New implementation (without leaks)

Girgias · Girgias · commit f5efc922d31c · 2019-12-16T06:53:23.000+01:00
diff --git a/Zend/zend_execute.c b/Zend/zend_execute.c
@@ -1571,6 +1571,7 @@ static zend_never_inline void zend_assign_to_string_offset(zval *str, zval *dim,
 {
 	char *string_value;
 	size_t string_len;
+	zend_long old_len = Z_STRLEN_P(str);
 	zend_long offset;
 
 	offset = zend_check_string_offset(dim, BP_VAR_W EXECUTE_DATA_CC);
@@ -1611,7 +1612,6 @@ static zend_never_inline void zend_assign_to_string_offset(zval *str, zval *dim,
 
 		if ((size_t)offset >= Z_STRLEN_P(str)) {
 			/* Extend string if needed */
-			zend_long old_len = Z_STRLEN_P(str);
 			ZVAL_NEW_STR(str, zend_string_extend(Z_STR_P(str), offset + 1, 0));
 			memset(Z_STRVAL_P(str) + old_len, ' ', offset - old_len);
 			Z_STRVAL_P(str)[offset+1] = 0;
@@ -1633,61 +1633,42 @@ static zend_never_inline void zend_assign_to_string_offset(zval *str, zval *dim,
 		return;
 	}
 
+	/* -1 for the byte we are replacing */
+	zend_long new_len = old_len + string_len - 1;
 	if ((size_t)offset >= Z_STRLEN_P(str)) {
-		/* Extend string if needed */
-		zend_long old_len = Z_STRLEN_P(str);
+		/* Extend string */
 		ZVAL_NEW_STR(str, zend_string_extend(Z_STR_P(str), offset + string_len, 0));
 		memset(Z_STRVAL_P(str) + old_len, ' ', offset - old_len);
-		ZVAL_NEW_STR(str, zend_string_init(strcat(Z_STRVAL_P(str), string_value), offset + string_len, 0));
+		memcpy(Z_STRVAL_P(str) + offset, string_value, string_len);
 		if (UNEXPECTED(RETURN_VALUE_USED(opline))) {
-			ZVAL_INTERNED_STR(EX_VAR(opline->result.var), zend_string_init(Z_STRVAL_P(str), Z_STRLEN_P(str), 0));
+			ZVAL_STR(EX_VAR(opline->result.var), zend_string_init(Z_STRVAL_P(str), Z_STRLEN_P(str), 0));
 		}
 		return;
-	} else if (!Z_REFCOUNTED_P(str)) {
-		ZVAL_NEW_STR(str, zend_string_init(Z_STRVAL_P(str), Z_STRLEN_P(str), 0));
+	}
+
+	zend_string *tmp = zend_string_init(Z_STRVAL_P(str), new_len, 0);
+	if (string_len > 0) {
+		memcpy(ZSTR_VAL(tmp) + offset, string_value, string_len);
+	}
+	/* Copy after the replacement string, from the position of the initial string after the offset,
+	 * for the remainder of the initial string (old length - offset) */
+	memcpy(ZSTR_VAL(tmp) + offset + string_len, Z_STRVAL_P(str) + offset + 1, old_len - offset);
+
+	if (!Z_REFCOUNTED_P(str)) {
+		ZVAL_NEW_STR(str, zend_string_init(Z_STRVAL_P(str), new_len, 0));
 	} else if (Z_REFCOUNT_P(str) > 1) {
 		Z_DELREF_P(str);
-		ZVAL_NEW_STR(str, zend_string_init(Z_STRVAL_P(str), Z_STRLEN_P(str), 0));
+		ZVAL_NEW_STR(str, zend_string_init(Z_STRVAL_P(str), new_len, 0));
 	} else {
 		zend_string_forget_hash_val(Z_STR_P(str));
 	}
+	
+	memcpy(Z_STRVAL_P(str), ZSTR_VAL(tmp), new_len);
+	zend_string_release_ex(tmp, 0);
 
-	// Buffer offset
-	int k = 0;
-	// Source offset
-	int i = 0;
-	char *buffer = emalloc(Z_STRLEN_P(str) + string_len - 1); // -1 as we replace a byte
-	char *source = Z_STRVAL_P(str);
-	// Append bytes from the source string to the buffer until the offset is reached
-	while (i < offset) {
-		buffer[k] = source[i];
-		i++;
-		k++;
-	}
-	i++; // Skip byte being replaced
-	// If not an empty string then append all the bytes from the value to the buffer
-	if (string_len > 0) {
-		int j = 0;
-		while (string_value[j] != '\0') {
-			buffer[k] = string_value[j];
-			j++;
-			k++;
-		}
-	}
-	// Add remaining bytes from the source string.
-	while (source[i] != '\0') {
-		buffer[k] = source[i];
-		i++;
-		k++;
-	}
-	// Append NUL byte to make a valid C string. 
-	buffer[k] = '\0';
-	ZVAL_NEW_STR(str, zend_string_init(buffer, Z_STRLEN_P(str) + string_len - 1, 0));
 	if (UNEXPECTED(RETURN_VALUE_USED(opline))) {
-		ZVAL_INTERNED_STR(EX_VAR(opline->result.var), zend_string_init(Z_STRVAL_P(str), Z_STRLEN_P(str), 0));
+		ZVAL_STR(EX_VAR(opline->result.var), zend_string_init(Z_STRVAL_P(str), Z_STRLEN_P(str), 0));
 	}
-	
-	efree(buffer);
 }
 
 static zend_property_info *zend_get_prop_not_accepting_double(zend_reference *ref)
diff --git a/ext/opcache/jit/zend_jit_helpers.c b/ext/opcache/jit/zend_jit_helpers.c
@@ -862,6 +862,7 @@ static zend_never_inline ZEND_COLD void zend_wrong_string_offset(void)
 static zend_never_inline void zend_assign_to_string_offset(zval *str, zval *dim, zval *value, zval *result)
 {
 	zend_string *old_str;
+	zend_long old_len = Z_STRLEN_P(str);
 	zend_uchar c;
 	size_t string_len;
 	zend_long offset;
@@ -895,27 +896,63 @@ static zend_never_inline void zend_assign_to_string_offset(zval *str, zval *dim,
 		c = (zend_uchar)Z_STRVAL_P(value)[0];
 	}
 
-	if (string_len == 0) {
-		/* Error on empty input string */
-		zend_error(E_WARNING, "Cannot assign an empty string to a string offset");
+	if (offset < 0) { /* Handle negative offset */
+		offset += (zend_long)Z_STRLEN_P(str);
+	}
+
+	/* If it's a byte char replace byte directly */
+	if (string_len == 1) {
+		if ((size_t) offset >= Z_STRLEN_P(str)) {
+			/* Extend string if needed */
+			Z_STR_P(str) = zend_string_extend(Z_STR_P(str), offset + 1, 0);
+			Z_TYPE_INFO_P(str) = IS_STRING_EX;
+			memset(Z_STRVAL_P(str) + old_len, ' ', offset - old_len);
+			Z_STRVAL_P(str)[offset + 1] = 0;
+		} else if (!Z_REFCOUNTED_P(str)) {
+			old_str = Z_STR_P(str);
+			Z_STR_P(str) = zend_string_init(Z_STRVAL_P(str), Z_STRLEN_P(str), 0);
+			Z_TYPE_INFO_P(str) = IS_STRING_EX;
+			zend_string_release(old_str);
+		} else {
+			SEPARATE_STRING(str);
+			zend_string_forget_hash_val(Z_STR_P(str));
+		}
+
+		Z_STRVAL_P(str)[offset] = c;
+
 		if (result) {
-			ZVAL_NULL(result);
+			/* Return the new character */
+			ZVAL_INTERNED_STR(result, ZSTR_CHAR(c));
 		}
 		return;
 	}
 
-	if (offset < 0) { /* Handle negative offset */
-		offset += (zend_long)Z_STRLEN_P(str);
-	}
-
+	/* -1 for the byte we are replacing */
+	zend_long new_len = old_len + string_len - 1;
 	if ((size_t)offset >= Z_STRLEN_P(str)) {
-		/* Extend string if needed */
-		zend_long old_len = Z_STRLEN_P(str);
-		Z_STR_P(str) = zend_string_extend(Z_STR_P(str), offset + 1, 0);
-		Z_TYPE_INFO_P(str) = IS_STRING_EX;
+		old_str = Z_STR_P(str);
+		/* Extend string */
+		ZVAL_NEW_STR(str, zend_string_extend(Z_STR_P(str), offset + string_len, 0));
 		memset(Z_STRVAL_P(str) + old_len, ' ', offset - old_len);
-		Z_STRVAL_P(str)[offset+1] = 0;
-	} else if (!Z_REFCOUNTED_P(str)) {
+		memcpy(Z_STRVAL_P(str) + offset, ZSTR_VAL(old_str), string_len);
+
+		zend_string_release(old_str);
+		if (result) {
+			ZVAL_STR(result, zend_string_init(Z_STRVAL_P(str), Z_STRLEN_P(str), 0));
+		}
+		return;
+	}
+
+	old_str = Z_STR_P(str);
+	zend_string *tmp = zend_string_init(Z_STRVAL_P(str), new_len, 0);
+	if (string_len > 0) {
+		memcpy(ZSTR_VAL(tmp) + offset, ZSTR_VAL(old_str), string_len);
+	}
+	/* Copy after the replacement string, from the position of the initial string after the offset,
+	 * for the remainder of the initial string (old length - offset) */
+	memcpy(ZSTR_VAL(tmp) + offset + string_len, Z_STRVAL_P(str) + offset + 1, old_len - offset);
+	
+	if (!Z_REFCOUNTED_P(str)) {
 		old_str = Z_STR_P(str);
 		Z_STR_P(str) = zend_string_init(Z_STRVAL_P(str), Z_STRLEN_P(str), 0);
 		Z_TYPE_INFO_P(str) = IS_STRING_EX;
@@ -925,11 +962,11 @@ static zend_never_inline void zend_assign_to_string_offset(zval *str, zval *dim,
 		zend_string_forget_hash_val(Z_STR_P(str));
 	}
 
-	Z_STRVAL_P(str)[offset] = c;
+	memcpy(Z_STRVAL_P(str), ZSTR_VAL(tmp), new_len);
+	zend_string_release_ex(tmp, 0);
 
 	if (result) {
-		/* Return the new character */
-		ZVAL_INTERNED_STR(result, ZSTR_CHAR(c));
+		ZVAL_STR(result, zend_string_init(Z_STRVAL_P(str), Z_STRLEN_P(str), 0));
 	}
 }
 
