_ARGS(), arg_values_use_heap);
+ (sizeof(void*) + ZEND_FFI_SIZEOF_ARG) * EX_NUM_ARGS(), arg_values_use_heap);
 n = 0;
 if (type->func.args) {
 ZEND_HASH_FOREACH_PTR(type->func.args, arg_type) {
 arg_type = ZEND_FFI_TYPE(arg_type);
- arg_values[n] = ((char*)arg_values) + (sizeof(void*) * EX_NUM_ARGS()) + (FFI_SIZEOF_ARG * n);
+ arg_values[n] = ((char*)arg_values) + (sizeof(void*) * EX_NUM_ARGS()) + (ZEND_FFI_SIZEOF_ARG * n);
 if (zend_ffi_pass_arg(EX_VAR_NUM(n), arg_type, &arg_types[n], arg_values, n, execute_data) != SUCCESS) {
 free_alloca(arg_types, arg_types_use_heap);
 free_alloca(arg_values, arg_values_use_heap);
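Review bot: ZEND_FFI_SIZEOF_ARG is defined without a comment saying why `sizeof(double)` is the floor, and nothing ties it to the widest value the argument marshalling actually stores in a slot. All three call sites in ffi_trampoline size their slots from this macro, so the out-of-bounds write from bug #78488 would come back as soon as a wider scalar is written. zend_ffi_pass_arg and zend_ffi_pass_var_arg are not shown in this diff, so it should be checked whether they ever store a `long double` or another type wider than a double. I would add `/* size of one marshalled-argument slot; must cover the widest scalar the pass_arg helpers store */` above the define and, if wider types are stored, fold them into the `MAX`.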
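Review bot: The value slots are now at least `sizeof(double)` wide, but they still begin `sizeof(void*) * EX_NUM_ARGS()` bytes into the buffer, so on a target with 4-byte pointers and an odd argument count every slot starts on a 4-byte boundary. A double or 64-bit integer stored through `arg_values[n]` is then misaligned, which is undefined behaviour in C and can fault on strict-alignment CPUs; whether do_alloca's result is itself 8-byte aligned is not visible here. Rounding the pointer-table size up to a multiple of ZEND_FFI_SIZEOF_ARG, in both the `do_alloca` size and the `arg_values[n]` offset, would close that gap. The same offset expression is repeated in the hunks at 2629 and 2659, so a single helper macro for the slot address would keep allocation and indexing in sync. ffi_trampoline's body starts and ends outside this hunk.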
@@ -2629,7 +2632,7 @@ static ZEND_FUNCTION(ffi_trampoline) /* {{{ */
 } ZEND_HASH_FOREACH_END();
 }
 for (; n < EX_NUM_ARGS(); n++) {
- arg_values[n] = ((char*)arg_values) + (sizeof(void*) * EX_NUM_ARGS()) + (FFI_SIZEOF_ARG * n);
+ arg_values[n] = ((char*)arg_values) + (sizeof(void*) * EX_NUM_ARGS()) + (ZEND_FFI_SIZEOF_ARG * n);
 if (zend_ffi_pass_var_arg(EX_VAR_NUM(n), &arg_types[n], arg_values, n, execute_data) != SUCCESS) {
 free_alloca(arg_types, arg_types_use_heap);
 free_alloca(arg_values, arg_values_use_heap);
@@ -2659,12 +2662,12 @@ static ZEND_FUNCTION(ffi_trampoline) /* {{{ */
 arg_types = do_alloca(
 (sizeof(ffi_type*) + sizeof(ffi_type)) * EX_NUM_ARGS(), arg_types_use_heap);
 arg_values = do_alloca(
- (sizeof(void*) + FFI_SIZEOF_ARG) * EX_NUM_ARGS(), arg_values_use_heap);
+ (sizeof(void*) + ZEND_FFI_SIZEOF_ARG) * EX_NUM_ARGS(), arg_values_use_heap);
 n = 0;
 if (type->func.args) {
 ZEND_HASH_FOREACH_PTR(type->func.args, arg_type) {
 arg_type = ZEND_FFI_TYPE(arg_type);
- arg_values[n] = ((char*)arg_values) + (sizeof(void*) * EX_NUM_ARGS()) + (FFI_SIZEOF_ARG * n);
+ arg_values[n] = ((char*)arg_values) + (sizeof(void*) * EX_NUM_ARGS()) + (ZEND_FFI_SIZEOF_ARG * n);
 if (zend_ffi_pass_arg(EX_VAR_NUM(n), arg_type, &arg_types[n], arg_values, n, execute_data) != SUCCESS) {
 free_alloca(arg_types, arg_types_use_heap);
 free_alloca(arg_values, arg_values_use_heap); |