Commit 5c18ee5

Fixed use-after-free introduced by aed1f78
1 parent 118406a commit 5c18ee5

2 files changed

+91
-39
lines changed


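--- a/Zend/zend_vm_def.h
+++ b/Zend/zend_vm_def.h
@@ -3424,14 +3424,19 @@ ZEND_VM_HOT_OBJ_HANDLER(112, ZEND_INIT_METHOD_CALL, CONST|TMPVAR|UNUSED|THIS|CV,
 } while (0);
 }
 
-if (OP1_TYPE != IS_UNUSED) {
+if (OP1_TYPE == IS_UNUSED) {
+obj = Z_OBJ_P(object);
+} else {
 do {
-if (OP1_TYPE == IS_CONST || UNEXPECTED(Z_TYPE_P(object) != IS_OBJECT)) {
+if (OP1_TYPE != IS_CONST && EXPECTED(Z_TYPE_P(object) == IS_OBJECT)) {
+obj = Z_OBJ_P(object);
+} else {
 if ((OP1_TYPE & (IS_VAR|IS_CV)) && EXPECTED(Z_ISREF_P(object))) {
 zend_reference *ref = Z_REF_P(object);
 
 object = &ref->val;
 if (EXPECTED(Z_TYPE_P(object) == IS_OBJECT)) {
+obj = Z_OBJ_P(object);
 if (OP1_TYPE & IS_VAR) {
 if (UNEXPECTED(GC_DELREF(ref) == 0)) {
 efree_size(ref, sizeof(zend_reference));
@@ -3462,7 +3467,6 @@ ZEND_VM_HOT_OBJ_HANDLER(112, ZEND_INIT_METHOD_CALL, CONST|TMPVAR|UNUSED|THIS|CV,
 } while (0);
 }
 
-obj = Z_OBJ_P(object);
 called_scope = obj->ce;
 
 if (OP2_TYPE == IS_CONST &&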
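Review bot: The hoisted `obj = Z_OBJ_P(object);` inside the `Z_ISREF_P` branch, directly ahead of the `GC_DELREF(ref)` / `efree_size(ref, ...)` block, is the actual fix, but nothing on that line says why it must precede the free; a later cleanup could fold the three assignments back into a single one after the `do { } while (0)` — exactly where the removed line sat — and reintroduce the use-after-free. I would add on that line `/* read obj before the reference may be freed below: object == &ref->val, so it dangles once ref is released */`. Note that `object` itself still points into the freed zend_reference after `efree_size`; the hunk does not show whether the handler touches `object` again on that path, so that is worth checking, and an `object = NULL;` (or a ZEND_ASSERT) right after the free would make any later use fail loudly instead of silently. The handler body continues outside both hunks, so whether every path that reaches `called_scope = obj->ce` now assigns `obj` cannot be confirmed from here.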

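--- a/Zend/zend_vm_execute.h
+++ b/Zend/zend_vm_execute.h
@@ -5739,14 +5739,19 @@ static ZEND_VM_COLD ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_INIT_METHOD_CALL_
 } while (0);
 }
 
-if (IS_CONST != IS_UNUSED) {
+if (IS_CONST == IS_UNUSED) {
+obj = Z_OBJ_P(object);
+} else {
 do {
-if (IS_CONST == IS_CONST || UNEXPECTED(Z_TYPE_P(object) != IS_OBJECT)) {
+if (IS_CONST != IS_CONST && EXPECTED(Z_TYPE_P(object) == IS_OBJECT)) {
+obj = Z_OBJ_P(object);
+} else {
 if ((IS_CONST & (IS_VAR|IS_CV)) && EXPECTED(Z_ISREF_P(object))) {
 zend_reference *ref = Z_REF_P(object);
 
 object = &ref->val;
 if (EXPECTED(Z_TYPE_P(object) == IS_OBJECT)) {
+obj = Z_OBJ_P(object);
 if (IS_CONST & IS_VAR) {
 if (UNEXPECTED(GC_DELREF(ref) == 0)) {
 efree_size(ref, sizeof(zend_reference));
@@ -5777,7 +5782,6 @@ static ZEND_VM_COLD ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_INIT_METHOD_CALL_
 } while (0);
 }
 
-obj = Z_OBJ_P(object);
 called_scope = obj->ce;
 
 if (IS_CONST == IS_CONST &&
@@ -8023,14 +8027,19 @@ static ZEND_VM_COLD ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_INIT_METHOD_CALL_
 } while (0);
 }
 
-if (IS_CONST != IS_UNUSED) {
+if (IS_CONST == IS_UNUSED) {
+obj = Z_OBJ_P(object);
+} else {
 do {
-if (IS_CONST == IS_CONST || UNEXPECTED(Z_TYPE_P(object) != IS_OBJECT)) {
+if (IS_CONST != IS_CONST && EXPECTED(Z_TYPE_P(object) == IS_OBJECT)) {
+obj = Z_OBJ_P(object);
+} else {
 if ((IS_CONST & (IS_VAR|IS_CV)) && EXPECTED(Z_ISREF_P(object))) {
 zend_reference *ref = Z_REF_P(object);
 
 object = &ref->val;
 if (EXPECTED(Z_TYPE_P(object) == IS_OBJECT)) {
+obj = Z_OBJ_P(object);
 if (IS_CONST & IS_VAR) {
 if (UNEXPECTED(GC_DELREF(ref) == 0)) {
 efree_size(ref, sizeof(zend_reference));
@@ -8061,7 +8070,6 @@ static ZEND_VM_COLD ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_INIT_METHOD_CALL_
 } while (0);
 }
 
-obj = Z_OBJ_P(object);
 called_scope = obj->ce;
 
 if ((IS_TMP_VAR|IS_VAR) == IS_CONST &&
@@ -10400,14 +10408,19 @@ static ZEND_VM_COLD ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_INIT_METHOD_CALL_
 } while (0);
 }
 
-if (IS_CONST != IS_UNUSED) {
+if (IS_CONST == IS_UNUSED) {
+obj = Z_OBJ_P(object);
+} else {
 do {
-if (IS_CONST == IS_CONST || UNEXPECTED(Z_TYPE_P(object) != IS_OBJECT)) {
+if (IS_CONST != IS_CONST && EXPECTED(Z_TYPE_P(object) == IS_OBJECT)) {
+obj = Z_OBJ_P(object);
+} else {
 if ((IS_CONST & (IS_VAR|IS_CV)) && EXPECTED(Z_ISREF_P(object))) {
 zend_reference *ref = Z_REF_P(object);
 
 object = &ref->val;
 if (EXPECTED(Z_TYPE_P(object) == IS_OBJECT)) {
+obj = Z_OBJ_P(object);
 if (IS_CONST & IS_VAR) {
 if (UNEXPECTED(GC_DELREF(ref) == 0)) {
 efree_size(ref, sizeof(zend_reference));
@@ -10438,7 +10451,6 @@ static ZEND_VM_COLD ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_INIT_METHOD_CALL_
 } while (0);
 }
 
-obj = Z_OBJ_P(object);
 called_scope = obj->ce;
 
 if (IS_CV == IS_CONST &&
@@ -14769,14 +14781,19 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_INIT_METHOD_CALL_SPEC_TMPVAR_C
 } while (0);
 }
 
-if ((IS_TMP_VAR|IS_VAR) != IS_UNUSED) {
+if ((IS_TMP_VAR|IS_VAR) == IS_UNUSED) {
+obj = Z_OBJ_P(object);
+} else {
 do {
-if ((IS_TMP_VAR|IS_VAR) == IS_CONST || UNEXPECTED(Z_TYPE_P(object) != IS_OBJECT)) {
+if ((IS_TMP_VAR|IS_VAR) != IS_CONST && EXPECTED(Z_TYPE_P(object) == IS_OBJECT)) {
+obj = Z_OBJ_P(object);
+} else {
 if (((IS_TMP_VAR|IS_VAR) & (IS_VAR|IS_CV)) && EXPECTED(Z_ISREF_P(object))) {
 zend_reference *ref = Z_REF_P(object);
 
 object = &ref->val;
 if (EXPECTED(Z_TYPE_P(object) == IS_OBJECT)) {
+obj = Z_OBJ_P(object);
 if ((IS_TMP_VAR|IS_VAR) & IS_VAR) {
 if (UNEXPECTED(GC_DELREF(ref) == 0)) {
 efree_size(ref, sizeof(zend_reference));
@@ -14807,7 +14824,6 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_INIT_METHOD_CALL_SPEC_TMPVAR_C
 } while (0);
 }
 
-obj = Z_OBJ_P(object);
 called_scope = obj->ce;
 
 if (IS_CONST == IS_CONST &&
@@ -16184,14 +16200,19 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_INIT_METHOD_CALL_SPEC_TMPVAR_T
 } while (0);
 }
 
-if ((IS_TMP_VAR|IS_VAR) != IS_UNUSED) {
+if ((IS_TMP_VAR|IS_VAR) == IS_UNUSED) {
+obj = Z_OBJ_P(object);
+} else {
 do {
-if ((IS_TMP_VAR|IS_VAR) == IS_CONST || UNEXPECTED(Z_TYPE_P(object) != IS_OBJECT)) {
+if ((IS_TMP_VAR|IS_VAR) != IS_CONST && EXPECTED(Z_TYPE_P(object) == IS_OBJECT)) {
+obj = Z_OBJ_P(object);
+} else {
 if (((IS_TMP_VAR|IS_VAR) & (IS_VAR|IS_CV)) && EXPECTED(Z_ISREF_P(object))) {
 zend_reference *ref = Z_REF_P(object);
 
 object = &ref->val;
 if (EXPECTED(Z_TYPE_P(object) == IS_OBJECT)) {
+obj = Z_OBJ_P(object);
 if ((IS_TMP_VAR|IS_VAR) & IS_VAR) {
 if (UNEXPECTED(GC_DELREF(ref) == 0)) {
 efree_size(ref, sizeof(zend_reference));
@@ -16222,7 +16243,6 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_INIT_METHOD_CALL_SPEC_TMPVAR_T
 } while (0);
 }
 
-obj = Z_OBJ_P(object);
 called_scope = obj->ce;
 
 if ((IS_TMP_VAR|IS_VAR) == IS_CONST &&
@@ -17492,14 +17512,19 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_INIT_METHOD_CALL_SPEC_TMPVAR_C
 } while (0);
 }
 
-if ((IS_TMP_VAR|IS_VAR) != IS_UNUSED) {
+if ((IS_TMP_VAR|IS_VAR) == IS_UNUSED) {
+obj = Z_OBJ_P(object);
+} else {
 do {
-if ((IS_TMP_VAR|IS_VAR) == IS_CONST || UNEXPECTED(Z_TYPE_P(object) != IS_OBJECT)) {
+if ((IS_TMP_VAR|IS_VAR) != IS_CONST && EXPECTED(Z_TYPE_P(object) == IS_OBJECT)) {
+obj = Z_OBJ_P(object);
+} else {
 if (((IS_TMP_VAR|IS_VAR) & (IS_VAR|IS_CV)) && EXPECTED(Z_ISREF_P(object))) {
 zend_reference *ref = Z_REF_P(object);
 
 object = &ref->val;
 if (EXPECTED(Z_TYPE_P(object) == IS_OBJECT)) {
+obj = Z_OBJ_P(object);
 if ((IS_TMP_VAR|IS_VAR) & IS_VAR) {
 if (UNEXPECTED(GC_DELREF(ref) == 0)) {
 efree_size(ref, sizeof(zend_reference));
@@ -17530,7 +17555,6 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_INIT_METHOD_CALL_SPEC_TMPVAR_C
 } while (0);
 }
 
-obj = Z_OBJ_P(object);
 called_scope = obj->ce;
 
 if (IS_CV == IS_CONST &&
@@ -31525,14 +31549,19 @@ static ZEND_VM_HOT ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_INIT_METHOD_CALL_S
 } while (0);
 }
 
-if (IS_UNUSED != IS_UNUSED) {
+if (IS_UNUSED == IS_UNUSED) {
+obj = Z_OBJ_P(object);
+} else {
 do {
-if (IS_UNUSED == IS_CONST || UNEXPECTED(Z_TYPE_P(object) != IS_OBJECT)) {
+if (IS_UNUSED != IS_CONST && EXPECTED(Z_TYPE_P(object) == IS_OBJECT)) {
+obj = Z_OBJ_P(object);
+} else {
 if ((IS_UNUSED & (IS_VAR|IS_CV)) && EXPECTED(Z_ISREF_P(object))) {
 zend_reference *ref = Z_REF_P(object);
 
 object = &ref->val;
 if (EXPECTED(Z_TYPE_P(object) == IS_OBJECT)) {
+obj = Z_OBJ_P(object);
 if (IS_UNUSED & IS_VAR) {
 if (UNEXPECTED(GC_DELREF(ref) == 0)) {
 efree_size(ref, sizeof(zend_reference));
@@ -31563,7 +31592,6 @@ static ZEND_VM_HOT ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_INIT_METHOD_CALL_S
 } while (0);
 }
 
-obj = Z_OBJ_P(object);
 called_scope = obj->ce;
 
 if (IS_CONST == IS_CONST &&
@@ -33430,14 +33458,19 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_INIT_METHOD_CALL_SPEC_UNUSED_T
 } while (0);
 }
 
-if (IS_UNUSED != IS_UNUSED) {
+if (IS_UNUSED == IS_UNUSED) {
+obj = Z_OBJ_P(object);
+} else {
 do {
-if (IS_UNUSED == IS_CONST || UNEXPECTED(Z_TYPE_P(object) != IS_OBJECT)) {
+if (IS_UNUSED != IS_CONST && EXPECTED(Z_TYPE_P(object) == IS_OBJECT)) {
+obj = Z_OBJ_P(object);
+} else {
 if ((IS_UNUSED & (IS_VAR|IS_CV)) && EXPECTED(Z_ISREF_P(object))) {
 zend_reference *ref = Z_REF_P(object);
 
 object = &ref->val;
 if (EXPECTED(Z_TYPE_P(object) == IS_OBJECT)) {
+obj = Z_OBJ_P(object);
 if (IS_UNUSED & IS_VAR) {
 if (UNEXPECTED(GC_DELREF(ref) == 0)) {
 efree_size(ref, sizeof(zend_reference));
@@ -33468,7 +33501,6 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_INIT_METHOD_CALL_SPEC_UNUSED_T
 } while (0);
 }
 
-obj = Z_OBJ_P(object);
 called_scope = obj->ce;
 
 if ((IS_TMP_VAR|IS_VAR) == IS_CONST &&
@@ -35913,14 +35945,19 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_INIT_METHOD_CALL_SPEC_UNUSED_C
 } while (0);
 }
 
-if (IS_UNUSED != IS_UNUSED) {
+if (IS_UNUSED == IS_UNUSED) {
+obj = Z_OBJ_P(object);
+} else {
 do {
-if (IS_UNUSED == IS_CONST || UNEXPECTED(Z_TYPE_P(object) != IS_OBJECT)) {
+if (IS_UNUSED != IS_CONST && EXPECTED(Z_TYPE_P(object) == IS_OBJECT)) {
+obj = Z_OBJ_P(object);
+} else {
 if ((IS_UNUSED & (IS_VAR|IS_CV)) && EXPECTED(Z_ISREF_P(object))) {
 zend_reference *ref = Z_REF_P(object);
 
 object = &ref->val;
 if (EXPECTED(Z_TYPE_P(object) == IS_OBJECT)) {
+obj = Z_OBJ_P(object);
 if (IS_UNUSED & IS_VAR) {
 if (UNEXPECTED(GC_DELREF(ref) == 0)) {
 efree_size(ref, sizeof(zend_reference));
@@ -35951,7 +35988,6 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_INIT_METHOD_CALL_SPEC_UNUSED_C
 } while (0);
 }
 
-obj = Z_OBJ_P(object);
 called_scope = obj->ce;
 
 if (IS_CV == IS_CONST &&
@@ -40588,14 +40624,19 @@ static ZEND_VM_HOT ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_INIT_METHOD_CALL_S
 } while (0);
 }
 
-if (IS_CV != IS_UNUSED) {
+if (IS_CV == IS_UNUSED) {
+obj = Z_OBJ_P(object);
+} else {
 do {
-if (IS_CV == IS_CONST || UNEXPECTED(Z_TYPE_P(object) != IS_OBJECT)) {
+if (IS_CV != IS_CONST && EXPECTED(Z_TYPE_P(object) == IS_OBJECT)) {
+obj = Z_OBJ_P(object);
+} else {
 if ((IS_CV & (IS_VAR|IS_CV)) && EXPECTED(Z_ISREF_P(object))) {
 zend_reference *ref = Z_REF_P(object);
 
 object = &ref->val;
 if (EXPECTED(Z_TYPE_P(object) == IS_OBJECT)) {
+obj = Z_OBJ_P(object);
 if (IS_CV & IS_VAR) {
 if (UNEXPECTED(GC_DELREF(ref) == 0)) {
 efree_size(ref, sizeof(zend_reference));
@@ -40626,7 +40667,6 @@ static ZEND_VM_HOT ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_INIT_METHOD_CALL_S
 } while (0);
 }
 
-obj = Z_OBJ_P(object);
 called_scope = obj->ce;
 
 if (IS_CONST == IS_CONST &&
@@ -44169,14 +44209,19 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_INIT_METHOD_CALL_SPEC_CV_TMPVA
 } while (0);
 }
 
-if (IS_CV != IS_UNUSED) {
+if (IS_CV == IS_UNUSED) {
+obj = Z_OBJ_P(object);
+} else {
 do {
-if (IS_CV == IS_CONST || UNEXPECTED(Z_TYPE_P(object) != IS_OBJECT)) {
+if (IS_CV != IS_CONST && EXPECTED(Z_TYPE_P(object) == IS_OBJECT)) {
+obj = Z_OBJ_P(object);
+} else {
 if ((IS_CV & (IS_VAR|IS_CV)) && EXPECTED(Z_ISREF_P(object))) {
 zend_reference *ref = Z_REF_P(object);
 
 object = &ref->val;
 if (EXPECTED(Z_TYPE_P(object) == IS_OBJECT)) {
+obj = Z_OBJ_P(object);
 if (IS_CV & IS_VAR) {
 if (UNEXPECTED(GC_DELREF(ref) == 0)) {
 efree_size(ref, sizeof(zend_reference));
@@ -44207,7 +44252,6 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_INIT_METHOD_CALL_SPEC_CV_TMPVA
 } while (0);
 }
 
-obj = Z_OBJ_P(object);
 called_scope = obj->ce;
 
 if ((IS_TMP_VAR|IS_VAR) == IS_CONST &&
@@ -49287,14 +49331,19 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_INIT_METHOD_CALL_SPEC_CV_CV_HA
 } while (0);
 }
 
-if (IS_CV != IS_UNUSED) {
+if (IS_CV == IS_UNUSED) {
+obj = Z_OBJ_P(object);
+} else {
 do {
-if (IS_CV == IS_CONST || UNEXPECTED(Z_TYPE_P(object) != IS_OBJECT)) {
+if (IS_CV != IS_CONST && EXPECTED(Z_TYPE_P(object) == IS_OBJECT)) {
+obj = Z_OBJ_P(object);
+} else {
 if ((IS_CV & (IS_VAR|IS_CV)) && EXPECTED(Z_ISREF_P(object))) {
 zend_reference *ref = Z_REF_P(object);
 
 object = &ref->val;
 if (EXPECTED(Z_TYPE_P(object) == IS_OBJECT)) {
+obj = Z_OBJ_P(object);
 if (IS_CV & IS_VAR) {
 if (UNEXPECTED(GC_DELREF(ref) == 0)) {
 efree_size(ref, sizeof(zend_reference));
@@ -49325,7 +49374,6 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_INIT_METHOD_CALL_SPEC_CV_CV_HA
 } while (0);
 }
 
-obj = Z_OBJ_P(object);
 called_scope = obj->ce;
 
 if (IS_CV == IS_CONST &&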
