3807d63350
- fix zend_register_functions breaks reflection, php bug 66218 - fix Heap buffer over-read in DateInterval, php bug 66060 - fix fix overflow handling bug in non-x86
42 lines
1.5 KiB
Diff
42 lines
1.5 KiB
Diff
From 60d2e70c062e436a6c6cd3c8a17469a083a38b46 Mon Sep 17 00:00:00 2001
|
|
From: Ard Biesheuvel <ard.biesheuvel@linaro.org>
|
|
Date: Tue, 10 Dec 2013 12:07:46 +0100
|
|
Subject: [PATCH] Zend: fix overflow handling bug in non-x86
|
|
fast_add_function()
|
|
|
|
The 'result' argument of fast_add_function() may alias with either
|
|
of its operands (or both). Take care not to write to 'result' before
|
|
reading op1 and op2.
|
|
---
|
|
Zend/zend_operators.h | 9 +++++++--
|
|
1 file changed, 7 insertions(+), 2 deletions(-)
|
|
|
|
diff --git a/Zend/zend_operators.h b/Zend/zend_operators.h
|
|
index 0152e03..5c6fc86 100644
|
|
--- a/Zend/zend_operators.h
|
|
+++ b/Zend/zend_operators.h
|
|
@@ -640,13 +640,18 @@ static zend_always_inline int fast_add_function(zval *result, zval *op1, zval *o
|
|
"n"(ZVAL_OFFSETOF_TYPE)
|
|
: "rax","cc");
|
|
#else
|
|
- Z_LVAL_P(result) = Z_LVAL_P(op1) + Z_LVAL_P(op2);
|
|
+ /*
|
|
+ * 'result' may alias with op1 or op2, so we need to
|
|
+ * ensure that 'result' is not updated until after we
|
|
+ * have read the values of op1 and op2.
|
|
+ */
|
|
|
|
if (UNEXPECTED((Z_LVAL_P(op1) & LONG_SIGN_MASK) == (Z_LVAL_P(op2) & LONG_SIGN_MASK)
|
|
- && (Z_LVAL_P(op1) & LONG_SIGN_MASK) != (Z_LVAL_P(result) & LONG_SIGN_MASK))) {
|
|
+ && (Z_LVAL_P(op1) & LONG_SIGN_MASK) != ((Z_LVAL_P(op1) + Z_LVAL_P(op2)) & LONG_SIGN_MASK))) {
|
|
Z_DVAL_P(result) = (double) Z_LVAL_P(op1) + (double) Z_LVAL_P(op2);
|
|
Z_TYPE_P(result) = IS_DOUBLE;
|
|
} else {
|
|
+ Z_LVAL_P(result) = Z_LVAL_P(op1) + Z_LVAL_P(op2);
|
|
Z_TYPE_P(result) = IS_LONG;
|
|
}
|
|
#endif
|
|
--
|
|
1.8.4.3
|
|
|