Fixed bug #79094 (Crashing when running recursion function)

dstogov · dstogov · commit db7193f31ea9 · 2020-01-31T10:34:04.000+03:00
diff --git a/Zend/zend_execute.c b/Zend/zend_execute.c
@@ -4452,6 +4452,39 @@ static zend_never_inline int ZEND_FASTCALL zend_quick_check_constant(
 	return _zend_quick_get_constant(key, 0, 1 OPLINE_CC EXECUTE_DATA_CC);
 } /* }}} */
 
+#if defined(ZEND_VM_IP_GLOBAL_REG) && ((ZEND_VM_KIND == ZEND_VM_KIND_CALL) || (ZEND_VM_KIND == ZEND_VM_KIND_HYBRID))
+/* Special versions of functions that sets EX(opline) before calling zend_vm_stack_extend() */
+static zend_always_inline zend_execute_data *_zend_vm_stack_push_call_frame_ex(uint32_t used_stack, uint32_t call_info, zend_function *func, uint32_t num_args, void *object_or_called_scope) /* {{{ */
+{
+	zend_execute_data *call = (zend_execute_data*)EG(vm_stack_top);
+
+	ZEND_ASSERT_VM_STACK_GLOBAL;
+
+	if (UNEXPECTED(used_stack > (size_t)(((char*)EG(vm_stack_end)) - (char*)call))) {
+		EX(opline) = opline; /* this is the only difference */
+		call = (zend_execute_data*)zend_vm_stack_extend(used_stack);
+		ZEND_ASSERT_VM_STACK_GLOBAL;
+		zend_vm_init_call_frame(call, call_info | ZEND_CALL_ALLOCATED, func, num_args, object_or_called_scope);
+		return call;
+	} else {
+		EG(vm_stack_top) = (zval*)((char*)call + used_stack);
+		zend_vm_init_call_frame(call, call_info, func, num_args, object_or_called_scope);
+		return call;
+	}
+} /* }}} */
+
+static zend_always_inline zend_execute_data *_zend_vm_stack_push_call_frame(uint32_t call_info, zend_function *func, uint32_t num_args, void *object_or_called_scope) /* {{{ */
+{
+	uint32_t used_stack = zend_vm_calc_used_stack(num_args, func);
+
+	return _zend_vm_stack_push_call_frame_ex(used_stack, call_info,
+		func, num_args, object_or_called_scope);
+} /* }}} */
+#else
+# define _zend_vm_stack_push_call_frame_ex zend_vm_stack_push_call_frame_ex
+# define _zend_vm_stack_push_call_frame    zend_vm_stack_push_call_frame
+#endif
+
 #ifdef ZEND_VM_TRACE_HANDLERS
 # include "zend_vm_trace_handlers.h"
 #elif defined(ZEND_VM_TRACE_MAP)
diff --git a/Zend/zend_vm_def.h b/Zend/zend_vm_def.h
@@ -3783,7 +3783,7 @@ ZEND_VM_HOT_HANDLER(59, ZEND_INIT_FCALL_BY_NAME, ANY, CONST, NUM|CACHE_SLOT)
 		}
 		CACHE_PTR(opline->result.num, fbc);
 	}
-	call = zend_vm_stack_push_call_frame(ZEND_CALL_NESTED_FUNCTION,
+	call = _zend_vm_stack_push_call_frame(ZEND_CALL_NESTED_FUNCTION,
 		fbc, opline->extended_value, NULL);
 	call->prev_execute_data = EX(call);
 	EX(call) = call;
@@ -3946,7 +3946,7 @@ ZEND_VM_HOT_HANDLER(69, ZEND_INIT_NS_FCALL_BY_NAME, ANY, CONST, NUM|CACHE_SLOT)
 		CACHE_PTR(opline->result.num, fbc);
 	}
 
-	call = zend_vm_stack_push_call_frame(ZEND_CALL_NESTED_FUNCTION,
+	call = _zend_vm_stack_push_call_frame(ZEND_CALL_NESTED_FUNCTION,
 		fbc, opline->extended_value, NULL);
 	call->prev_execute_data = EX(call);
 	EX(call) = call;
@@ -3976,7 +3976,7 @@ ZEND_VM_HOT_HANDLER(61, ZEND_INIT_FCALL, NUM, CONST, NUM|CACHE_SLOT)
 		CACHE_PTR(opline->result.num, fbc);
 	}
 
-	call = zend_vm_stack_push_call_frame_ex(
+	call = _zend_vm_stack_push_call_frame_ex(
 		opline->op1.num, ZEND_CALL_NESTED_FUNCTION,
 		fbc, opline->extended_value, NULL);
 	call->prev_execute_data = EX(call);
diff --git a/Zend/zend_vm_execute.h b/Zend/zend_vm_execute.h
@@ -2897,7 +2897,7 @@ static ZEND_VM_HOT ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_INIT_FCALL_BY_NAME
 		}
 		CACHE_PTR(opline->result.num, fbc);
 	}
-	call = zend_vm_stack_push_call_frame(ZEND_CALL_NESTED_FUNCTION,
+	call = _zend_vm_stack_push_call_frame(ZEND_CALL_NESTED_FUNCTION,
 		fbc, opline->extended_value, NULL);
 	call->prev_execute_data = EX(call);
 	EX(call) = call;
@@ -2984,7 +2984,7 @@ static ZEND_VM_HOT ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_INIT_NS_FCALL_BY_N
 		CACHE_PTR(opline->result.num, fbc);
 	}
 
-	call = zend_vm_stack_push_call_frame(ZEND_CALL_NESTED_FUNCTION,
+	call = _zend_vm_stack_push_call_frame(ZEND_CALL_NESTED_FUNCTION,
 		fbc, opline->extended_value, NULL);
 	call->prev_execute_data = EX(call);
 	EX(call) = call;
@@ -3014,7 +3014,7 @@ static ZEND_VM_HOT ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_INIT_FCALL_SPEC_CO
 		CACHE_PTR(opline->result.num, fbc);
 	}
 
-	call = zend_vm_stack_push_call_frame_ex(
+	call = _zend_vm_stack_push_call_frame_ex(
 		opline->op1.num, ZEND_CALL_NESTED_FUNCTION,
 		fbc, opline->extended_value, NULL);
 	call->prev_execute_data = EX(call);

Original file line number	Diff line number	Diff line change
`@@ -3783,7 +3783,7 @@ ZEND_VM_HOT_HANDLER(59, ZEND_INIT_FCALL_BY_NAME, ANY, CONST, NUM\|CACHE_SLOT)`
`3783`	`3783`	`}`
`3784`	`3784`	`CACHE_PTR(opline->result.num, fbc);`
`3785`	`3785`	`}`
`3786`		`- call = zend_vm_stack_push_call_frame(ZEND_CALL_NESTED_FUNCTION,`
	`3786`	`+ call = _zend_vm_stack_push_call_frame(ZEND_CALL_NESTED_FUNCTION,`
`3787`	`3787`	`fbc, opline->extended_value, NULL);`
`3788`	`3788`	`call->prev_execute_data = EX(call);`
`3789`	`3789`	`EX(call) = call;`
`@@ -3946,7 +3946,7 @@ ZEND_VM_HOT_HANDLER(69, ZEND_INIT_NS_FCALL_BY_NAME, ANY, CONST, NUM\|CACHE_SLOT)`
`3946`	`3946`	`CACHE_PTR(opline->result.num, fbc);`
`3947`	`3947`	`}`
`3948`	`3948`
`3949`		`- call = zend_vm_stack_push_call_frame(ZEND_CALL_NESTED_FUNCTION,`
	`3949`	`+ call = _zend_vm_stack_push_call_frame(ZEND_CALL_NESTED_FUNCTION,`
`3950`	`3950`	`fbc, opline->extended_value, NULL);`
`3951`	`3951`	`call->prev_execute_data = EX(call);`
`3952`	`3952`	`EX(call) = call;`
`@@ -3976,7 +3976,7 @@ ZEND_VM_HOT_HANDLER(61, ZEND_INIT_FCALL, NUM, CONST, NUM\|CACHE_SLOT)`
`3976`	`3976`	`CACHE_PTR(opline->result.num, fbc);`
`3977`	`3977`	`}`
`3978`	`3978`
`3979`		`- call = zend_vm_stack_push_call_frame_ex(`
	`3979`	`+ call = _zend_vm_stack_push_call_frame_ex(`
`3980`	`3980`	`opline->op1.num, ZEND_CALL_NESTED_FUNCTION,`
`3981`	`3981`	`fbc, opline->extended_value, NULL);`
`3982`	`3982`	`call->prev_execute_data = EX(call);`
Original file line number	Diff line number	Diff line change
`@@ -2897,7 +2897,7 @@ static ZEND_VM_HOT ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_INIT_FCALL_BY_NAME`
`2897`	`2897`	`}`
`2898`	`2898`	`CACHE_PTR(opline->result.num, fbc);`
`2899`	`2899`	`}`
`2900`		`- call = zend_vm_stack_push_call_frame(ZEND_CALL_NESTED_FUNCTION,`
	`2900`	`+ call = _zend_vm_stack_push_call_frame(ZEND_CALL_NESTED_FUNCTION,`
`2901`	`2901`	`fbc, opline->extended_value, NULL);`
`2902`	`2902`	`call->prev_execute_data = EX(call);`
`2903`	`2903`	`EX(call) = call;`
`@@ -2984,7 +2984,7 @@ static ZEND_VM_HOT ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_INIT_NS_FCALL_BY_N`
`2984`	`2984`	`CACHE_PTR(opline->result.num, fbc);`
`2985`	`2985`	`}`
`2986`	`2986`
`2987`		`- call = zend_vm_stack_push_call_frame(ZEND_CALL_NESTED_FUNCTION,`
	`2987`	`+ call = _zend_vm_stack_push_call_frame(ZEND_CALL_NESTED_FUNCTION,`
`2988`	`2988`	`fbc, opline->extended_value, NULL);`
`2989`	`2989`	`call->prev_execute_data = EX(call);`
`2990`	`2990`	`EX(call) = call;`
`@@ -3014,7 +3014,7 @@ static ZEND_VM_HOT ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_INIT_FCALL_SPEC_CO`
`3014`	`3014`	`CACHE_PTR(opline->result.num, fbc);`
`3015`	`3015`	`}`
`3016`	`3016`
`3017`		`- call = zend_vm_stack_push_call_frame_ex(`
	`3017`	`+ call = _zend_vm_stack_push_call_frame_ex(`
`3018`	`3018`	`opline->op1.num, ZEND_CALL_NESTED_FUNCTION,`
`3019`	`3019`	`fbc, opline->extended_value, NULL);`
`3020`	`3020`	`call->prev_execute_data = EX(call);`