diff options
| author | Nikita Popov <nikic@php.net> | 2012-09-27 18:40:00 +0200 |
|---|---|---|
| committer | Nikita Popov <nikic@php.net> | 2012-09-27 18:40:00 +0200 |
| commit | 592b232e834ed2698fa97ad4dd58e5ab21f257be (patch) | |
| tree | 18b64312b6f5591c1c4e90ca61065ca331f7c782 /Zend/zend_vm_execute.h | |
| parent | 8cdd6bc1e7dedd4733374b62feb09b88c5ca02db (diff) | |
| download | php-git-592b232e834ed2698fa97ad4dd58e5ab21f257be.tar.gz | |
Fix bug #63173: Crash when invoking invalid array callback
The code did not check whether the zend_hash_index_find calls succeded,
so PHP crashed when an array callback was called that contains two elements
which don't have the indices 0 and 1.
Diffstat (limited to 'Zend/zend_vm_execute.h')
| -rw-r--r-- | Zend/zend_vm_execute.h | 16 |
1 files changed, 16 insertions, 0 deletions
diff --git a/Zend/zend_vm_execute.h b/Zend/zend_vm_execute.h index 78f3d8496d..4abe6503cd 100644 --- a/Zend/zend_vm_execute.h +++ b/Zend/zend_vm_execute.h @@ -1256,6 +1256,10 @@ static int ZEND_FASTCALL ZEND_INIT_FCALL_BY_NAME_SPEC_CONST_HANDLER(ZEND_OPCODE zend_hash_index_find(Z_ARRVAL_P(function_name), 0, (void **) &obj); zend_hash_index_find(Z_ARRVAL_P(function_name), 1, (void **) &method); + if (!obj || !method) { + zend_error_noreturn(E_ERROR, "Array callback has to contain indices 0 and 1"); + } + if (Z_TYPE_PP(obj) != IS_STRING && Z_TYPE_PP(obj) != IS_OBJECT) { zend_error_noreturn(E_ERROR, "First array member is not a valid class name or object"); } @@ -1558,6 +1562,10 @@ static int ZEND_FASTCALL ZEND_INIT_FCALL_BY_NAME_SPEC_TMP_HANDLER(ZEND_OPCODE_H zend_hash_index_find(Z_ARRVAL_P(function_name), 0, (void **) &obj); zend_hash_index_find(Z_ARRVAL_P(function_name), 1, (void **) &method); + if (!obj || !method) { + zend_error_noreturn(E_ERROR, "Array callback has to contain indices 0 and 1"); + } + if (Z_TYPE_PP(obj) != IS_STRING && Z_TYPE_PP(obj) != IS_OBJECT) { zend_error_noreturn(E_ERROR, "First array member is not a valid class name or object"); } @@ -1722,6 +1730,10 @@ static int ZEND_FASTCALL ZEND_INIT_FCALL_BY_NAME_SPEC_VAR_HANDLER(ZEND_OPCODE_H zend_hash_index_find(Z_ARRVAL_P(function_name), 0, (void **) &obj); zend_hash_index_find(Z_ARRVAL_P(function_name), 1, (void **) &method); + if (!obj || !method) { + zend_error_noreturn(E_ERROR, "Array callback has to contain indices 0 and 1"); + } + if (Z_TYPE_PP(obj) != IS_STRING && Z_TYPE_PP(obj) != IS_OBJECT) { zend_error_noreturn(E_ERROR, "First array member is not a valid class name or object"); } @@ -1919,6 +1931,10 @@ static int ZEND_FASTCALL ZEND_INIT_FCALL_BY_NAME_SPEC_CV_HANDLER(ZEND_OPCODE_HA zend_hash_index_find(Z_ARRVAL_P(function_name), 0, (void **) &obj); zend_hash_index_find(Z_ARRVAL_P(function_name), 1, (void **) &method); + if (!obj || !method) { + zend_error_noreturn(E_ERROR, "Array callback has to contain indices 0 and 1"); + } + if (Z_TYPE_PP(obj) != IS_STRING && Z_TYPE_PP(obj) != IS_OBJECT) { zend_error_noreturn(E_ERROR, "First array member is not a valid class name or object"); } |