mirrors/php-src
0
0
Fork 0
mirror of https://github.com/php/php-src.git synced 2024-11-23 18:04:36 +08:00
Code Issues Packages Projects Releases Wiki Activity

Fixed bug #78488 (OOB in ZEND_FUNCTION(ffi_trampoline)).

Browse Source
This commit is contained in:
Dmitry Stogov 2019-09-04 12:13:49 +03:00
parent 94e2f25f07
commit 1db0bad6a7
2 changed files with 11 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
NEWS
View File

@ -2,6 +2,9 @@ PHP NEWS
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
?? ??? ????, PHP 7.4.0RC2
- FFI:
. Fixed bug #78488 (OOB in ZEND_FUNCTION(ffi_trampoline)). (Dmitry)
- Opcache:
. Add opcache.preload_user INI directive. (Dmitry)

13
ext/ffi/ffi.c
View File

@ -160,6 +160,9 @@ typedef struct _zend_ffi {
#define ZEND_FFI_TYPE_MAKE_OWNED(t) \
((zend_ffi_type*)(((uintptr_t)(t)) | ZEND_FFI_TYPE_OWNED))
#define ZEND_FFI_SIZEOF_ARG \
MAX(FFI_SIZEOF_ARG, sizeof(double))
typedef struct _zend_ffi_cdata {
zend_object std;
zend_ffi_type *type;
@ -2614,12 +2617,12 @@ static ZEND_FUNCTION(ffi_trampoline) /* {{{ */
arg_types = do_alloca(
sizeof(ffi_type*) * EX_NUM_ARGS(), arg_types_use_heap);
arg_values = do_alloca(
(sizeof(void*) + FFI_SIZEOF_ARG) * EX_NUM_ARGS(), arg_values_use_heap);
(sizeof(void*) + ZEND_FFI_SIZEOF_ARG) * EX_NUM_ARGS(), arg_values_use_heap);
n = 0;
if (type->func.args) {
ZEND_HASH_FOREACH_PTR(type->func.args, arg_type) {
arg_type = ZEND_FFI_TYPE(arg_type);
arg_values[n] = ((char*)arg_values) + (sizeof(void*) * EX_NUM_ARGS()) + (FFI_SIZEOF_ARG * n);
arg_values[n] = ((char*)arg_values) + (sizeof(void*) * EX_NUM_ARGS()) + (ZEND_FFI_SIZEOF_ARG * n);
if (zend_ffi_pass_arg(EX_VAR_NUM(n), arg_type, &arg_types[n], arg_values, n, execute_data) != SUCCESS) {
free_alloca(arg_types, arg_types_use_heap);
free_alloca(arg_values, arg_values_use_heap);
@ -2629,7 +2632,7 @@ static ZEND_FUNCTION(ffi_trampoline) /* {{{ */
} ZEND_HASH_FOREACH_END();
}
for (; n < EX_NUM_ARGS(); n++) {
arg_values[n] = ((char*)arg_values) + (sizeof(void*) * EX_NUM_ARGS()) + (FFI_SIZEOF_ARG * n);
arg_values[n] = ((char*)arg_values) + (sizeof(void*) * EX_NUM_ARGS()) + (ZEND_FFI_SIZEOF_ARG * n);
if (zend_ffi_pass_var_arg(EX_VAR_NUM(n), &arg_types[n], arg_values, n, execute_data) != SUCCESS) {
free_alloca(arg_types, arg_types_use_heap);
free_alloca(arg_values, arg_values_use_heap);
@ -2659,12 +2662,12 @@ static ZEND_FUNCTION(ffi_trampoline) /* {{{ */
arg_types = do_alloca(
(sizeof(ffi_type*) + sizeof(ffi_type)) * EX_NUM_ARGS(), arg_types_use_heap);
arg_values = do_alloca(
(sizeof(void*) + FFI_SIZEOF_ARG) * EX_NUM_ARGS(), arg_values_use_heap);
(sizeof(void*) + ZEND_FFI_SIZEOF_ARG) * EX_NUM_ARGS(), arg_values_use_heap);
n = 0;
if (type->func.args) {
ZEND_HASH_FOREACH_PTR(type->func.args, arg_type) {
arg_type = ZEND_FFI_TYPE(arg_type);
arg_values[n] = ((char*)arg_values) + (sizeof(void*) * EX_NUM_ARGS()) + (FFI_SIZEOF_ARG * n);
arg_values[n] = ((char*)arg_values) + (sizeof(void*) * EX_NUM_ARGS()) + (ZEND_FFI_SIZEOF_ARG * n);
if (zend_ffi_pass_arg(EX_VAR_NUM(n), arg_type, &arg_types[n], arg_values, n, execute_data) != SUCCESS) {
free_alloca(arg_types, arg_types_use_heap);
free_alloca(arg_values, arg_values_use_heap);