author | Nikita Popov <nikita.ppv@gmail.com> | 2020-10-12 11:22:39 +0200 |
---|---|---|
committer | Nikita Popov <nikita.ppv@gmail.com> | 2020-10-12 11:24:31 +0200 |
commit | 3c4dd73c023e4aea317f774e045fdccc644f24b5 (patch) | |
tree | 844a56d8505a9eb17075a8065dce710d2dc8fb50 | |
parent | e304468e57692d4dfcf283346dd67c3e418e1934 (diff) | |
download | php-git-3c4dd73c023e4aea317f774e045fdccc644f24b5.tar.gz |
Detect self-addition of array more accurately
While the zvals may be different, they may still point to the
same array.
Fixes oss-fuzz #26245.
-rw-r--r-- | Zend/tests/array_self_add_globals.phpt | 10 | ||||
-rw-r--r-- | Zend/zend_operators.c | 2 |
2 files changed, 11 insertions, 1 deletions
diff --git a/Zend/tests/array_self_add_globals.phpt b/Zend/tests/array_self_add_globals.phpt
new file mode 100644
index 0000000000..ebad7c3fdf
--- /dev/null
+++ b/Zend/tests/array_self_add_globals.phpt
@@ -0,0 +1,10 @@
+--TEST--
+Add $GLOBALS to itself
+--FILE--
+<?php
+$GLOBALS += $GLOBALS;
+$x = $GLOBALS + $GLOBALS;
+?>
+===DONE===
+--EXPECT--
+===DONE===
diff --git a/Zend/zend_operators.c b/Zend/zend_operators.c
index 45cdc1b11c..7338e471b6 100644
--- a/Zend/zend_operators.c
+++ b/Zend/zend_operators.c
@@ -903,7 +903,7 @@ try_again:
 static zend_never_inline void ZEND_FASTCALL add_function_array(zval *result, zval *op1, zval *op2) /* {{{ */
 {
- if ((result == op1) && (result == op2)) {
+ if (result == op1 && Z_ARR_P(op1) == Z_ARR_P(op2)) {
 /* $a += $a */
 return;
 } |
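Review bot: The retained comment `/* $a += $a */` under the new guard in add_function_array no longer describes everything the guard catches. It now also returns early when op2 is a different zval whose Z_ARR_P is the same array as op1's, which is presumably the case where the in-place path would otherwise merge a hash table into itself. I would say so in the comment, e.g. `/* $a += $a, or op2 is a distinct zval sharing op1's array: never merge a table into itself */`. The check applies Z_ARR_P to both operands, so it appears to rely on the caller having already established that both are arrays; a one-line note stating that precondition would help, since the caller is not visible here. The function body continues past the end of the hunk.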