summaryrefslogtreecommitdiff
path: root/Zend
diff options
context:
space:
mode:
authorNikita Popov <nikic@php.net>2016-09-28 22:33:40 +0200
committerNikita Popov <nikic@php.net>2016-09-28 22:35:27 +0200
commit99bf19c177e272676c363565f5f7b7281a5f1acd (patch)
treeff979a60c09430f32d74048a8f47a508c6bee8e9 /Zend
parent4f0960a800202323ac0b9d1d8041ad8dce31db98 (diff)
downloadphp-git-99bf19c177e272676c363565f5f7b7281a5f1acd.tar.gz
Check next_index_insert failure in ADD_ARRAY_ELEMENT
Diffstat (limited to 'Zend')
-rw-r--r--Zend/tests/array_literal_next_element_error.phpt16
-rw-r--r--Zend/zend_vm_def.h5
-rw-r--r--Zend/zend_vm_execute.h100
3 files changed, 100 insertions, 21 deletions
diff --git a/Zend/tests/array_literal_next_element_error.phpt b/Zend/tests/array_literal_next_element_error.phpt
new file mode 100644
index 0000000000..59ffeb02c7
--- /dev/null
+++ b/Zend/tests/array_literal_next_element_error.phpt
@@ -0,0 +1,16 @@
+--TEST--
+Next free element may overflow in array literals
+--FILE--
+<?php
+
+$i = PHP_INT_MAX;
+$array = [$i => 42, new stdClass];
+var_dump($array);
+
+?>
+--EXPECTF--
+Warning: Cannot add element to the array as the next element is already occupied in %s on line %d
+array(1) {
+ [%d]=>
+ int(42)
+}
diff --git a/Zend/zend_vm_def.h b/Zend/zend_vm_def.h
index f79d8a3f9e..bd843d6934 100644
--- a/Zend/zend_vm_def.h
+++ b/Zend/zend_vm_def.h
@@ -3879,7 +3879,10 @@ ZEND_VM_C_LABEL(num_index):
}
FREE_OP2();
} else {
- zend_hash_next_index_insert(Z_ARRVAL(EX_T(opline->result.var).tmp_var), &expr_ptr, sizeof(zval *), NULL);
+ if (zend_hash_next_index_insert(Z_ARRVAL(EX_T(opline->result.var).tmp_var), &expr_ptr, sizeof(zval *), NULL) == FAILURE) {
+ zend_error(E_WARNING, "Cannot add element to the array as the next element is already occupied");
+ zval_ptr_dtor(&expr_ptr);
+ }
}
if ((OP1_TYPE == IS_VAR || OP1_TYPE == IS_CV) && opline->extended_value) {
FREE_OP1_VAR_PTR();
diff --git a/Zend/zend_vm_execute.h b/Zend/zend_vm_execute.h
index a31027ee92..f09d05b71c 100644
--- a/Zend/zend_vm_execute.h
+++ b/Zend/zend_vm_execute.h
@@ -4119,7 +4119,10 @@ num_index:
}
} else {
- zend_hash_next_index_insert(Z_ARRVAL(EX_T(opline->result.var).tmp_var), &expr_ptr, sizeof(zval *), NULL);
+ if (zend_hash_next_index_insert(Z_ARRVAL(EX_T(opline->result.var).tmp_var), &expr_ptr, sizeof(zval *), NULL) == FAILURE) {
+ zend_error(E_WARNING, "Cannot add element to the array as the next element is already occupied");
+ zval_ptr_dtor(&expr_ptr);
+ }
}
if ((IS_CONST == IS_VAR || IS_CONST == IS_CV) && opline->extended_value) {
@@ -5030,7 +5033,10 @@ num_index:
}
zval_dtor(free_op2.var);
} else {
- zend_hash_next_index_insert(Z_ARRVAL(EX_T(opline->result.var).tmp_var), &expr_ptr, sizeof(zval *), NULL);
+ if (zend_hash_next_index_insert(Z_ARRVAL(EX_T(opline->result.var).tmp_var), &expr_ptr, sizeof(zval *), NULL) == FAILURE) {
+ zend_error(E_WARNING, "Cannot add element to the array as the next element is already occupied");
+ zval_ptr_dtor(&expr_ptr);
+ }
}
if ((IS_CONST == IS_VAR || IS_CONST == IS_CV) && opline->extended_value) {
@@ -5894,7 +5900,10 @@ num_index:
}
zval_ptr_dtor_nogc(&free_op2.var);
} else {
- zend_hash_next_index_insert(Z_ARRVAL(EX_T(opline->result.var).tmp_var), &expr_ptr, sizeof(zval *), NULL);
+ if (zend_hash_next_index_insert(Z_ARRVAL(EX_T(opline->result.var).tmp_var), &expr_ptr, sizeof(zval *), NULL) == FAILURE) {
+ zend_error(E_WARNING, "Cannot add element to the array as the next element is already occupied");
+ zval_ptr_dtor(&expr_ptr);
+ }
}
if ((IS_CONST == IS_VAR || IS_CONST == IS_CV) && opline->extended_value) {
@@ -6614,7 +6623,10 @@ num_index:
}
} else {
- zend_hash_next_index_insert(Z_ARRVAL(EX_T(opline->result.var).tmp_var), &expr_ptr, sizeof(zval *), NULL);
+ if (zend_hash_next_index_insert(Z_ARRVAL(EX_T(opline->result.var).tmp_var), &expr_ptr, sizeof(zval *), NULL) == FAILURE) {
+ zend_error(E_WARNING, "Cannot add element to the array as the next element is already occupied");
+ zval_ptr_dtor(&expr_ptr);
+ }
}
if ((IS_CONST == IS_VAR || IS_CONST == IS_CV) && opline->extended_value) {
@@ -7547,7 +7559,10 @@ num_index:
}
} else {
- zend_hash_next_index_insert(Z_ARRVAL(EX_T(opline->result.var).tmp_var), &expr_ptr, sizeof(zval *), NULL);
+ if (zend_hash_next_index_insert(Z_ARRVAL(EX_T(opline->result.var).tmp_var), &expr_ptr, sizeof(zval *), NULL) == FAILURE) {
+ zend_error(E_WARNING, "Cannot add element to the array as the next element is already occupied");
+ zval_ptr_dtor(&expr_ptr);
+ }
}
if ((IS_CONST == IS_VAR || IS_CONST == IS_CV) && opline->extended_value) {
@@ -9447,7 +9462,10 @@ num_index:
}
} else {
- zend_hash_next_index_insert(Z_ARRVAL(EX_T(opline->result.var).tmp_var), &expr_ptr, sizeof(zval *), NULL);
+ if (zend_hash_next_index_insert(Z_ARRVAL(EX_T(opline->result.var).tmp_var), &expr_ptr, sizeof(zval *), NULL) == FAILURE) {
+ zend_error(E_WARNING, "Cannot add element to the array as the next element is already occupied");
+ zval_ptr_dtor(&expr_ptr);
+ }
}
if ((IS_TMP_VAR == IS_VAR || IS_TMP_VAR == IS_CV) && opline->extended_value) {
@@ -10314,7 +10332,10 @@ num_index:
}
zval_dtor(free_op2.var);
} else {
- zend_hash_next_index_insert(Z_ARRVAL(EX_T(opline->result.var).tmp_var), &expr_ptr, sizeof(zval *), NULL);
+ if (zend_hash_next_index_insert(Z_ARRVAL(EX_T(opline->result.var).tmp_var), &expr_ptr, sizeof(zval *), NULL) == FAILURE) {
+ zend_error(E_WARNING, "Cannot add element to the array as the next element is already occupied");
+ zval_ptr_dtor(&expr_ptr);
+ }
}
if ((IS_TMP_VAR == IS_VAR || IS_TMP_VAR == IS_CV) && opline->extended_value) {
@@ -11180,7 +11201,10 @@ num_index:
}
zval_ptr_dtor_nogc(&free_op2.var);
} else {
- zend_hash_next_index_insert(Z_ARRVAL(EX_T(opline->result.var).tmp_var), &expr_ptr, sizeof(zval *), NULL);
+ if (zend_hash_next_index_insert(Z_ARRVAL(EX_T(opline->result.var).tmp_var), &expr_ptr, sizeof(zval *), NULL) == FAILURE) {
+ zend_error(E_WARNING, "Cannot add element to the array as the next element is already occupied");
+ zval_ptr_dtor(&expr_ptr);
+ }
}
if ((IS_TMP_VAR == IS_VAR || IS_TMP_VAR == IS_CV) && opline->extended_value) {
@@ -11775,7 +11799,10 @@ num_index:
}
} else {
- zend_hash_next_index_insert(Z_ARRVAL(EX_T(opline->result.var).tmp_var), &expr_ptr, sizeof(zval *), NULL);
+ if (zend_hash_next_index_insert(Z_ARRVAL(EX_T(opline->result.var).tmp_var), &expr_ptr, sizeof(zval *), NULL) == FAILURE) {
+ zend_error(E_WARNING, "Cannot add element to the array as the next element is already occupied");
+ zval_ptr_dtor(&expr_ptr);
+ }
}
if ((IS_TMP_VAR == IS_VAR || IS_TMP_VAR == IS_CV) && opline->extended_value) {
@@ -12624,7 +12651,10 @@ num_index:
}
} else {
- zend_hash_next_index_insert(Z_ARRVAL(EX_T(opline->result.var).tmp_var), &expr_ptr, sizeof(zval *), NULL);
+ if (zend_hash_next_index_insert(Z_ARRVAL(EX_T(opline->result.var).tmp_var), &expr_ptr, sizeof(zval *), NULL) == FAILURE) {
+ zend_error(E_WARNING, "Cannot add element to the array as the next element is already occupied");
+ zval_ptr_dtor(&expr_ptr);
+ }
}
if ((IS_TMP_VAR == IS_VAR || IS_TMP_VAR == IS_CV) && opline->extended_value) {
@@ -16107,7 +16137,10 @@ num_index:
}
} else {
- zend_hash_next_index_insert(Z_ARRVAL(EX_T(opline->result.var).tmp_var), &expr_ptr, sizeof(zval *), NULL);
+ if (zend_hash_next_index_insert(Z_ARRVAL(EX_T(opline->result.var).tmp_var), &expr_ptr, sizeof(zval *), NULL) == FAILURE) {
+ zend_error(E_WARNING, "Cannot add element to the array as the next element is already occupied");
+ zval_ptr_dtor(&expr_ptr);
+ }
}
if ((IS_VAR == IS_VAR || IS_VAR == IS_CV) && opline->extended_value) {
if (free_op1.var) {zval_ptr_dtor_nogc(&free_op1.var);};
@@ -18387,7 +18420,10 @@ num_index:
}
zval_dtor(free_op2.var);
} else {
- zend_hash_next_index_insert(Z_ARRVAL(EX_T(opline->result.var).tmp_var), &expr_ptr, sizeof(zval *), NULL);
+ if (zend_hash_next_index_insert(Z_ARRVAL(EX_T(opline->result.var).tmp_var), &expr_ptr, sizeof(zval *), NULL) == FAILURE) {
+ zend_error(E_WARNING, "Cannot add element to the array as the next element is already occupied");
+ zval_ptr_dtor(&expr_ptr);
+ }
}
if ((IS_VAR == IS_VAR || IS_VAR == IS_CV) && opline->extended_value) {
if (free_op1.var) {zval_ptr_dtor_nogc(&free_op1.var);};
@@ -20725,7 +20761,10 @@ num_index:
}
zval_ptr_dtor_nogc(&free_op2.var);
} else {
- zend_hash_next_index_insert(Z_ARRVAL(EX_T(opline->result.var).tmp_var), &expr_ptr, sizeof(zval *), NULL);
+ if (zend_hash_next_index_insert(Z_ARRVAL(EX_T(opline->result.var).tmp_var), &expr_ptr, sizeof(zval *), NULL) == FAILURE) {
+ zend_error(E_WARNING, "Cannot add element to the array as the next element is already occupied");
+ zval_ptr_dtor(&expr_ptr);
+ }
}
if ((IS_VAR == IS_VAR || IS_VAR == IS_CV) && opline->extended_value) {
if (free_op1.var) {zval_ptr_dtor_nogc(&free_op1.var);};
@@ -22165,7 +22204,10 @@ num_index:
}
} else {
- zend_hash_next_index_insert(Z_ARRVAL(EX_T(opline->result.var).tmp_var), &expr_ptr, sizeof(zval *), NULL);
+ if (zend_hash_next_index_insert(Z_ARRVAL(EX_T(opline->result.var).tmp_var), &expr_ptr, sizeof(zval *), NULL) == FAILURE) {
+ zend_error(E_WARNING, "Cannot add element to the array as the next element is already occupied");
+ zval_ptr_dtor(&expr_ptr);
+ }
}
if ((IS_VAR == IS_VAR || IS_VAR == IS_CV) && opline->extended_value) {
if (free_op1.var) {zval_ptr_dtor_nogc(&free_op1.var);};
@@ -24220,7 +24262,10 @@ num_index:
}
} else {
- zend_hash_next_index_insert(Z_ARRVAL(EX_T(opline->result.var).tmp_var), &expr_ptr, sizeof(zval *), NULL);
+ if (zend_hash_next_index_insert(Z_ARRVAL(EX_T(opline->result.var).tmp_var), &expr_ptr, sizeof(zval *), NULL) == FAILURE) {
+ zend_error(E_WARNING, "Cannot add element to the array as the next element is already occupied");
+ zval_ptr_dtor(&expr_ptr);
+ }
}
if ((IS_VAR == IS_VAR || IS_VAR == IS_CV) && opline->extended_value) {
if (free_op1.var) {zval_ptr_dtor_nogc(&free_op1.var);};
@@ -33574,7 +33619,10 @@ num_index:
}
} else {
- zend_hash_next_index_insert(Z_ARRVAL(EX_T(opline->result.var).tmp_var), &expr_ptr, sizeof(zval *), NULL);
+ if (zend_hash_next_index_insert(Z_ARRVAL(EX_T(opline->result.var).tmp_var), &expr_ptr, sizeof(zval *), NULL) == FAILURE) {
+ zend_error(E_WARNING, "Cannot add element to the array as the next element is already occupied");
+ zval_ptr_dtor(&expr_ptr);
+ }
}
if ((IS_CV == IS_VAR || IS_CV == IS_CV) && opline->extended_value) {
@@ -35717,7 +35765,10 @@ num_index:
}
zval_dtor(free_op2.var);
} else {
- zend_hash_next_index_insert(Z_ARRVAL(EX_T(opline->result.var).tmp_var), &expr_ptr, sizeof(zval *), NULL);
+ if (zend_hash_next_index_insert(Z_ARRVAL(EX_T(opline->result.var).tmp_var), &expr_ptr, sizeof(zval *), NULL) == FAILURE) {
+ zend_error(E_WARNING, "Cannot add element to the array as the next element is already occupied");
+ zval_ptr_dtor(&expr_ptr);
+ }
}
if ((IS_CV == IS_VAR || IS_CV == IS_CV) && opline->extended_value) {
@@ -37917,7 +37968,10 @@ num_index:
}
zval_ptr_dtor_nogc(&free_op2.var);
} else {
- zend_hash_next_index_insert(Z_ARRVAL(EX_T(opline->result.var).tmp_var), &expr_ptr, sizeof(zval *), NULL);
+ if (zend_hash_next_index_insert(Z_ARRVAL(EX_T(opline->result.var).tmp_var), &expr_ptr, sizeof(zval *), NULL) == FAILURE) {
+ zend_error(E_WARNING, "Cannot add element to the array as the next element is already occupied");
+ zval_ptr_dtor(&expr_ptr);
+ }
}
if ((IS_CV == IS_VAR || IS_CV == IS_CV) && opline->extended_value) {
@@ -39225,7 +39279,10 @@ num_index:
}
} else {
- zend_hash_next_index_insert(Z_ARRVAL(EX_T(opline->result.var).tmp_var), &expr_ptr, sizeof(zval *), NULL);
+ if (zend_hash_next_index_insert(Z_ARRVAL(EX_T(opline->result.var).tmp_var), &expr_ptr, sizeof(zval *), NULL) == FAILURE) {
+ zend_error(E_WARNING, "Cannot add element to the array as the next element is already occupied");
+ zval_ptr_dtor(&expr_ptr);
+ }
}
if ((IS_CV == IS_VAR || IS_CV == IS_CV) && opline->extended_value) {
@@ -41125,7 +41182,10 @@ num_index:
}
} else {
- zend_hash_next_index_insert(Z_ARRVAL(EX_T(opline->result.var).tmp_var), &expr_ptr, sizeof(zval *), NULL);
+ if (zend_hash_next_index_insert(Z_ARRVAL(EX_T(opline->result.var).tmp_var), &expr_ptr, sizeof(zval *), NULL) == FAILURE) {
+ zend_error(E_WARNING, "Cannot add element to the array as the next element is already occupied");
+ zval_ptr_dtor(&expr_ptr);
+ }
}
if ((IS_CV == IS_VAR || IS_CV == IS_CV) && opline->extended_value) {
View Lorry Controller Status