Fixed possible crash

2026-03-31 04:32:19 +02:00 · 2019-02-12 11:21:09 +03:00
parent 62fd45f530
commit 7d4de1a77e
2 changed files with 23 additions and 1 deletions
--- a/ext/ffi/ffi.c
+++ b/ext/ffi/ffi.c
@@ -1138,10 +1138,16 @@ static void zend_ffi_cdata_write_dim(zval *object, zval *offset, zval *value) /*
 {
 	zend_ffi_cdata *cdata = (zend_ffi_cdata*)Z_OBJ_P(object);
 	zend_ffi_type  *type = ZEND_FFI_TYPE(cdata->type);
-	zend_long       dim = zval_get_long(offset);
+	zend_long       dim;
 	void           *ptr;
 	zend_ffi_flags  is_const;

+	if (offset == NULL) {
+		zend_throw_error(zend_ffi_exception_ce, "Cannot add next element to object of type FFI\\CData");
+		return;
+	}
+	
+	dim = zval_get_long(offset);
 	if (EXPECTED(type->kind == ZEND_FFI_TYPE_ARRAY)) {
 		if (UNEXPECTED((zend_ulong)(dim) >= (zend_ulong)type->array.length)
 		 && (UNEXPECTED(dim < 0) || UNEXPECTED(type->array.length != 0))) {
--- a/ext/ffi/tests/042.phpt
+++ b/ext/ffi/tests/042.phpt
@@ -0,0 +1,16 @@
+--TEST--
+FFI 042: Next array element
+--SKIPIF--
+<?php require_once('skipif.inc'); ?>
+--INI--
+ffi.enable=1
+--FILE--
+<?php
+$a = FFI::new("uint8_t[8]");
+$a[] = 0;
+?>
+--EXPECTF--
+Fatal error: Uncaught FFI\Exception: Cannot add next element to object of type FFI\CData in %sext/ffi/tests/042.php:3
+Stack trace:
+#0 {main}
+  thrown in %sext/ffi/tests/042.php on line 3