
Fix compiler segfault during call compilation (#20054)

This happens because of the changes in 28fd7597ba, after which the opline's opcode may be read after the opcode array has been reallocated (the opline pointer is then dangling).
To fix this, we copy the opcode into a temporary variable before emitting the new op.
This commit is contained in:
Niels Dossche
2025-10-03 22:30:07 +02:00
committed by GitHub
parent d2fcf04b64
commit 969e837d5b


@@ -3956,19 +3956,21 @@ static bool zend_compile_call_common(znode *result, zend_ast *args_ast, zend_fun
if (args_ast->kind == ZEND_AST_CALLABLE_CONVERT) {
opline = &CG(active_op_array)->opcodes[opnum_init];
opline->extended_value = 0;
/* opcode array may be reallocated, so don't access opcode field after zend_emit_op_tmp(). */
uint8_t opcode = opline->opcode;
if (opline->opcode == ZEND_NEW) {
if (opcode == ZEND_NEW) {
zend_error_noreturn(E_COMPILE_ERROR, "Cannot create Closure for new expression");
}
if (opline->opcode == ZEND_INIT_FCALL) {
if (opcode == ZEND_INIT_FCALL) {
opline->op1.num = zend_vm_calc_used_stack(0, fbc);
}
zend_op *callable_convert_op = zend_emit_op_tmp(result, ZEND_CALLABLE_CONVERT, NULL, NULL);
if (opline->opcode == ZEND_INIT_FCALL
|| opline->opcode == ZEND_INIT_FCALL_BY_NAME
|| opline->opcode == ZEND_INIT_NS_FCALL_BY_NAME) {
if (opcode == ZEND_INIT_FCALL
|| opcode == ZEND_INIT_FCALL_BY_NAME
|| opcode == ZEND_INIT_NS_FCALL_BY_NAME) {
callable_convert_op->extended_value = zend_alloc_cache_slot();
} else {
callable_convert_op->extended_value = (uint32_t)-1;