
Commit c489e36

committed
JIT: Fix array clobbering by user error handler
Fixes oss-fuzz #46336
1 parent c0bb238 commit c489e36


3 files changed

+391
-9
lines changed


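--- a/Zend/zend_vm_def.h
+++ b/Zend/zend_vm_def.h
@@ -2534,7 +2534,18 @@ ZEND_VM_HANDLER(23, ZEND_ASSIGN_DIM, VAR|CV, CONST|TMPVAR|UNUSED|NEXT|CV, SPEC(O
 ZEND_VM_C_LABEL(try_assign_dim_array):
 		SEPARATE_ARRAY(object_ptr);
 		if (OP2_TYPE == IS_UNUSED) {
-			value = GET_OP_DATA_ZVAL_PTR(BP_VAR_R);
+			value = GET_OP_DATA_ZVAL_PTR_UNDEF(BP_VAR_R);
+			if (OP_DATA_TYPE == IS_CV && UNEXPECTED(Z_TYPE_P(value) == IS_UNDEF)) {
+				HashTable *ht = Z_ARRVAL_P(object_ptr);
+				if (!(GC_FLAGS(ht) & IS_ARRAY_IMMUTABLE)) {
+					GC_ADDREF(ht);
+				}
+				value = zval_undefined_cv((opline+1)->op1.var EXECUTE_DATA_CC);
+				if (!(GC_FLAGS(ht) & IS_ARRAY_IMMUTABLE) && !GC_DELREF(ht)) {
+					zend_array_destroy(ht);
+					ZEND_VM_C_GOTO(assign_dim_error);
+				}
+			}
 			if (OP_DATA_TYPE == IS_CV || OP_DATA_TYPE == IS_VAR) {
 				ZVAL_DEREF(value);
 			}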
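Review bot: The post-call check on the added `!GC_DELREF(ht)` line only catches the case where the user error handler dropped the *last* reference to `ht`; a handler that first takes its own copy of the array and then reassigns the variable (`object_ptr` is a CV or VAR that a handler can reach through the symbol table at global scope) leaves the refcount above zero, so execution falls through with `object_ptr` no longer holding `ht` — possibly not an array at all — and whatever the rest of the handler does with `object_ptr` (outside this hunk) is no longer protected by the `SEPARATE_ARRAY` done before the call. I would tighten the guard to also require the variable to still be the array we separated: `if (UNEXPECTED(Z_TYPE_P(object_ptr) != IS_ARRAY || Z_ARRVAL_P(object_ptr) != ht)) { ZEND_VM_C_GOTO(assign_dim_error); }` right after the destroy branch, assuming `assign_dim_error` (defined outside the hunk) is the right bail-out for a clobbered target. The ref-hold dance also deserves a why-comment, since nothing here says why an undefined-CV warning needs refcount juggling: `/* zval_undefined_cv() may run a user error handler that frees or reassigns the array; keep ht alive across the call and bail out if it was released */`. Minor: `GC_FLAGS(ht) & IS_ARRAY_IMMUTABLE` is evaluated twice around a call that cannot change it, so it could be hoisted into one local. The enclosing ZEND_ASSIGN_DIM handler starts and ends outside this hunk.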
