
Commit 7892a0e

Fix GH-16913: 8.4 function JIT memory corruption (#16943)
with '#' will be ignored, and an empty message aborts the commit.
1 parent c310be0 commit 7892a0e

1 file changed

+35
-2
lines changed

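--- a/ext/opcache/jit/zend_jit_ir.c
+++ b/ext/opcache/jit/zend_jit_ir.c
@@ -11523,6 +11523,32 @@ static int zend_jit_rope(zend_jit_ctx *jit, const zend_op *opline, uint32_t op2_
 return 1;
 }
 
+static int zend_jit_zval_copy_deref_reg(zend_jit_ctx *jit, zend_jit_addr res_addr, uint32_t res_info, zend_jit_addr val_addr, ir_ref type, ir_ref *values)
+{
+ir_ref if_type, val;
+
+if (res_info == MAY_BE_LONG) {
+if_type = ir_IF(ir_EQ(type, ir_CONST_U32(IS_LONG)));
+ir_IF_TRUE(if_type);
+val = jit_ZVAL_ADDR(jit, val_addr);
+ir_END_PHI_list(*values, val);
+ir_IF_FALSE(if_type);
+val = ir_ADD_OFFSET(jit_Z_PTR(jit, val_addr), offsetof(zend_reference, val));
+ir_END_PHI_list(*values, val);
+} else if (res_info == MAY_BE_DOUBLE) {
+if_type = ir_IF(ir_EQ(type, ir_CONST_U32(IS_DOUBLE)));
+ir_IF_TRUE(if_type);
+val = jit_ZVAL_ADDR(jit, val_addr);
+ir_END_PHI_list(*values, val);
+ir_IF_FALSE(if_type);
+val = ir_ADD_OFFSET(jit_Z_PTR(jit, val_addr), offsetof(zend_reference, val));
+ir_END_PHI_list(*values, val);
+} else {
+ZEND_UNREACHABLE();
+}
+return 1;
+}
+
 static int zend_jit_zval_copy_deref(zend_jit_ctx *jit, zend_jit_addr res_addr, zend_jit_addr val_addr, ir_ref type)
 {
 ir_ref if_refcounted, if_reference, if_refcounted2, ptr, val2, ptr2, type2;
@@ -14253,9 +14279,16 @@ static int zend_jit_fetch_obj(zend_jit_ctx *jit,
 }
 ir_END_list(end_inputs);
 } else {
-if (((res_info & MAY_BE_GUARD) && JIT_G(current_frame) && prop_info)
-|| Z_MODE(res_addr) == IS_REG) {
+if ((res_info & MAY_BE_GUARD) && JIT_G(current_frame) && prop_info) {
 ir_END_PHI_list(end_values, jit_ZVAL_ADDR(jit, prop_addr));
+} else if ((res_info & MAY_BE_GUARD) && Z_MODE(res_addr) == IS_REG) {
+ir_END_PHI_list(end_values, jit_ZVAL_ADDR(jit, prop_addr));
+} else if (Z_MODE(res_addr) == IS_REG) {
+prop_type_ref = jit_Z_TYPE_INFO(jit, prop_addr);
+
+if (!zend_jit_zval_copy_deref_reg(jit, res_addr, res_info & ~MAY_BE_GUARD, prop_addr, prop_type_ref, &end_values)) {
+return 0;
+}
 } else {
 prop_type_ref = jit_Z_TYPE_INFO(jit, prop_addr);
 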
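Review bot: zend_jit_zval_copy_deref_reg takes res_addr but never reads it, and its ir_IF_FALSE arms treat any slot whose type is not the expected IS_LONG/IS_DOUBLE as a zend_reference (jit_Z_PTR plus offsetof(zend_reference, val)) without checking IS_REFERENCE; neither the unused parameter nor that invariant is documented. A header comment such as `/* Register-allocated result whose only possible type is LONG or DOUBLE: append to *values the address of the zval itself, or of the referenced zval when the slot holds a reference. Callers must guarantee no other type can reach here. */` would make the contract explicit, and res_addr should either be dropped or marked as kept for interface symmetry with zend_jit_zval_copy_deref. The LONG and DOUBLE arms differ only in the type constant, so a single arm keyed on `uint32_t expected = (res_info == MAY_BE_LONG) ? IS_LONG : IS_DOUBLE;` (after the ZEND_UNREACHABLE check for anything else) would remove the duplicated block. In the zend_jit_fetch_obj hunk the first two `if` arms have identical bodies and could be folded into one condition; that function begins and ends outside the hunk, and the helper always returns 1, so the `return 0` path there is currently unreachable.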