From 9f81c56e42ebaaea800c7304cf8cb39acedf1c98 Mon Sep 17 00:00:00 2001
From: Nikita Popov
Date: Fri, 28 Jun 2019 10:24:56 +0200
Subject: Fix out-of-bounds read in array compilation

UNPACK elements only have one child. Don't access the second one until we have excluded this case.
---
 Zend/zend_compile.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

(limited to 'Zend')

diff --git a/Zend/zend_compile.c b/Zend/zend_compile.c
index fc6dcf5bb7..6682d2b454 100644
--- a/Zend/zend_compile.c
+++ b/Zend/zend_compile.c
@@ -7032,7 +7032,7 @@ static zend_bool zend_try_ct_eval_array(zval *result, zend_ast *ast) /* {{{ */
 for (i = 0; i < list->children; ++i) {
 zend_ast *elem_ast = list->child[i];
 zend_ast *value_ast = elem_ast->child[0];
- zend_ast *key_ast = elem_ast->child[1];
+ zend_ast *key_ast;
 zval *value = zend_ast_get_zval(value_ast);
 
 if (elem_ast->kind == ZEND_AST_UNPACK) {
@@ -7060,6 +7060,7 @@ static zend_bool zend_try_ct_eval_array(zval *result, zend_ast *ast) /* {{{ */
 
 Z_TRY_ADDREF_P(value);
 
+ key_ast = elem_ast->child[1];
 if (key_ast) {
 zval *key = zend_ast_get_zval(key_ast);
 switch (Z_TYPE_P(key)) {
@@ -7823,8 +7824,6 @@ void zend_compile_array(znode *result, zend_ast *ast) /* {{{ */
 }
 
 value_ast = elem_ast->child[0];
- key_ast = elem_ast->child[1];
- by_ref = elem_ast->attr;
 
 if (elem_ast->kind == ZEND_AST_UNPACK) {
 zend_compile_expr(&value_node, value_ast);
@@ -7836,6 +7835,9 @@ void zend_compile_array(znode *result, zend_ast *ast) /* {{{ */
 continue;
 }
 
+ key_ast = elem_ast->child[1];
+ by_ref = elem_ast->attr;
+
 if (key_ast) {
 zend_compile_expr(&key_node, key_ast);
 zend_handle_numeric_op(&key_node);
-- 
cgit v1.2.1
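Review bot: In the first zend_try_ct_eval_array hunk `key_ast` is now declared without an initializer and is only assigned in the second hunk, after the `ZEND_AST_UNPACK` branch whose body lies outside the hunk; whether every path through that branch leaves the loop before the new assignment cannot be confirmed from here. Initializing it, `zend_ast *key_ast = NULL;`, keeps the later `if (key_ast)` well-defined on any path that skips the assignment and avoids a -Wmaybe-uninitialized warning. The invariant that forces this ordering is stated only in the commit message; a comment at the assignment, `/* UNPACK nodes have a single child; child[1] is only valid once that case is excluded */`, records it where the next refactor would otherwise move the read back up. The same comment is worth adding at the matching assignment in the zend_compile_array hunk.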
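Review bot: In the zend_compile_array hunks `by_ref = elem_ast->attr;` moves along with `key_ast` to after the `ZEND_AST_UNPACK` branch, although only the `child[1]` read is affected by the one-child invariant; if the UNPACK branch, whose body continues outside the hunk, reads `by_ref`, it now sees the value left over from the previous element. As far as I recall `attr` lives in the node header rather than the child array, so reading it before the kind check is safe; keeping `by_ref = elem_ast->attr;` at its original position next to `value_ast = elem_ast->child[0];` and moving only `key_ast = elem_ast->child[1];` avoids the question entirely. zend_compile_array's loop starts and ends outside these hunks.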