diff options
| author | Nikita Popov <nikic@php.net> | 2016-09-28 22:33:40 +0200 |
|---|---|---|
| committer | Nikita Popov <nikic@php.net> | 2016-09-28 22:35:27 +0200 |
| commit | 99bf19c177e272676c363565f5f7b7281a5f1acd (patch) | |
| tree | ff979a60c09430f32d74048a8f47a508c6bee8e9 | |
| parent | 4f0960a800202323ac0b9d1d8041ad8dce31db98 (diff) | |
| download | php-git-99bf19c177e272676c363565f5f7b7281a5f1acd.tar.gz | |
Check next_index_insert failure in ADD_ARRAY_ELEMENT
| -rw-r--r-- | Zend/tests/array_literal_next_element_error.phpt | 16 | ||||
| -rw-r--r-- | Zend/zend_vm_def.h | 5 | ||||
| -rw-r--r-- | Zend/zend_vm_execute.h | 100 |
3 files changed, 100 insertions, 21 deletions
diff --git a/Zend/tests/array_literal_next_element_error.phpt b/Zend/tests/array_literal_next_element_error.phpt new file mode 100644 index 0000000000..59ffeb02c7 --- /dev/null +++ b/Zend/tests/array_literal_next_element_error.phpt @@ -0,0 +1,16 @@ +--TEST-- +Next free element may overflow in array literals +--FILE-- +<?php + +$i = PHP_INT_MAX; +$array = [$i => 42, new stdClass]; +var_dump($array); + +?> +--EXPECTF-- +Warning: Cannot add element to the array as the next element is already occupied in %s on line %d +array(1) { + [%d]=> + int(42) +} diff --git a/Zend/zend_vm_def.h b/Zend/zend_vm_def.h index f79d8a3f9e..bd843d6934 100644 --- a/Zend/zend_vm_def.h +++ b/Zend/zend_vm_def.h @@ -3879,7 +3879,10 @@ ZEND_VM_C_LABEL(num_index): } FREE_OP2(); } else { - zend_hash_next_index_insert(Z_ARRVAL(EX_T(opline->result.var).tmp_var), &expr_ptr, sizeof(zval *), NULL); + if (zend_hash_next_index_insert(Z_ARRVAL(EX_T(opline->result.var).tmp_var), &expr_ptr, sizeof(zval *), NULL) == FAILURE) { + zend_error(E_WARNING, "Cannot add element to the array as the next element is already occupied"); + zval_ptr_dtor(&expr_ptr); + } } if ((OP1_TYPE == IS_VAR || OP1_TYPE == IS_CV) && opline->extended_value) { FREE_OP1_VAR_PTR(); diff --git a/Zend/zend_vm_execute.h b/Zend/zend_vm_execute.h index a31027ee92..f09d05b71c 100644 --- a/Zend/zend_vm_execute.h +++ b/Zend/zend_vm_execute.h @@ -4119,7 +4119,10 @@ num_index: } } else { - zend_hash_next_index_insert(Z_ARRVAL(EX_T(opline->result.var).tmp_var), &expr_ptr, sizeof(zval *), NULL); + if (zend_hash_next_index_insert(Z_ARRVAL(EX_T(opline->result.var).tmp_var), &expr_ptr, sizeof(zval *), NULL) == FAILURE) { + zend_error(E_WARNING, "Cannot add element to the array as the next element is already occupied"); + zval_ptr_dtor(&expr_ptr); + } } if ((IS_CONST == IS_VAR || IS_CONST == IS_CV) && opline->extended_value) { @@ -5030,7 +5033,10 @@ num_index: } zval_dtor(free_op2.var); } else { - zend_hash_next_index_insert(Z_ARRVAL(EX_T(opline->result.var).tmp_var), &expr_ptr, sizeof(zval *), NULL); + if (zend_hash_next_index_insert(Z_ARRVAL(EX_T(opline->result.var).tmp_var), &expr_ptr, sizeof(zval *), NULL) == FAILURE) { + zend_error(E_WARNING, "Cannot add element to the array as the next element is already occupied"); + zval_ptr_dtor(&expr_ptr); + } } if ((IS_CONST == IS_VAR || IS_CONST == IS_CV) && opline->extended_value) { @@ -5894,7 +5900,10 @@ num_index: } zval_ptr_dtor_nogc(&free_op2.var); } else { - zend_hash_next_index_insert(Z_ARRVAL(EX_T(opline->result.var).tmp_var), &expr_ptr, sizeof(zval *), NULL); + if (zend_hash_next_index_insert(Z_ARRVAL(EX_T(opline->result.var).tmp_var), &expr_ptr, sizeof(zval *), NULL) == FAILURE) { + zend_error(E_WARNING, "Cannot add element to the array as the next element is already occupied"); + zval_ptr_dtor(&expr_ptr); + } } if ((IS_CONST == IS_VAR || IS_CONST == IS_CV) && opline->extended_value) { @@ -6614,7 +6623,10 @@ num_index: } } else { - zend_hash_next_index_insert(Z_ARRVAL(EX_T(opline->result.var).tmp_var), &expr_ptr, sizeof(zval *), NULL); + if (zend_hash_next_index_insert(Z_ARRVAL(EX_T(opline->result.var).tmp_var), &expr_ptr, sizeof(zval *), NULL) == FAILURE) { + zend_error(E_WARNING, "Cannot add element to the array as the next element is already occupied"); + zval_ptr_dtor(&expr_ptr); + } } if ((IS_CONST == IS_VAR || IS_CONST == IS_CV) && opline->extended_value) { @@ -7547,7 +7559,10 @@ num_index: } } else { - zend_hash_next_index_insert(Z_ARRVAL(EX_T(opline->result.var).tmp_var), &expr_ptr, sizeof(zval *), NULL); + if (zend_hash_next_index_insert(Z_ARRVAL(EX_T(opline->result.var).tmp_var), &expr_ptr, sizeof(zval *), NULL) == FAILURE) { + zend_error(E_WARNING, "Cannot add element to the array as the next element is already occupied"); + zval_ptr_dtor(&expr_ptr); + } } if ((IS_CONST == IS_VAR || IS_CONST == IS_CV) && opline->extended_value) { @@ -9447,7 +9462,10 @@ num_index: } } else { - zend_hash_next_index_insert(Z_ARRVAL(EX_T(opline->result.var).tmp_var), &expr_ptr, sizeof(zval *), NULL); + if (zend_hash_next_index_insert(Z_ARRVAL(EX_T(opline->result.var).tmp_var), &expr_ptr, sizeof(zval *), NULL) == FAILURE) { + zend_error(E_WARNING, "Cannot add element to the array as the next element is already occupied"); + zval_ptr_dtor(&expr_ptr); + } } if ((IS_TMP_VAR == IS_VAR || IS_TMP_VAR == IS_CV) && opline->extended_value) { @@ -10314,7 +10332,10 @@ num_index: } zval_dtor(free_op2.var); } else { - zend_hash_next_index_insert(Z_ARRVAL(EX_T(opline->result.var).tmp_var), &expr_ptr, sizeof(zval *), NULL); + if (zend_hash_next_index_insert(Z_ARRVAL(EX_T(opline->result.var).tmp_var), &expr_ptr, sizeof(zval *), NULL) == FAILURE) { + zend_error(E_WARNING, "Cannot add element to the array as the next element is already occupied"); + zval_ptr_dtor(&expr_ptr); + } } if ((IS_TMP_VAR == IS_VAR || IS_TMP_VAR == IS_CV) && opline->extended_value) { @@ -11180,7 +11201,10 @@ num_index: } zval_ptr_dtor_nogc(&free_op2.var); } else { - zend_hash_next_index_insert(Z_ARRVAL(EX_T(opline->result.var).tmp_var), &expr_ptr, sizeof(zval *), NULL); + if (zend_hash_next_index_insert(Z_ARRVAL(EX_T(opline->result.var).tmp_var), &expr_ptr, sizeof(zval *), NULL) == FAILURE) { + zend_error(E_WARNING, "Cannot add element to the array as the next element is already occupied"); + zval_ptr_dtor(&expr_ptr); + } } if ((IS_TMP_VAR == IS_VAR || IS_TMP_VAR == IS_CV) && opline->extended_value) { @@ -11775,7 +11799,10 @@ num_index: } } else { - zend_hash_next_index_insert(Z_ARRVAL(EX_T(opline->result.var).tmp_var), &expr_ptr, sizeof(zval *), NULL); + if (zend_hash_next_index_insert(Z_ARRVAL(EX_T(opline->result.var).tmp_var), &expr_ptr, sizeof(zval *), NULL) == FAILURE) { + zend_error(E_WARNING, "Cannot add element to the array as the next element is already occupied"); + zval_ptr_dtor(&expr_ptr); + } } if ((IS_TMP_VAR == IS_VAR || IS_TMP_VAR == IS_CV) && opline->extended_value) { @@ -12624,7 +12651,10 @@ num_index: } } else { - zend_hash_next_index_insert(Z_ARRVAL(EX_T(opline->result.var).tmp_var), &expr_ptr, sizeof(zval *), NULL); + if (zend_hash_next_index_insert(Z_ARRVAL(EX_T(opline->result.var).tmp_var), &expr_ptr, sizeof(zval *), NULL) == FAILURE) { + zend_error(E_WARNING, "Cannot add element to the array as the next element is already occupied"); + zval_ptr_dtor(&expr_ptr); + } } if ((IS_TMP_VAR == IS_VAR || IS_TMP_VAR == IS_CV) && opline->extended_value) { @@ -16107,7 +16137,10 @@ num_index: } } else { - zend_hash_next_index_insert(Z_ARRVAL(EX_T(opline->result.var).tmp_var), &expr_ptr, sizeof(zval *), NULL); + if (zend_hash_next_index_insert(Z_ARRVAL(EX_T(opline->result.var).tmp_var), &expr_ptr, sizeof(zval *), NULL) == FAILURE) { + zend_error(E_WARNING, "Cannot add element to the array as the next element is already occupied"); + zval_ptr_dtor(&expr_ptr); + } } if ((IS_VAR == IS_VAR || IS_VAR == IS_CV) && opline->extended_value) { if (free_op1.var) {zval_ptr_dtor_nogc(&free_op1.var);}; @@ -18387,7 +18420,10 @@ num_index: } zval_dtor(free_op2.var); } else { - zend_hash_next_index_insert(Z_ARRVAL(EX_T(opline->result.var).tmp_var), &expr_ptr, sizeof(zval *), NULL); + if (zend_hash_next_index_insert(Z_ARRVAL(EX_T(opline->result.var).tmp_var), &expr_ptr, sizeof(zval *), NULL) == FAILURE) { + zend_error(E_WARNING, "Cannot add element to the array as the next element is already occupied"); + zval_ptr_dtor(&expr_ptr); + } } if ((IS_VAR == IS_VAR || IS_VAR == IS_CV) && opline->extended_value) { if (free_op1.var) {zval_ptr_dtor_nogc(&free_op1.var);}; @@ -20725,7 +20761,10 @@ num_index: } zval_ptr_dtor_nogc(&free_op2.var); } else { - zend_hash_next_index_insert(Z_ARRVAL(EX_T(opline->result.var).tmp_var), &expr_ptr, sizeof(zval *), NULL); + if (zend_hash_next_index_insert(Z_ARRVAL(EX_T(opline->result.var).tmp_var), &expr_ptr, sizeof(zval *), NULL) == FAILURE) { + zend_error(E_WARNING, "Cannot add element to the array as the next element is already occupied"); + zval_ptr_dtor(&expr_ptr); + } } if ((IS_VAR == IS_VAR || IS_VAR == IS_CV) && opline->extended_value) { if (free_op1.var) {zval_ptr_dtor_nogc(&free_op1.var);}; @@ -22165,7 +22204,10 @@ num_index: } } else { - zend_hash_next_index_insert(Z_ARRVAL(EX_T(opline->result.var).tmp_var), &expr_ptr, sizeof(zval *), NULL); + if (zend_hash_next_index_insert(Z_ARRVAL(EX_T(opline->result.var).tmp_var), &expr_ptr, sizeof(zval *), NULL) == FAILURE) { + zend_error(E_WARNING, "Cannot add element to the array as the next element is already occupied"); + zval_ptr_dtor(&expr_ptr); + } } if ((IS_VAR == IS_VAR || IS_VAR == IS_CV) && opline->extended_value) { if (free_op1.var) {zval_ptr_dtor_nogc(&free_op1.var);}; @@ -24220,7 +24262,10 @@ num_index: } } else { - zend_hash_next_index_insert(Z_ARRVAL(EX_T(opline->result.var).tmp_var), &expr_ptr, sizeof(zval *), NULL); + if (zend_hash_next_index_insert(Z_ARRVAL(EX_T(opline->result.var).tmp_var), &expr_ptr, sizeof(zval *), NULL) == FAILURE) { + zend_error(E_WARNING, "Cannot add element to the array as the next element is already occupied"); + zval_ptr_dtor(&expr_ptr); + } } if ((IS_VAR == IS_VAR || IS_VAR == IS_CV) && opline->extended_value) { if (free_op1.var) {zval_ptr_dtor_nogc(&free_op1.var);}; @@ -33574,7 +33619,10 @@ num_index: } } else { - zend_hash_next_index_insert(Z_ARRVAL(EX_T(opline->result.var).tmp_var), &expr_ptr, sizeof(zval *), NULL); + if (zend_hash_next_index_insert(Z_ARRVAL(EX_T(opline->result.var).tmp_var), &expr_ptr, sizeof(zval *), NULL) == FAILURE) { + zend_error(E_WARNING, "Cannot add element to the array as the next element is already occupied"); + zval_ptr_dtor(&expr_ptr); + } } if ((IS_CV == IS_VAR || IS_CV == IS_CV) && opline->extended_value) { @@ -35717,7 +35765,10 @@ num_index: } zval_dtor(free_op2.var); } else { - zend_hash_next_index_insert(Z_ARRVAL(EX_T(opline->result.var).tmp_var), &expr_ptr, sizeof(zval *), NULL); + if (zend_hash_next_index_insert(Z_ARRVAL(EX_T(opline->result.var).tmp_var), &expr_ptr, sizeof(zval *), NULL) == FAILURE) { + zend_error(E_WARNING, "Cannot add element to the array as the next element is already occupied"); + zval_ptr_dtor(&expr_ptr); + } } if ((IS_CV == IS_VAR || IS_CV == IS_CV) && opline->extended_value) { @@ -37917,7 +37968,10 @@ num_index: } zval_ptr_dtor_nogc(&free_op2.var); } else { - zend_hash_next_index_insert(Z_ARRVAL(EX_T(opline->result.var).tmp_var), &expr_ptr, sizeof(zval *), NULL); + if (zend_hash_next_index_insert(Z_ARRVAL(EX_T(opline->result.var).tmp_var), &expr_ptr, sizeof(zval *), NULL) == FAILURE) { + zend_error(E_WARNING, "Cannot add element to the array as the next element is already occupied"); + zval_ptr_dtor(&expr_ptr); + } } if ((IS_CV == IS_VAR || IS_CV == IS_CV) && opline->extended_value) { @@ -39225,7 +39279,10 @@ num_index: } } else { - zend_hash_next_index_insert(Z_ARRVAL(EX_T(opline->result.var).tmp_var), &expr_ptr, sizeof(zval *), NULL); + if (zend_hash_next_index_insert(Z_ARRVAL(EX_T(opline->result.var).tmp_var), &expr_ptr, sizeof(zval *), NULL) == FAILURE) { + zend_error(E_WARNING, "Cannot add element to the array as the next element is already occupied"); + zval_ptr_dtor(&expr_ptr); + } } if ((IS_CV == IS_VAR || IS_CV == IS_CV) && opline->extended_value) { @@ -41125,7 +41182,10 @@ num_index: } } else { - zend_hash_next_index_insert(Z_ARRVAL(EX_T(opline->result.var).tmp_var), &expr_ptr, sizeof(zval *), NULL); + if (zend_hash_next_index_insert(Z_ARRVAL(EX_T(opline->result.var).tmp_var), &expr_ptr, sizeof(zval *), NULL) == FAILURE) { + zend_error(E_WARNING, "Cannot add element to the array as the next element is already occupied"); + zval_ptr_dtor(&expr_ptr); + } } if ((IS_CV == IS_VAR || IS_CV == IS_CV) && opline->extended_value) { |