clones/php-src
1
0
Fork 0
mirror of https://github.com/php/php-src.git synced 2024-09-21 18:07:23 +00:00
Code Issues Packages Projects Releases Wiki Activity

JIT: Fix uninitialized result of ASSIGN_DIM[_OP] after clobbering array by user error handler

Browse Source 
Fixes oss-fuzz #41208
This commit is contained in:
Dmitry Stogov 2021-11-30 11:40:18 +03:00
parent 86430e8e01
commit 6e1fe96962
2 changed files with 44 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

28
ext/opcache/jit/zend_jit_helpers.c
View File

@ -673,6 +673,8 @@ static zval* ZEND_FASTCALL zend_jit_fetch_dim_rw_helper(zend_array *ht, zval *di
zend_ulong hval;
zend_string *offset_key;
zval *retval;
zend_execute_data *execute_data;
const zend_op *opline;
if (Z_TYPE_P(dim) == IS_REFERENCE) {
dim = Z_REFVAL_P(dim);
@ -686,9 +688,15 @@ static zval* ZEND_FASTCALL zend_jit_fetch_dim_rw_helper(zend_array *ht, zval *di
offset_key = Z_STR_P(dim);
goto str_index;
case IS_UNDEF:
if (!zend_jit_undefined_op_helper_write(ht, EG(current_execute_data)->opline->op2.var)) {
if (EG(exception)) {
undef_result_after_exception();
execute_data = EG(current_execute_data);
opline = EX(opline);
if (!zend_jit_undefined_op_helper_write(ht, opline->op2.var)) {
if (opline->result_type & (IS_VAR | IS_TMP_VAR)) {
if (EG(exception)) {
ZVAL_UNDEF(EX_VAR(opline->result.var));
} else {
ZVAL_NULL(EX_VAR(opline->result.var));
}
}
return NULL;
}
@ -760,6 +768,8 @@ static zval* ZEND_FASTCALL zend_jit_fetch_dim_w_helper(zend_array *ht, zval *dim
zend_ulong hval;
zend_string *offset_key;
zval *retval;
zend_execute_data *execute_data;
const zend_op *opline;
if (Z_TYPE_P(dim) == IS_REFERENCE) {
dim = Z_REFVAL_P(dim);
@ -773,9 +783,15 @@ static zval* ZEND_FASTCALL zend_jit_fetch_dim_w_helper(zend_array *ht, zval *dim
offset_key = Z_STR_P(dim);
goto str_index;
case IS_UNDEF:
if (!zend_jit_undefined_op_helper_write(ht, EG(current_execute_data)->opline->op2.var)) {
if (EG(exception)) {
undef_result_after_exception();
execute_data = EG(current_execute_data);
opline = EX(opline);
if (!zend_jit_undefined_op_helper_write(ht, opline->op2.var)) {
if (opline->result_type & (IS_VAR | IS_TMP_VAR)) {
if (EG(exception)) {
ZVAL_UNDEF(EX_VAR(opline->result.var));
} else {
ZVAL_NULL(EX_VAR(opline->result.var));
}
}
return NULL;
}

22
ext/opcache/tests/jit/assign_dim_005.phpt Normal file
View File

@ -0,0 +1,22 @@
--TEST--
JIT ASSIGN_DIM: 005
--INI--
opcache.enable=1
opcache.enable_cli=1
opcache.file_update_protection=0
opcache.jit_buffer_size=1M
--FILE--
<?php
set_error_handler(function ($code, $msg) {
echo "Error: $msg\n";
$GLOBALS['a'] = null;
});
$a[$c] =
$a[$c] = 'x' ;
var_dump($a);
?>
--EXPECT--
Error: Undefined variable $c
Error: Undefined variable $c
NULL