Merge branch 'PHP-8.2' into PHP-8.3

arnaud-lb · arnaud-lb · commit bc57c77fa22e · 2024-06-25T15:15:46.000+02:00
* PHP-8.2: [ci skip] NEWS for GH-14626 Fix is_zend_ptr() for huge blocks (#14626)
diff --git a/Zend/tests/gh14626.phpt b/Zend/tests/gh14626.phpt
@@ -0,0 +1,18 @@
+--TEST--
+GH-14626: is_zend_ptr() may crash for non-zend ptrs when huge blocks exist
+--EXTENSIONS--
+zend_test
+--FILE--
+<?php
+
+// Ensure there is at least one huge_block
+$str = str_repeat('a', 2*1024*1024);
+
+// Check that is_zend_ptr() does not crash
+zend_test_is_zend_ptr(0);
+zend_test_is_zend_ptr(1<<30);
+
+?>
+==DONE==
+--EXPECT--
+==DONE==
diff --git a/Zend/zend_alloc.c b/Zend/zend_alloc.c
@@ -2469,17 +2469,15 @@ ZEND_API bool is_zend_ptr(const void *ptr)
 		} while (chunk != AG(mm_heap)->main_chunk);
 	}
 
-	if (AG(mm_heap)->huge_list) {
-		zend_mm_huge_list *block = AG(mm_heap)->huge_list;
-
-		do {
-			if (ptr >= (void*)block
-			 && ptr < (void*)((char*)block + block->size)) {
-				return 1;
-			}
-			block = block->next;
-		} while (block != AG(mm_heap)->huge_list);
+	zend_mm_huge_list *block = AG(mm_heap)->huge_list;
+	while (block) {
+		if (ptr >= (void*)block
+				&& ptr < (void*)((char*)block + block->size)) {
+			return 1;
+		}
+		block = block->next;
 	}
+
 	return 0;
 }
 
diff --git a/ext/ffi/tests/gh14626.phpt b/ext/ffi/tests/gh14626.phpt
@@ -0,0 +1,32 @@
+--TEST--
+GH-14626: FFI::free() may crash in is_zend_ptr() when at least one huge block exists and the ptr is non-zend
+--EXTENSIONS--
+ffi
+--SKIPIF--
+<?php
+if (substr(PHP_OS, 0, 3) == 'WIN') die("skip no malloc() on windows");
+?>
+--INI--
+ffi.enable=1
+--FILE--
+<?php
+
+// Ensure there is at least one huge_block
+$str = str_repeat('a', 2*1024*1024);
+
+$ffi = FFI::cdef(<<<C
+    void *malloc(size_t size);
+C);
+
+$ptr = $ffi->malloc(10);
+$addr = $ffi->cast("uintptr_t", $ffi->cast("char*", $ptr))->cdata;
+
+$ptr = FFI::cdef()->cast("char*", $addr);
+
+// Should not crash in is_zend_ptr()
+FFI::free($ptr);
+
+?>
+==DONE==
+--EXPECT--
+==DONE==
diff --git a/ext/zend_test/test.c b/ext/zend_test/test.c
@@ -782,6 +782,17 @@ static ZEND_FUNCTION(zend_test_cast_fread)
 	}
 }
 
+static ZEND_FUNCTION(zend_test_is_zend_ptr)
+{
+	zend_long addr;
+
+	ZEND_PARSE_PARAMETERS_START(1, 1)
+		Z_PARAM_LONG(addr);
+	ZEND_PARSE_PARAMETERS_END();
+
+	RETURN_BOOL(is_zend_ptr((void*)addr));
+}
+
 static zend_object *zend_test_class_new(zend_class_entry *class_type)
 {
 	zend_object *obj = zend_objects_new(class_type);
diff --git a/ext/zend_test/test.stub.php b/ext/zend_test/test.stub.php
@@ -253,6 +253,8 @@ function zend_test_set_fmode(bool $binary): void {}
 
     /** @param resource $stream */
     function zend_test_cast_fread($stream): void {}
+
+    function zend_test_is_zend_ptr(int $addr): bool {}
 }
 
 namespace ZendTestNS {
diff --git a/ext/zend_test/test_arginfo.h b/ext/zend_test/test_arginfo.h

Original file line number	Diff line number	Diff line change
`@@ -782,6 +782,17 @@ static ZEND_FUNCTION(zend_test_cast_fread)`
`782`	`782`	`}`
`783`	`783`	`}`
`784`	`784`
	`785`	`+static ZEND_FUNCTION(zend_test_is_zend_ptr)`
	`786`	`+{`
	`787`	`+ zend_long addr;`
	`788`	`+`
	`789`	`+ ZEND_PARSE_PARAMETERS_START(1, 1)`
	`790`	`+ Z_PARAM_LONG(addr);`
	`791`	`+ ZEND_PARSE_PARAMETERS_END();`
	`792`	`+`
	`793`	`+ RETURN_BOOL(is_zend_ptr((void*)addr));`
	`794`	`+}`
	`795`	`+`
`785`	`796`	`static zend_object zend_test_class_new(zend_class_entry class_type)`
`786`	`797`	`{`
`787`	`798`	`zend_object *obj = zend_objects_new(class_type);`
Original file line number	Diff line number	Diff line change
`@@ -253,6 +253,8 @@ function zend_test_set_fmode(bool $binary): void {}`
`253`	`253`
`254`	`254`	`/** @param resource $stream */`
`255`	`255`	`function zend_test_cast_fread($stream): void {}`
	`256`	`+`
	`257`	`+ function zend_test_is_zend_ptr(int $addr): bool {}`
`256`	`258`	`}`
`257`	`259`
`258`	`260`	`namespace ZendTestNS {`