clones/php-src
1
0
Fork 0
mirror of https://github.com/php/php-src.git synced 2024-09-21 09:57:23 +00:00
Code Issues Packages Projects Releases Wiki Activity

Fix arsort() crash on recursion

Browse Source 
Fixes oss-fuzz #46315
This commit is contained in:
Dmitry Stogov 2022-04-04 12:03:39 +03:00
parent e4c7ffc152
commit 14fddd17df
2 changed files with 33 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
Zend/tests/bug63882_2.phpt Normal file
View File

@ -0,0 +1,23 @@
--TEST--
Bug #63882_2 (arsort crash on recursion)
--FILE--
<?php
$token = array();
$conditions = array();
for ($i = 0; $i <= 2; $i++) {
$tokens = $conditions;
$a[0] =& $a;
$a = unserialize(serialize($GLOBALS));
$a[0] =& $a;
$a = unserialize(serialize($GLOBALS));
$a[0] =& $a;
foreach($a as $v) {
if ($v == 1) {
arsort($a);
}
}
}
?>
DONE
--EXPECT--
DONE

10
Zend/zend_hash.c
View File

@ -2551,6 +2551,16 @@ ZEND_API void ZEND_FASTCALL zend_hash_sort_ex(HashTable *ht, sort_func_t sort, b
ht->nNumUsed = i;
}
if (!(HT_FLAGS(ht) & HASH_FLAG_PACKED)) {
/* We broke the hash colisions chains overriding Z_NEXT() by Z_EXTRA().
* Reset the hash headers table as well to avoid possilbe inconsistent
* access on recursive data structures.
*
* See Zend/tests/bug63882_2.phpt
*/
HT_HASH_RESET(ht);
}
sort((void *)ht->arData, ht->nNumUsed, sizeof(Bucket), (compare_func_t) compar,
(swap_func_t)(renumber? zend_hash_bucket_renum_swap :
((HT_FLAGS(ht) & HASH_FLAG_PACKED) ? zend_hash_bucket_packed_swap : zend_hash_bucket_swap)));