Skip to content

Commit 7b17313

Browse files
dstogovdstogov
committed
Merge branch 'PHP-8.4'
* PHP-8.4: Fix GH-16913: 8.4 function JIT memory corruption (#16943)
2 parents ea39c27 + 7892a0e commit 7b17313

File tree

1 file changed

+35
-2
lines changed

1 file changed

+35
-2
lines changed

ext/opcache/jit/zend_jit_ir.c

Lines changed: 35 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -11720,6 +11720,32 @@ static int zend_jit_rope(zend_jit_ctx *jit, const zend_op *opline, uint32_t op2_
1172011720
return 1;
1172111721
}
1172211722

11723+
static int zend_jit_zval_copy_deref_reg(zend_jit_ctx *jit, zend_jit_addr res_addr, uint32_t res_info, zend_jit_addr val_addr, ir_ref type, ir_ref *values)
11724+
{
11725+
ir_ref if_type, val;
11726+
11727+
if (res_info == MAY_BE_LONG) {
11728+
if_type = ir_IF(ir_EQ(type, ir_CONST_U32(IS_LONG)));
11729+
ir_IF_TRUE(if_type);
11730+
val = jit_ZVAL_ADDR(jit, val_addr);
11731+
ir_END_PHI_list(*values, val);
11732+
ir_IF_FALSE(if_type);
11733+
val = ir_ADD_OFFSET(jit_Z_PTR(jit, val_addr), offsetof(zend_reference, val));
11734+
ir_END_PHI_list(*values, val);
11735+
} else if (res_info == MAY_BE_DOUBLE) {
11736+
if_type = ir_IF(ir_EQ(type, ir_CONST_U32(IS_DOUBLE)));
11737+
ir_IF_TRUE(if_type);
11738+
val = jit_ZVAL_ADDR(jit, val_addr);
11739+
ir_END_PHI_list(*values, val);
11740+
ir_IF_FALSE(if_type);
11741+
val = ir_ADD_OFFSET(jit_Z_PTR(jit, val_addr), offsetof(zend_reference, val));
11742+
ir_END_PHI_list(*values, val);
11743+
} else {
11744+
ZEND_UNREACHABLE();
11745+
}
11746+
return 1;
11747+
}
11748+
1172311749
static int zend_jit_zval_copy_deref(zend_jit_ctx *jit, zend_jit_addr res_addr, zend_jit_addr val_addr, ir_ref type)
1172411750
{
1172511751
ir_ref if_refcounted, if_reference, if_refcounted2, ptr, val2, ptr2, type2;
@@ -14463,9 +14489,16 @@ static int zend_jit_fetch_obj(zend_jit_ctx *jit,
1446314489
}
1446414490
ir_END_list(end_inputs);
1446514491
} else {
14466-
if (((res_info & MAY_BE_GUARD) && JIT_G(current_frame) && prop_info)
14467-
|| Z_MODE(res_addr) == IS_REG) {
14492+
if ((res_info & MAY_BE_GUARD) && JIT_G(current_frame) && prop_info) {
1446814493
ir_END_PHI_list(end_values, jit_ZVAL_ADDR(jit, prop_addr));
14494+
} else if ((res_info & MAY_BE_GUARD) && Z_MODE(res_addr) == IS_REG) {
14495+
ir_END_PHI_list(end_values, jit_ZVAL_ADDR(jit, prop_addr));
14496+
} else if (Z_MODE(res_addr) == IS_REG) {
14497+
prop_type_ref = jit_Z_TYPE_INFO(jit, prop_addr);
14498+
14499+
if (!zend_jit_zval_copy_deref_reg(jit, res_addr, res_info & ~MAY_BE_GUARD, prop_addr, prop_type_ref, &end_values)) {
14500+
return 0;
14501+
}
1446914502
} else {
1447014503
prop_type_ref = jit_Z_TYPE_INFO(jit, prop_addr);
1447114504

0 commit comments

Comments
 (0)