Commit 6eb3fae

iluuu1994 iluuu1994

committed

Fix use-of-uninitialized-value in zend_get_arg_offset_by_name()

Don't access fbc->op_array.refcount on internal function. Don't attempt to cache ZEND_ACC_USER_ARG_INFO at all, which is only used in zend_get_closure_invoke_method(). This may reuse arg_info from a temporary closure, and hence caching would also be unsafe. Also avoid populating the cache slot for variadic parameters, where the ZEND_ACC_USER_ARG_INFO is set for the same reason. Closes GH-19856

1 parent 75217c1 commit 6eb3faeCopy full SHA for 6eb3fae

File tree

1 file changed

-3

lines changed

Zend
- zend_execute.c

1 file changed

-3

lines changed

`‎Zend/zend_execute.c‎`

Lines changed: 6 additions & 3 deletions

Original file line number	Diff line number	Diff line change
`@@ -5072,9 +5072,9 @@ static zend_always_inline uint32_t zend_get_arg_offset_by_name(`
`5072`	`5072`	`if (EXPECTED(fbc->type == ZEND_USER_FUNCTION)`
`5073`	`5073`	`\|\| EXPECTED(fbc->common.fn_flags & ZEND_ACC_USER_ARG_INFO)) {`
`5074`	`5074`	`for (uint32_t i = 0; i < num_args; i++) {`
`5075`		`- zend_arg_info *arg_info = &fbc->op_array.arg_info[i];`
	`5075`	`+ zend_arg_info *arg_info = &fbc->common.arg_info[i];`
`5076`	`5076`	`if (zend_string_equals(arg_name, arg_info->name)) {`
`5077`		`- if (!fbc->op_array.refcount \|\| !(fbc->op_array.fn_flags & ZEND_ACC_CLOSURE)) {`
	`5077`	`+ if (fbc->type==ZEND_USER_FUNCTION&& (!fbc->op_array.refcount \|\| !(fbc->op_array.fn_flags & ZEND_ACC_CLOSURE))) {`
`5078`	`5078`	`*cache_slot = unique_id;`
`5079`	`5079`	`(uintptr_t )(cache_slot + 1) = i;`
`5080`	`5080`	`}`
`@@ -5094,7 +5094,10 @@ static zend_always_inline uint32_t zend_get_arg_offset_by_name(`
`5094`	`5094`	`}`
`5095`	`5095`
`5096`	`5096`	`if (fbc->common.fn_flags & ZEND_ACC_VARIADIC) {`
`5097`		`- if (fbc->type == ZEND_INTERNAL_FUNCTION \|\| !fbc->op_array.refcount \|\| !(fbc->op_array.fn_flags & ZEND_ACC_CLOSURE)) {`
	`5097`	`+ if ((fbc->type == ZEND_USER_FUNCTION`
	`5098`	`+ && (!fbc->op_array.refcount \|\| !(fbc->op_array.fn_flags & ZEND_ACC_CLOSURE)))`
	`5099`	`+ \|\| (fbc->type == ZEND_INTERNAL_FUNCTION`
	`5100`	`+ && !(fbc->common.fn_flags & ZEND_ACC_USER_ARG_INFO))) {`
`5098`	`5101`	`*cache_slot = unique_id;`
`5099`	`5102`	`(uintptr_t )(cache_slot + 1) = fbc->common.num_args;`
`5100`	`5103`	`}`

0 commit comments

Comments

(0)

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit 6eb3fae

File tree

1 file changed

1 file changed

`‎Zend/zend_execute.c‎`

0 commit comments