mirror of https://github.com/php/php-src.git synced 2026-03-24 00:02:20 +01:00

Fix is_zend_ptr() huge block comparison

We should compare the block memory, not the block metadata (See
zend_mm_add_huge_block).
This caused random test failures in ext/ffi/tests/gh14626.phpt when the
malloc() performed by the FFI code lies close to the block metadata, and
the size of the block is large enough.

This was reported by https://github.com/php/php-src/issues/16902#issuecomment-2498310452

Closes GH-16938.
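The failure mode the message describes, as an added example that is not code from php-src: a constructed layout puts a foreign buffer directly behind the list node metadata, and the pre-fix check claims that buffer while missing the tail of the real huge block. `huge_node`, `arena` and the helper names are assumptions of this example, not PHP's own identifiers.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model of a huge-block list node: only the fields the patched
 * check reads, not the real zend_mm_huge_list layout. */
typedef struct huge_node {
    void *ptr;               /* start of the huge allocation this node describes */
    size_t size;             /* size of that allocation in bytes */
    struct huge_node *next;
} huge_node;

/* Pre-fix check: ranges over the metadata node's own address. */
static bool in_huge_list_old(const huge_node *b, const void *p) {
    for (; b; b = b->next)
        if (p >= (const void *)b && p < (const void *)((const char *)b + b->size))
            return true;
    return false;
}

/* Post-fix check: ranges over the memory the node points to. */
static bool in_huge_list_new(const huge_node *b, const void *p) {
    for (; b; b = b->next)
        if (p >= b->ptr && p < (const void *)((const char *)b->ptr + b->size))
            return true;
    return false;
}

/* One object holding all three regions so the pointer comparisons stay
 * well-defined: node metadata, then a foreign buffer right behind it (the
 * role the FFI malloc() plays in the report), then the huge block itself. */
static struct { huge_node node; char foreign[64]; char huge[4096]; } arena;

static huge_node *setup(void) {
    arena.node.ptr = arena.huge;
    arena.node.size = sizeof arena.huge;
    arena.node.next = NULL;
    return &arena.node;
}

/* Foreign memory next to the metadata: old check claims it, new check does not. */
int old_check_on_foreign(void) { return in_huge_list_old(setup(), arena.foreign); }
int new_check_on_foreign(void) { return in_huge_list_new(setup(), arena.foreign); }
/* Last byte of the real huge block: old check misses it, new check finds it. */
int old_check_on_huge_tail(void) { return in_huge_list_old(setup(), arena.huge + sizeof arena.huge - 1); }
int new_check_on_huge_tail(void) { return in_huge_list_new(setup(), arena.huge + sizeof arena.huge - 1); }

int main(void) {
    printf("foreign:   old=%d new=%d\n", old_check_on_foreign(), new_check_on_foreign());
    printf("huge tail: old=%d new=%d\n", old_check_on_huge_tail(), new_check_on_huge_tail());
    return 0;
}
```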
Niels Dossche
2024-11-25 21:24:38 +01:00
parent d1b9d7ee83
commit 18674e39ad
2 changed files with 3 additions and 2 deletions

NEWS

@@ -14,6 +14,7 @@ PHP NEWS
(nielsdos)
. Fixed bug GH-16630 (UAF in lexer with encoding translation and heredocs).
(nielsdos)
. Fix is_zend_ptr() huge block comparison. (nielsdos)
- FPM:
. Fixed GH-16432 (PHP-FPM 8.2 SIGSEGV in fpm_get_status). (Jakub Zelenka)
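Review bot: the added NEWS line omits the issue number, while the neighbouring entries follow the `Fixed bug GH-16630 (...)` pattern and the commit message says it closes GH-16938; consider `. Fixed bug GH-16938 (is_zend_ptr() huge block comparison). (nielsdos)` so the changelog stays consistent and searchable by issue id.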


@@ -2457,8 +2457,8 @@ ZEND_API bool is_zend_ptr(const void *ptr)
zend_mm_huge_list *block = AG(mm_heap)->huge_list;
while (block) {
if (ptr >= (void*)block
&& ptr < (void*)((char*)block + block->size)) {
if (ptr >= block->ptr
&& ptr < (void*)((char*)block->ptr + block->size)) {
return 1;
}
block = block->next;
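Review bot: no regression test accompanies this fix (only NEWS and this source file change), and the message says the bug surfaced only as a random failure in ext/ffi/tests/gh14626.phpt; a deterministic test that asks is_zend_ptr() about memory allocated outside the Zend allocator right next to a huge block would pin the corrected behaviour. The change itself is right: the old condition ranged over the `zend_mm_huge_list` node's own address using `block->size`, which is the size of the allocation rather than of the node, so it could claim unrelated memory placed after the node and miss the tail of the real huge block, whereas `block->ptr` to `block->ptr + block->size` is the range the node actually describes. One nit: `>=`/`<` between `ptr` and a block it may not belong to is a comparison of pointers into different objects, which the C standard leaves undefined; casting both sides to `uintptr_t` would make the check well-defined without changing the result.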