Fix uninitialized run-time cache when resolving named param defaults

Fixes oss-fuzz #25676.
Nikita Popov 2020-09-15 16:08:14 +02:00
parent 3c53732332
commit 7e61c2edd8
2 changed files with 21 additions and 0 deletions


@ -0,0 +1,17 @@
--TEST--
Uninitialized run-time cache when resolving default values
--FILE--
<?php
class Test {
public static function method($a = FOO, $b = 1) {
echo "a = $a, b = $b\n";
}
}
define('FOO', 42);
call_user_func(['Test', 'method'], b: 0);
?>
--EXPECT--
a = 42, b = 0
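Review bot: The test depends on `define('FOO', 42)` coming after the class declaration, but nothing in the file says so, and a reader reordering it would silently turn the test into a no-op (the default would presumably be resolved at compile time and the run-time cache path, the IS_CONSTANT_AST branch in the zend_execute.c hunk, would never be exercised). A comment above the `define` line would pin that down, e.g. `// FOO must be defined after the class so the default stays an unresolved constant at run time`. The `b: 0` named argument through call_user_func() is what leaves `$a` undefined and triggers the default resolution; stating that on the call line would complete the picture.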


@ -4464,6 +4464,10 @@ ZEND_API zend_result ZEND_FASTCALL zend_handle_undef_args(zend_execute_data *cal
if (EXPECTED(opline->opcode == ZEND_RECV_INIT)) {
zval *default_value = RT_CONSTANT(opline, opline->op2);
if (Z_OPT_TYPE_P(default_value) == IS_CONSTANT_AST) {
if (UNEXPECTED(!RUN_TIME_CACHE(op_array))) {
init_func_run_time_cache(op_array);
}
void *run_time_cache = RUN_TIME_CACHE(op_array);
zval *cache_val =
(zval *) ((char *) run_time_cache + Z_CACHE_SLOT_P(default_value));
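Review bot: The new guard at `if (UNEXPECTED(!RUN_TIME_CACHE(op_array)))` carries no comment explaining why the cache can still be NULL here, and since this is the entire fix a later reader could easily drop it as redundant. A short why-comment would protect it, e.g. `/* The run-time cache may not be initialized yet on this path (reached via call_user_func() with named args, see the phpt); resolving the constant-AST default below needs its cache slot. */` — the triggering path is inferred from the test, so phrase it accordingly. The check sits inside the per-argument loop, so it is re-evaluated for every undefined argument; that is cheap, but if every iteration can reach the IS_CONSTANT_AST branch it could be hoisted above the loop, which I cannot confirm from the hunk alone. zend_handle_undef_args begins before the hunk and continues after it.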