diff options
| author | Dmitry Stogov <dmitry@zend.com> | 2019-09-04 12:13:49 +0300 |
|---|---|---|
| committer | Dmitry Stogov <dmitry@zend.com> | 2019-09-04 12:16:12 +0300 |
| commit | 1db0bad6a75eaaa6cc849767ace77dae63678bf4 (patch) | |
| tree | 7cd2317921fe669dbda003314edc0b530a7af246 /ext/ffi | |
| parent | 94e2f25f076734a38b1c046e06459d404a7650cf (diff) | |
| download | php-git-1db0bad6a75eaaa6cc849767ace77dae63678bf4.tar.gz | |
Fixed bug #78488 (OOB in ZEND_FUNCTION(ffi_trampoline)).
Diffstat (limited to 'ext/ffi')
| -rw-r--r-- | ext/ffi/ffi.c | 13 |
1 files changed, 8 insertions, 5 deletions
diff --git a/ext/ffi/ffi.c b/ext/ffi/ffi.c index 552d168fd6..81c34071a3 100644 --- a/ext/ffi/ffi.c +++ b/ext/ffi/ffi.c @@ -160,6 +160,9 @@ typedef struct _zend_ffi { #define ZEND_FFI_TYPE_MAKE_OWNED(t) \ ((zend_ffi_type*)(((uintptr_t)(t)) | ZEND_FFI_TYPE_OWNED)) +#define ZEND_FFI_SIZEOF_ARG \ + MAX(FFI_SIZEOF_ARG, sizeof(double)) + typedef struct _zend_ffi_cdata { zend_object std; zend_ffi_type *type; @@ -2614,12 +2617,12 @@ static ZEND_FUNCTION(ffi_trampoline) /* {{{ */ arg_types = do_alloca( sizeof(ffi_type*) * EX_NUM_ARGS(), arg_types_use_heap); arg_values = do_alloca( - (sizeof(void*) + FFI_SIZEOF_ARG) * EX_NUM_ARGS(), arg_values_use_heap); + (sizeof(void*) + ZEND_FFI_SIZEOF_ARG) * EX_NUM_ARGS(), arg_values_use_heap); n = 0; if (type->func.args) { ZEND_HASH_FOREACH_PTR(type->func.args, arg_type) { arg_type = ZEND_FFI_TYPE(arg_type); - arg_values[n] = ((char*)arg_values) + (sizeof(void*) * EX_NUM_ARGS()) + (FFI_SIZEOF_ARG * n); + arg_values[n] = ((char*)arg_values) + (sizeof(void*) * EX_NUM_ARGS()) + (ZEND_FFI_SIZEOF_ARG * n); if (zend_ffi_pass_arg(EX_VAR_NUM(n), arg_type, &arg_types[n], arg_values, n, execute_data) != SUCCESS) { free_alloca(arg_types, arg_types_use_heap); free_alloca(arg_values, arg_values_use_heap); @@ -2629,7 +2632,7 @@ static ZEND_FUNCTION(ffi_trampoline) /* {{{ */ } ZEND_HASH_FOREACH_END(); } for (; n < EX_NUM_ARGS(); n++) { - arg_values[n] = ((char*)arg_values) + (sizeof(void*) * EX_NUM_ARGS()) + (FFI_SIZEOF_ARG * n); + arg_values[n] = ((char*)arg_values) + (sizeof(void*) * EX_NUM_ARGS()) + (ZEND_FFI_SIZEOF_ARG * n); if (zend_ffi_pass_var_arg(EX_VAR_NUM(n), &arg_types[n], arg_values, n, execute_data) != SUCCESS) { free_alloca(arg_types, arg_types_use_heap); free_alloca(arg_values, arg_values_use_heap); @@ -2659,12 +2662,12 @@ static ZEND_FUNCTION(ffi_trampoline) /* {{{ */ arg_types = do_alloca( (sizeof(ffi_type*) + sizeof(ffi_type)) * EX_NUM_ARGS(), arg_types_use_heap); arg_values = do_alloca( - (sizeof(void*) + FFI_SIZEOF_ARG) * EX_NUM_ARGS(), arg_values_use_heap); + (sizeof(void*) + ZEND_FFI_SIZEOF_ARG) * EX_NUM_ARGS(), arg_values_use_heap); n = 0; if (type->func.args) { ZEND_HASH_FOREACH_PTR(type->func.args, arg_type) { arg_type = ZEND_FFI_TYPE(arg_type); - arg_values[n] = ((char*)arg_values) + (sizeof(void*) * EX_NUM_ARGS()) + (FFI_SIZEOF_ARG * n); + arg_values[n] = ((char*)arg_values) + (sizeof(void*) * EX_NUM_ARGS()) + (ZEND_FFI_SIZEOF_ARG * n); if (zend_ffi_pass_arg(EX_VAR_NUM(n), arg_type, &arg_types[n], arg_values, n, execute_data) != SUCCESS) { free_alloca(arg_types, arg_types_use_heap); free_alloca(arg_values, arg_values_use_heap); |