diff --git a/ext/gd/gd.c b/ext/gd/gd.c index 86275ac34a1..17bda3d65e2 100644 --- a/ext/gd/gd.c +++ b/ext/gd/gd.c @@ -3739,7 +3739,24 @@ PHP_FUNCTION(imageconvolution) } } } - res = gdImageConvolution(im_src, matrix, (float)div, (float)offset); + + if (UNEXPECTED(!zend_finite(div))) { + zend_argument_value_error(3, "must be finite"); + RETURN_THROWS(); + } + + float div_float = (float) div; + if (UNEXPECTED(div_float == 0.0f)) { + zend_argument_value_error(3, "must not be 0"); + RETURN_THROWS(); + } + + if (UNEXPECTED(!zend_finite(offset))) { + zend_argument_value_error(4, "must be finite"); + RETURN_THROWS(); + } + + res = gdImageConvolution(im_src, matrix, div_float, (float) offset); if (res) { RETURN_TRUE; diff --git a/ext/gd/tests/gh16255.phpt b/ext/gd/tests/gh16255.phpt new file mode 100644 index 00000000000..147dc5adf37 --- /dev/null +++ b/ext/gd/tests/gh16255.phpt @@ -0,0 +1,34 @@ +--TEST-- +GH-16255 (Unexpected nan value in ext/gd/libgd/gd_filter.c) +--EXTENSIONS-- +gd +--CREDITS-- +cmb69 +--FILE-- +getMessage(), "\n"; +} + +try { + imageconvolution($im, $matrix, 2.225E-307, 1.0); +} catch (ValueError $e) { + echo $e->getMessage(), "\n"; +} + +try { + imageconvolution($im, $matrix, 1, NAN); +} catch (ValueError $e) { + echo $e->getMessage(), "\n"; +} + +?> +--EXPECT-- +imageconvolution(): Argument #3 ($divisor) must be finite +imageconvolution(): Argument #3 ($divisor) must not be 0 +imageconvolution(): Argument #4 ($offset) must be finite diff --git a/ext/opcache/jit/zend_jit_trace.c b/ext/opcache/jit/zend_jit_trace.c index d9db8726a22..7c610b6afac 100644 --- a/ext/opcache/jit/zend_jit_trace.c +++ b/ext/opcache/jit/zend_jit_trace.c @@ -8654,7 +8654,7 @@ int ZEND_FASTCALL zend_jit_trace_exit(uint32_t exit_num, zend_jit_registers_buf if (op->opcode == ZEND_FETCH_DIM_IS || op->opcode == ZEND_FETCH_OBJ_IS) { ZVAL_NULL(EX_VAR_NUM(i)); } else { - assert(op->opcode == ZEND_FETCH_DIM_R || op->opcode == ZEND_FETCH_LIST_R || op->opcode == ZEND_FETCH_OBJ_R); + ZEND_ASSERT(op->opcode == ZEND_FETCH_DIM_R || op->opcode == ZEND_FETCH_LIST_R || op->opcode == ZEND_FETCH_OBJ_R || op->opcode == ZEND_FETCH_DIM_FUNC_ARG || op->opcode == ZEND_FETCH_OBJ_FUNC_ARG); repeat_last_opline = 1; } } else { diff --git a/ext/opcache/tests/jit/gh17140_1.phpt b/ext/opcache/tests/jit/gh17140_1.phpt new file mode 100644 index 00000000000..a37277f69ba --- /dev/null +++ b/ext/opcache/tests/jit/gh17140_1.phpt @@ -0,0 +1,33 @@ +--TEST-- +GH-17140 (Assertion failure in JIT trace exit with ZEND_FETCH_DIM_FUNC_ARG) +--EXTENSIONS-- +opcache +--INI-- +opcache.jit=1254 +opcache.jit_buffer_size=32M +opcache.jit_hot_func=1 +opcache.jit_hot_side_exit=1 +--FILE-- + +--EXPECTF-- +Warning: Undefined variable $i in %s on line %d + +Warning: Undefined array key 0 in %s on line %d +NULL + +Warning: Undefined variable $i in %s on line %d + +Warning: Undefined array key 0 in %s on line %d +NULL + +Warning: Undefined array key 0 in %s on line %d +NULL diff --git a/ext/opcache/tests/jit/gh17140_2.phpt b/ext/opcache/tests/jit/gh17140_2.phpt new file mode 100644 index 00000000000..9ef3177c75f --- /dev/null +++ b/ext/opcache/tests/jit/gh17140_2.phpt @@ -0,0 +1,40 @@ +--TEST-- +GH-17140 (Assertion failure in JIT trace exit with ZEND_FETCH_OBJ_FUNC_ARG) +--EXTENSIONS-- +opcache +--INI-- +opcache.jit=1254 +opcache.jit_buffer_size=32M +opcache.jit_hot_func=1 +opcache.jit_hot_side_exit=1 +--FILE-- +b); + } +} +function test() { + $a['x'] = new X; + for ($fusion = 0; $i < 3; $i++) { + var_dump($a['x']->b); + } +} +test(); +?> +--EXPECTF-- +Warning: Undefined variable $i in %s on line %d + +Warning: Undefined property: Foo\X::$b in %s on line %d +NULL + +Warning: Undefined variable $i in %s on line %d + +Warning: Undefined property: Foo\X::$b in %s on line %d +NULL + +Warning: Undefined property: Foo\X::$b in %s on line %d +NULL