php/archived-php-src
1
0
Fork 0
mirror of https://github.com/php/php-src.git synced 2026-03-30 04:02:19 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'PHP-7.4'

Browse Source 
* PHP-7.4:
  Fixed bug #78488 (OOB in ZEND_FUNCTION(ffi_trampoline)).
This commit is contained in:
Dmitry Stogov
2019-09-04 12:14:15 +03:00
parent 227f51683f d03d369fdb
commit 8a393ec886
1 changed files with 8 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
ext/ffi/ffi.c
View File

@@ -161,6 +161,9 @@ typedef struct _zend_ffi {
#define ZEND_FFI_TYPE_MAKE_OWNED(t) \
((zend_ffi_type*)(((uintptr_t)(t)) | ZEND_FFI_TYPE_OWNED))
#define ZEND_FFI_SIZEOF_ARG \
MAX(FFI_SIZEOF_ARG, sizeof(double))
typedef struct _zend_ffi_cdata {
zend_object std;
zend_ffi_type *type;
@@ -2582,12 +2585,12 @@ static ZEND_FUNCTION(ffi_trampoline) /* {{{ */
arg_types = do_alloca(
sizeof(ffi_type*) * EX_NUM_ARGS(), arg_types_use_heap);
arg_values = do_alloca(
(sizeof(void*) + FFI_SIZEOF_ARG) * EX_NUM_ARGS(), arg_values_use_heap);
(sizeof(void*) + ZEND_FFI_SIZEOF_ARG) * EX_NUM_ARGS(), arg_values_use_heap);
n = 0;
if (type->func.args) {
ZEND_HASH_FOREACH_PTR(type->func.args, arg_type) {
arg_type = ZEND_FFI_TYPE(arg_type);
arg_values[n] = ((char*)arg_values) + (sizeof(void*) * EX_NUM_ARGS()) + (FFI_SIZEOF_ARG * n);
arg_values[n] = ((char*)arg_values) + (sizeof(void*) * EX_NUM_ARGS()) + (ZEND_FFI_SIZEOF_ARG * n);
if (zend_ffi_pass_arg(EX_VAR_NUM(n), arg_type, &arg_types[n], arg_values, n, execute_data) != SUCCESS) {
free_alloca(arg_types, arg_types_use_heap);
free_alloca(arg_values, arg_values_use_heap);
@@ -2597,7 +2600,7 @@ static ZEND_FUNCTION(ffi_trampoline) /* {{{ */
} ZEND_HASH_FOREACH_END();
}
for (; n < EX_NUM_ARGS(); n++) {
arg_values[n] = ((char*)arg_values) + (sizeof(void*) * EX_NUM_ARGS()) + (FFI_SIZEOF_ARG * n);
arg_values[n] = ((char*)arg_values) + (sizeof(void*) * EX_NUM_ARGS()) + (ZEND_FFI_SIZEOF_ARG * n);
if (zend_ffi_pass_var_arg(EX_VAR_NUM(n), &arg_types[n], arg_values, n, execute_data) != SUCCESS) {
free_alloca(arg_types, arg_types_use_heap);
free_alloca(arg_values, arg_values_use_heap);
@@ -2627,12 +2630,12 @@ static ZEND_FUNCTION(ffi_trampoline) /* {{{ */
arg_types = do_alloca(
(sizeof(ffi_type*) + sizeof(ffi_type)) * EX_NUM_ARGS(), arg_types_use_heap);
arg_values = do_alloca(
(sizeof(void*) + FFI_SIZEOF_ARG) * EX_NUM_ARGS(), arg_values_use_heap);
(sizeof(void*) + ZEND_FFI_SIZEOF_ARG) * EX_NUM_ARGS(), arg_values_use_heap);
n = 0;
if (type->func.args) {
ZEND_HASH_FOREACH_PTR(type->func.args, arg_type) {
arg_type = ZEND_FFI_TYPE(arg_type);
arg_values[n] = ((char*)arg_values) + (sizeof(void*) * EX_NUM_ARGS()) + (FFI_SIZEOF_ARG * n);
arg_values[n] = ((char*)arg_values) + (sizeof(void*) * EX_NUM_ARGS()) + (ZEND_FFI_SIZEOF_ARG * n);
if (zend_ffi_pass_arg(EX_VAR_NUM(n), arg_type, &arg_types[n], arg_values, n, execute_data) != SUCCESS) {
free_alloca(arg_types, arg_types_use_heap);
free_alloca(arg_values, arg_values_use_heap);