authorDmitry Stogov <dmitry@zend.com>2019-02-12 11:21:09 +0300
committerDmitry Stogov <dmitry@zend.com>2019-02-12 11:21:09 +0300
commit7d4de1a77e6d2f96232a68005cdee4866e3eeb58 (patch)
treef6c4f0ba3923609236b14cae008076960e6ba8a7
parent62fd45f530db7b68d60443482fef0e7d55e33b3b (diff)
downloadphp-git-7d4de1a77e6d2f96232a68005cdee4866e3eeb58.tar.gz
Fixed possible crash
-rw-r--r--ext/ffi/ffi.c8
-rw-r--r--ext/ffi/tests/042.phpt16
2 files changed, 23 insertions, 1 deletions
diff --git a/ext/ffi/ffi.c b/ext/ffi/ffi.c
index 1a8f866520..e223a52a92 100644
--- a/ext/ffi/ffi.c
+++ b/ext/ffi/ffi.c
@@ -1138,10 +1138,16 @@ static void zend_ffi_cdata_write_dim(zval *object, zval *offset, zval *value) /*
{
zend_ffi_cdata *cdata = (zend_ffi_cdata*)Z_OBJ_P(object);
zend_ffi_type *type = ZEND_FFI_TYPE(cdata->type);
- zend_long dim = zval_get_long(offset);
+ zend_long dim;
void *ptr;
zend_ffi_flags is_const;
+ if (offset == NULL) {
+ zend_throw_error(zend_ffi_exception_ce, "Cannot add next element to object of type FFI\\CData");
+ return;
+ }
+
+ dim = zval_get_long(offset);
if (EXPECTED(type->kind == ZEND_FFI_TYPE_ARRAY)) {
if (UNEXPECTED((zend_ulong)(dim) >= (zend_ulong)type->array.length)
&& (UNEXPECTED(dim < 0) || UNEXPECTED(type->array.length != 0))) {
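Review bot: The new `offset == NULL` guard at the top of zend_ffi_cdata_write_dim has no comment saying when the engine passes a NULL offset; only the added test (`$a[] = 0;`) shows that it is the append form. I would put `/* offset is NULL for the append form ($cdata[] = value); a C array cannot grow, so reject it before zval_get_long() dereferences it */` above the check so the guard is not later taken for dead code. The other dimension handlers for FFI\CData are not visible in this hunk; if any of them also calls `zval_get_long(offset)` unconditionally, it is worth confirming whether a NULL offset can reach it and guarding it the same way. The body of the function continues past the end of the hunk.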
diff --git a/ext/ffi/tests/042.phpt b/ext/ffi/tests/042.phpt
new file mode 100644
index 0000000000..05450d5727
--- /dev/null
+++ b/ext/ffi/tests/042.phpt
@@ -0,0 +1,16 @@
+--TEST--
+FFI 042: Next array element
+--SKIPIF--
+<?php require_once('skipif.inc'); ?>
+--INI--
+ffi.enable=1
+--FILE--
+<?php
+$a = FFI::new("uint8_t[8]");
+$a[] = 0;
+?>
+--EXPECTF--
+Fatal error: Uncaught FFI\Exception: Cannot add next element to object of type FFI\CData in %sext/ffi/tests/042.php:3
+Stack trace:
+#0 {main}
+ thrown in %sext/ffi/tests/042.php on line 3
\ No newline at end of file