Fix out of bounds access in gc_find_additional_buffer()

author: Nikita Popov <nikita.ppv@gmail.com> 2017-03-07 13:16:06 +0100
committer: Nikita Popov <nikita.ppv@gmail.com> 2017-03-07 13:16:06 +0100
commit: 549a30d2cd7756abc5f5116dfebe217098ade5c5 (patch)
tree: 231be576fc26f12a94cf6c4f01bb0e57ff1133cb /Zend
parent: 648b756f35fdfc1948126ce954a3f7d6bd479ba5 (diff)
download: php-git-549a30d2cd7756abc5f5116dfebe217098ade5c5.tar.gz
1 files changed, 6 insertions, 3 deletions
diff --git a/Zend/zend_gc.c b/Zend/zend_gc.c
index 0b9ce8ccc5..badbf34c3d 100644
--- a/Zend/zend_gc.c
+++ b/Zend/zend_gc.c
@@ -275,9 +275,12 @@ static zend_always_inline gc_root_buffer* gc_find_additional_buffer(zend_refcoun
 
 	/* We have to check each additional_buffer to find which one holds the ref */
 	while (additional_buffer) {
-		gc_root_buffer *root = additional_buffer->buf + (GC_ADDRESS(GC_INFO(ref)) - GC_ROOT_BUFFER_MAX_ENTRIES);
-		if (root->ref == ref) {
-			return root;
+		uint32_t idx = GC_ADDRESS(GC_INFO(ref)) - GC_ROOT_BUFFER_MAX_ENTRIES;
+		if (idx < additional_buffer->used) {
+			gc_root_buffer *root = additional_buffer->buf + idx;
+			if (root->ref == ref) {
+				return root;
+			}
 		}
 		additional_buffer = additional_buffer->next;
 	}
author	Nikita Popov <nikita.ppv@gmail.com>	2017-03-07 13:16:06 +0100
committer	Nikita Popov <nikita.ppv@gmail.com>	2017-03-07 13:16:06 +0100
commit	549a30d2cd7756abc5f5116dfebe217098ade5c5 (patch)
tree	231be576fc26f12a94cf6c4f01bb0e57ff1133cb /Zend
parent	648b756f35fdfc1948126ce954a3f7d6bd479ba5 (diff)
download	php-git-549a30d2cd7756abc5f5116dfebe217098ade5c5.tar.gz