
Commit 0f08438

committed
Fixed use-after-free introduced in f2ceb63
1 parent 4317da3 commit 0f08438


2 files changed

+18
-8
lines changed


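--- a/ext/opcache/jit/zend_jit_arm64.dasc
+++ b/ext/opcache/jit/zend_jit_arm64.dasc
@@ -12125,10 +12125,6 @@ static int zend_jit_fetch_obj(dasm_State **Dst,
 }
 }
 }
-if (op1_avoid_refcounting) {
-SET_STACK_REG(JIT_G(current_frame)->stack,
-EX_VAR_TO_NUM(opline->op1.var), ZREG_NONE);
-}
 if (opline->opcode == ZEND_FETCH_OBJ_W) {
 if (Z_REG(prop_addr) != ZREG_FCARG1 || Z_OFFSET(prop_addr) != 0) {
 | LOAD_ZVAL_ADDR FCARG1x, prop_addr
@@ -12174,6 +12170,10 @@ static int zend_jit_fetch_obj(dasm_State **Dst,
 exit_point = zend_jit_trace_get_exit_point(opline, 0);
 exit_addr = zend_jit_trace_get_exit_addr(exit_point);
 } else {
+if (op1_avoid_refcounting) {
+SET_STACK_REG(JIT_G(current_frame)->stack,
+EX_VAR_TO_NUM(opline->op1.var), ZREG_NONE);
+}
 old_info = STACK_INFO(stack, EX_VAR_TO_NUM(opline->result.var));
 SET_STACK_TYPE(stack, EX_VAR_TO_NUM(opline->result.var), IS_UNKNOWN, 1);
 SET_STACK_REG(stack, EX_VAR_TO_NUM(opline->result.var), ZREG_ZVAL_COPY_GPR0);
@@ -12223,6 +12223,11 @@ static int zend_jit_fetch_obj(dasm_State **Dst,
 }
 }
 
+if (op1_avoid_refcounting) {
+SET_STACK_REG(JIT_G(current_frame)->stack,
+EX_VAR_TO_NUM(opline->op1.var), ZREG_NONE);
+}
+
 |.cold_code
 
 if (JIT_G(trigger) != ZEND_JIT_ON_HOT_TRACE || !prop_info) {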
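Review bot: The relocated `SET_STACK_REG(..., ZREG_NONE)` guard now appears twice in this function with nothing recording why it must run only after the property-access code has been emitted, so a later cleanup could hoist it back to where f2ceb63 had it and reintroduce the use-after-free this commit fixes. A why-comment on the copy inside the `else` branch and on the one before `|.cold_code`, e.g. `/* op1 may still be read by the code emitted above; drop its register mapping only after the last use (see 0f08438) */`, would pin that ordering. The added block in the `else` branch reads `JIT_G(current_frame)->stack` while the adjacent lines use the local `stack`; if those alias here, using `stack` would keep the branch consistent, but that cannot be confirmed from the hunk. zend_jit_fetch_obj starts and ends outside these hunks, and the x86 backend carries the identical change, so any comment adopted here should be mirrored there.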

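--- a/ext/opcache/jit/zend_jit_x86.dasc
+++ b/ext/opcache/jit/zend_jit_x86.dasc
@@ -12832,10 +12832,6 @@ static int zend_jit_fetch_obj(dasm_State **Dst,
 }
 }
 }
-if (op1_avoid_refcounting) {
-SET_STACK_REG(JIT_G(current_frame)->stack,
-EX_VAR_TO_NUM(opline->op1.var), ZREG_NONE);
-}
 if (opline->opcode == ZEND_FETCH_OBJ_W) {
 if (Z_REG(prop_addr) != ZREG_FCARG1 || Z_OFFSET(prop_addr) != 0) {
 | LOAD_ZVAL_ADDR FCARG1a, prop_addr
@@ -12881,6 +12877,10 @@ static int zend_jit_fetch_obj(dasm_State **Dst,
 exit_point = zend_jit_trace_get_exit_point(opline, 0);
 exit_addr = zend_jit_trace_get_exit_addr(exit_point);
 } else {
+if (op1_avoid_refcounting) {
+SET_STACK_REG(JIT_G(current_frame)->stack,
+EX_VAR_TO_NUM(opline->op1.var), ZREG_NONE);
+}
 old_info = STACK_INFO(stack, EX_VAR_TO_NUM(opline->result.var));
 SET_STACK_TYPE(stack, EX_VAR_TO_NUM(opline->result.var), IS_UNKNOWN, 1);
 SET_STACK_REG(stack, EX_VAR_TO_NUM(opline->result.var), ZREG_ZVAL_COPY_GPR0);
@@ -12928,6 +12928,11 @@ static int zend_jit_fetch_obj(dasm_State **Dst,
 }
 }
 
+if (op1_avoid_refcounting) {
+SET_STACK_REG(JIT_G(current_frame)->stack,
+EX_VAR_TO_NUM(opline->op1.var), ZREG_NONE);
+}
+
 |.cold_code
 
 if (JIT_G(trigger) != ZEND_JIT_ON_HOT_TRACE || !prop_info) {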
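Review bot: The two new `if (op1_avoid_refcounting)` blocks in this backend are unannotated copies of the arm64 ones, so the constraint that the op1 register mapping must be cleared only after the last emitted read of op1 is enforced by position alone and is easy to break when the two .dasc files are next brought into line by hand. A one-line comment above each copy, such as `/* must stay below the emitted property access; clearing earlier caused a use-after-free (0f08438) */`, would make the dependency visible to whoever edits either file. zend_jit_fetch_obj begins and ends outside these hunks, so whether the `else`-branch copy and the one before `|.cold_code` can both execute on the same path cannot be judged here.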
