From 623da03845e424ebf3053adbee59eb13c172bb27 Mon Sep 17 00:00:00 2001
From: Ilija Tovilo
Date: Fri, 8 Dec 2023 12:56:30 +0100
Subject: [PATCH] Fix zend_jit_undefined_long_key overwriting dim when dim == result

Fixes oss-fuzz #64727
Closes GH-12900
---
 NEWS | 4 ++++
 ext/opcache/jit/zend_jit_vm_helpers.c | 4 ++--
 ext/opcache/tests/jit/oss-fuzz-64727.phpt | 27 +++++++++++++++++++++++
 3 files changed, 33 insertions(+), 2 deletions(-)
 create mode 100644 ext/opcache/tests/jit/oss-fuzz-64727.phpt

diff --git a/NEWS b/NEWS
index 6c3e837a49eeb..f2c2ede3ae0ad 100644
--- a/NEWS
+++ b/NEWS
@@ -6,6 +6,10 @@ PHP NEWS
   . Fix incorrect timeout in built-in web server when using router script
     and max_input_time. (ilutov)
 
+- Opcache:
+  . Fixed oss-fuzz #64727 (JIT undefined array key warning may overwrite DIM
+    with NULL when DIM is the same var as result). (ilutov)
+
 21 Dec 2023, PHP 8.2.14
 
 - Core:
diff --git a/ext/opcache/jit/zend_jit_vm_helpers.c b/ext/opcache/jit/zend_jit_vm_helpers.c
index ff7fbd87546eb..fe9d5fdaa8da5 100644
--- a/ext/opcache/jit/zend_jit_vm_helpers.c
+++ b/ext/opcache/jit/zend_jit_vm_helpers.c
@@ -205,7 +205,6 @@ void ZEND_FASTCALL zend_jit_undefined_long_key(EXECUTE_DATA_D)
 	zval *result = EX_VAR(opline->result.var);
 	zval *dim;
 
-	ZVAL_NULL(result);
 	if (opline->op2_type == IS_CONST) {
 		dim = RT_CONSTANT(opline, opline->op2);
 	} else {
@@ -213,6 +212,7 @@ void ZEND_FASTCALL zend_jit_undefined_long_key(EXECUTE_DATA_D)
 	}
 	ZEND_ASSERT(Z_TYPE_P(dim) == IS_LONG);
 	zend_error(E_WARNING, "Undefined array key " ZEND_LONG_FMT, Z_LVAL_P(dim));
+	ZVAL_NULL(result);
 }
 
 void ZEND_FASTCALL zend_jit_undefined_string_key(EXECUTE_DATA_D)
@@ -222,7 +222,6 @@ void ZEND_FASTCALL zend_jit_undefined_string_key(EXECUTE_DATA_D)
 	zval *dim;
 	zend_ulong lval;
 
-	ZVAL_NULL(result);
 	if (opline->op2_type == IS_CONST) {
 		dim = RT_CONSTANT(opline, opline->op2);
 	} else {
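Review bot: Nothing on the added `ZVAL_NULL(result);` line in zend_jit_undefined_long_key records that the write must stay after the `zend_error` call, so a later tidy-up could hoist it back above the `dim` lookup and reintroduce the aliasing bug the commit message describes. Suggest `/* result may be the same var slot as dim (oss-fuzz #64727): read dim before writing result */` on that line, and the same comment on the matching line added to zend_jit_undefined_string_key in the @@ -234,6 +233,7 @@ hunk. The new ordering is also what makes `ZEND_ASSERT(Z_TYPE_P(dim) == IS_LONG)` meaningful in the aliased case, since it no longer inspects a slot that was just set to NULL. The function's opening lines are outside this hunk.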
@@ -234,6 +233,7 @@ void ZEND_FASTCALL zend_jit_undefined_string_key(EXECUTE_DATA_D)
 	} else {
 		zend_error(E_WARNING, "Undefined array key \"%s\"", Z_STRVAL_P(dim));
 	}
+	ZVAL_NULL(result);
 }
 
 ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL zend_jit_profile_helper(ZEND_OPCODE_HANDLER_ARGS)
diff --git a/ext/opcache/tests/jit/oss-fuzz-64727.phpt b/ext/opcache/tests/jit/oss-fuzz-64727.phpt
new file mode 100644
index 0000000000000..e8479d1d2f6e4
--- /dev/null
+++ b/ext/opcache/tests/jit/oss-fuzz-64727.phpt
@@ -0,0 +1,27 @@
+--TEST--
+oss-fuzz #64727
+--INI--
+opcache.enable_cli=1
+opcache.jit_buffer_size=64M
+opcache.jit=function
+--EXTENSIONS--
+opcache
+--FILE--
+--EXPECT--
+int(0)
+int(3)
+int(3)
+NULL
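Review bot: With result and dim able to share a var slot, the added `ZVAL_NULL(result);` overwrites that slot without releasing the string that `Z_STRVAL_P(dim)` was read from one line earlier, so a refcounted key in the aliased case would lose a reference. This is presumably ruled out because the optimizer only lets the result land directly in a CV whose previous value needs no destructor, but that guarantee is not visible here; a cheap guard would be `ZEND_ASSERT(result != dim || !Z_REFCOUNTED_P(dim));` just before the new line. The start of zend_jit_undefined_string_key is outside this hunk.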