
Commit 8a393ec

committed
Merge branch 'PHP-7.4'
* PHP-7.4: Fixed bug #78488 (OOB in ZEND_FUNCTION(ffi_trampoline)).
2 parents 227f516 + d03d369 commit 8a393ec


1 file changed

+8
-5
lines changed


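--- a/ext/ffi/ffi.c
+++ b/ext/ffi/ffi.c
@@ -161,6 +161,9 @@ typedef struct _zend_ffi {
 #define ZEND_FFI_TYPE_MAKE_OWNED(t) \
 ((zend_ffi_type*)(((uintptr_t)(t)) | ZEND_FFI_TYPE_OWNED))
 
+#define ZEND_FFI_SIZEOF_ARG \
+MAX(FFI_SIZEOF_ARG, sizeof(double))
+
 typedef struct _zend_ffi_cdata {
 zend_object std;
 zend_ffi_type *type;
@@ -2582,12 +2585,12 @@ static ZEND_FUNCTION(ffi_trampoline) /* {{{ */
 arg_types = do_alloca(
 sizeof(ffi_type*) * EX_NUM_ARGS(), arg_types_use_heap);
 arg_values = do_alloca(
-(sizeof(void*) + FFI_SIZEOF_ARG) * EX_NUM_ARGS(), arg_values_use_heap);
+(sizeof(void*) + ZEND_FFI_SIZEOF_ARG) * EX_NUM_ARGS(), arg_values_use_heap);
 n = 0;
 if (type->func.args) {
 ZEND_HASH_FOREACH_PTR(type->func.args, arg_type) {
 arg_type = ZEND_FFI_TYPE(arg_type);
-arg_values[n] = ((char*)arg_values) + (sizeof(void*) * EX_NUM_ARGS()) + (FFI_SIZEOF_ARG * n);
+arg_values[n] = ((char*)arg_values) + (sizeof(void*) * EX_NUM_ARGS()) + (ZEND_FFI_SIZEOF_ARG * n);
 if (zend_ffi_pass_arg(EX_VAR_NUM(n), arg_type, &arg_types[n], arg_values, n, execute_data) != SUCCESS) {
 free_alloca(arg_types, arg_types_use_heap);
 free_alloca(arg_values, arg_values_use_heap);
@@ -2597,7 +2600,7 @@ static ZEND_FUNCTION(ffi_trampoline) /* {{{ */
 } ZEND_HASH_FOREACH_END();
 }
 for (; n < EX_NUM_ARGS(); n++) {
-arg_values[n] = ((char*)arg_values) + (sizeof(void*) * EX_NUM_ARGS()) + (FFI_SIZEOF_ARG * n);
+arg_values[n] = ((char*)arg_values) + (sizeof(void*) * EX_NUM_ARGS()) + (ZEND_FFI_SIZEOF_ARG * n);
 if (zend_ffi_pass_var_arg(EX_VAR_NUM(n), &arg_types[n], arg_values, n, execute_data) != SUCCESS) {
 free_alloca(arg_types, arg_types_use_heap);
 free_alloca(arg_values, arg_values_use_heap);
@@ -2627,12 +2630,12 @@ static ZEND_FUNCTION(ffi_trampoline) /* {{{ */
 arg_types = do_alloca(
 (sizeof(ffi_type*) + sizeof(ffi_type)) * EX_NUM_ARGS(), arg_types_use_heap);
 arg_values = do_alloca(
-(sizeof(void*) + FFI_SIZEOF_ARG) * EX_NUM_ARGS(), arg_values_use_heap);
+(sizeof(void*) + ZEND_FFI_SIZEOF_ARG) * EX_NUM_ARGS(), arg_values_use_heap);
 n = 0;
 if (type->func.args) {
 ZEND_HASH_FOREACH_PTR(type->func.args, arg_type) {
 arg_type = ZEND_FFI_TYPE(arg_type);
-arg_values[n] = ((char*)arg_values) + (sizeof(void*) * EX_NUM_ARGS()) + (FFI_SIZEOF_ARG * n);
+arg_values[n] = ((char*)arg_values) + (sizeof(void*) * EX_NUM_ARGS()) + (ZEND_FFI_SIZEOF_ARG * n);
 if (zend_ffi_pass_arg(EX_VAR_NUM(n), arg_type, &arg_types[n], arg_values, n, execute_data) != SUCCESS) {
 free_alloca(arg_types, arg_types_use_heap);
 free_alloca(arg_values, arg_values_use_heap);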
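Review bot: The new ZEND_FFI_SIZEOF_ARG in the first hunk carries no comment stating the invariant it enforces, and that invariant is easy to break silently: every scratch slot handed out as `arg_values[n]` must hold the widest scalar that zend_ffi_pass_arg()/zend_ffi_pass_var_arg() (both outside these hunks) store into it, so if either helper can ever write a `long double` or any other type wider than `double`, the same out-of-bounds write as bug #78488 comes back with no diagnostic. I would add `/* Size of one argument scratch slot in ffi_trampoline(): must cover the widest scalar zend_ffi_pass_arg() stores, not only libffi's FFI_SIZEOF_ARG */` above the define, and a compile-time assertion next to the widest store so the two cannot drift apart. Separately, the slots start at `(char*)arg_values + sizeof(void*) * EX_NUM_ARGS()`, which on a 32-bit target appears to be only 4-byte aligned whenever the argument count is odd; an 8-byte store there is harmless on x86 but may fault on strict-alignment targets, so rounding the pointer-table size up to a multiple of ZEND_FFI_SIZEOF_ARG would be cheap insurance. The surrounding ffi_trampoline() body begins and ends outside these hunks.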
