Commit: 592b232e834ed2698fa97ad4dd58e5ab21f257be Author: Nikita Popov <ni...@php.net> Thu, 27 Sep 2012 18:40:00 +0200 Parents: 8cdd6bc1e7dedd4733374b62feb09b88c5ca02db Branches: PHP-5.4 master
Link: http://git.php.net/?p=php-src.git;a=commitdiff;h=592b232e834ed2698fa97ad4dd58e5ab21f257be Log: Fix bug #63173: Crash when invoking invalid array callback The code did not check whether the zend_hash_index_find calls succeded, so PHP crashed when an array callback was called that contains two elements which don't have the indices 0 and 1. Bugs: https://bugs.php.net/63173 Changed paths: A Zend/tests/bug63173.phpt M Zend/zend_vm_def.h M Zend/zend_vm_execute.h Diff: diff --git a/Zend/tests/bug63173.phpt b/Zend/tests/bug63173.phpt new file mode 100644 index 0000000..36ebf20 --- /dev/null +++ b/Zend/tests/bug63173.phpt @@ -0,0 +1,12 @@ +--TEST-- +Bug #63173: Crash when invoking invalid array callback +--FILE-- +<?php + +// the important part here are the indexes 1 and 2 +$callback = [1 => 0, 2 => 0]; +$callback(); + +?> +--EXPECTF-- +Fatal error: Array callback has to contain indices 0 and 1 in %s on line %d diff --git a/Zend/zend_vm_def.h b/Zend/zend_vm_def.h index f5567ea..9d475a6 100644 --- a/Zend/zend_vm_def.h +++ b/Zend/zend_vm_def.h @@ -2412,6 +2412,10 @@ ZEND_VM_HANDLER(59, ZEND_INIT_FCALL_BY_NAME, ANY, CONST|TMP|VAR|CV) zend_hash_index_find(Z_ARRVAL_P(function_name), 0, (void **) &obj); zend_hash_index_find(Z_ARRVAL_P(function_name), 1, (void **) &method); + if (!obj || !method) { + zend_error_noreturn(E_ERROR, "Array callback has to contain indices 0 and 1"); + } + if (Z_TYPE_PP(obj) != IS_STRING && Z_TYPE_PP(obj) != IS_OBJECT) { zend_error_noreturn(E_ERROR, "First array member is not a valid class name or object"); } diff --git a/Zend/zend_vm_execute.h b/Zend/zend_vm_execute.h index 78f3d84..4abe650 100644 --- a/Zend/zend_vm_execute.h +++ b/Zend/zend_vm_execute.h @@ -1256,6 +1256,10 @@ static int ZEND_FASTCALL ZEND_INIT_FCALL_BY_NAME_SPEC_CONST_HANDLER(ZEND_OPCODE zend_hash_index_find(Z_ARRVAL_P(function_name), 0, (void **) &obj); zend_hash_index_find(Z_ARRVAL_P(function_name), 1, (void **) &method); + if (!obj || !method) { + zend_error_noreturn(E_ERROR, "Array callback has to contain indices 0 and 1"); + } + if (Z_TYPE_PP(obj) != IS_STRING && Z_TYPE_PP(obj) != IS_OBJECT) { zend_error_noreturn(E_ERROR, "First array member is not a valid class name or object"); } @@ -1558,6 +1562,10 @@ static int ZEND_FASTCALL ZEND_INIT_FCALL_BY_NAME_SPEC_TMP_HANDLER(ZEND_OPCODE_H zend_hash_index_find(Z_ARRVAL_P(function_name), 0, (void **) &obj); zend_hash_index_find(Z_ARRVAL_P(function_name), 1, (void **) &method); + if (!obj || !method) { + zend_error_noreturn(E_ERROR, "Array callback has to contain indices 0 and 1"); + } + if (Z_TYPE_PP(obj) != IS_STRING && Z_TYPE_PP(obj) != IS_OBJECT) { zend_error_noreturn(E_ERROR, "First array member is not a valid class name or object"); } @@ -1722,6 +1730,10 @@ static int ZEND_FASTCALL ZEND_INIT_FCALL_BY_NAME_SPEC_VAR_HANDLER(ZEND_OPCODE_H zend_hash_index_find(Z_ARRVAL_P(function_name), 0, (void **) &obj); zend_hash_index_find(Z_ARRVAL_P(function_name), 1, (void **) &method); + if (!obj || !method) { + zend_error_noreturn(E_ERROR, "Array callback has to contain indices 0 and 1"); + } + if (Z_TYPE_PP(obj) != IS_STRING && Z_TYPE_PP(obj) != IS_OBJECT) { zend_error_noreturn(E_ERROR, "First array member is not a valid class name or object"); } @@ -1919,6 +1931,10 @@ static int ZEND_FASTCALL ZEND_INIT_FCALL_BY_NAME_SPEC_CV_HANDLER(ZEND_OPCODE_HA zend_hash_index_find(Z_ARRVAL_P(function_name), 0, (void **) &obj); zend_hash_index_find(Z_ARRVAL_P(function_name), 1, (void **) &method); + if (!obj || !method) { + zend_error_noreturn(E_ERROR, "Array callback has to contain indices 0 and 1"); + } + if (Z_TYPE_PP(obj) != IS_STRING && Z_TYPE_PP(obj) != IS_OBJECT) { zend_error_noreturn(E_ERROR, "First array member is not a valid class name or object"); } -- PHP CVS Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
