From b4fb66463bb5c71a30ceed196734e81629e5a6cd Mon Sep 17 00:00:00 2001
From: "Christoph M. Becker"
Date: Mon, 24 Oct 2022 15:02:05 +0200
Subject: [PATCH 1/4] Update new test to use EXTENSIONS section instead of SKIPIF
---
 ext/gd/tests/bug81739.phpt | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/ext/gd/tests/bug81739.phpt b/ext/gd/tests/bug81739.phpt
index cc2a90381bab4..b340aa7c07580 100644
--- a/ext/gd/tests/bug81739.phpt
+++ b/ext/gd/tests/bug81739.phpt
@@ -1,9 +1,7 @@
 --TEST--
 Bug #81739 (OOB read due to insufficient validation in imageloadfont())
---SKIPIF--
-
+--EXTENSIONS--
+gd
 --FILE--
Date: Mon, 24 Oct 2022 15:17:18 +0100
Subject: [PATCH 2/4] Fix OpCache build after 0b0259a418b78c05cd5cd23f756582615d9b5918
The intersection type needs to be marked as being allocated on the arena otherwise zend_persist_type() tries to free it and corrupts the Zend MM Heap
Also we only need to allocate the space for a list of size 1 and not the whole length of the intersection type
---
 Zend/zend_compile.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/Zend/zend_compile.c b/Zend/zend_compile.c
index b4be1ebb8e9a8..5243eb608f333 100644
--- a/Zend/zend_compile.c
+++ b/Zend/zend_compile.c
@@ -6522,23 +6522,25 @@ static zend_type zend_compile_typename(
 ZEND_ASSERT(list->children == type_list->num_types);
- ZEND_TYPE_FULL_MASK(type) |= _ZEND_TYPE_ARENA_BIT;
 /* An implicitly nullable intersection type needs to be converted to a DNF type */
 if (force_allow_null) {
 zend_type intersection_type = ZEND_TYPE_INIT_NONE(0);
 ZEND_TYPE_SET_LIST(intersection_type, type_list);
 ZEND_TYPE_FULL_MASK(intersection_type) |= _ZEND_TYPE_INTERSECTION_BIT;
+ ZEND_TYPE_FULL_MASK(intersection_type) |= _ZEND_TYPE_ARENA_BIT;
- zend_type_list *dnf_type_list = zend_arena_alloc(&CG(arena), ZEND_TYPE_LIST_SIZE(list->children));
+ zend_type_list *dnf_type_list = zend_arena_alloc(&CG(arena), ZEND_TYPE_LIST_SIZE(1));
 dnf_type_list->num_types = 1;
 dnf_type_list->types[0] = intersection_type;
 ZEND_TYPE_SET_LIST(type, dnf_type_list);
 /* Inform that the type list is a DNF type */
 ZEND_TYPE_FULL_MASK(type) |= _ZEND_TYPE_UNION_BIT;
+ ZEND_TYPE_FULL_MASK(type) |= _ZEND_TYPE_ARENA_BIT;
 } else {
 ZEND_TYPE_SET_LIST(type, type_list);
 /* Inform that the type list is an intersection type */
 ZEND_TYPE_FULL_MASK(type) |= _ZEND_TYPE_INTERSECTION_BIT;
+ ZEND_TYPE_FULL_MASK(type) |= _ZEND_TYPE_ARENA_BIT;
 }
 } else {
 type = zend_compile_single_typename(ast);
From af75eaf9bf87a2775e7d44ca4ddba6a44973390d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?K=C3=A9vin=20Dunglas?=
Date: Mon, 24 Oct 2022 19:42:55 +0200
Subject: [PATCH 3/4] opcache: fix syntax error introduced in 261a08af65168e24c43a81321284f3f461f3500d (#9821)
---
 ext/opcache/jit/zend_jit_arm64.dasc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ext/opcache/jit/zend_jit_arm64.dasc b/ext/opcache/jit/zend_jit_arm64.dasc
index e436ffcaa82ec..3b7c3cb9fcc5c 100644
--- a/ext/opcache/jit/zend_jit_arm64.dasc
+++ b/ext/opcache/jit/zend_jit_arm64.dasc
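Review bot: The two added `ZEND_TYPE_FULL_MASK(type) |= _ZEND_TYPE_ARENA_BIT;` lines are identical in both branches of `if (force_allow_null)` and can be hoisted to a single statement after the closing `}` of the else; the removed line did the same for `type` in one place before the branch, and only the new bit on `intersection_type` is genuinely new. Placing the one line after both branches works whether or not `ZEND_TYPE_SET_LIST` touches the mask, which is not visible in this hunk. The reason for the bits is the zend_persist_type() free described in the commit message, so a comment above the `dnf_type_list` allocation would spare the next reader the archaeology, e.g. `/* Both lists live in CG(arena); the arena bit keeps zend_persist_type() from freeing them */`. zend_compile_typename() starts and ends outside the hunk.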
@@ -11545,7 +11545,7 @@ static int zend_jit_fetch_dim(dasm_State **Dst,
 |.cold_code
 |2:
 | SET_EX_OPLINE opline, REG0
- if (if (opline->opcode != ZEND_FETCH_DIM_RW) {
+ if (opline->opcode != ZEND_FETCH_DIM_RW) {
 | EXT_CALL zend_jit_prepare_assign_dim_ref, REG0
 }
 | mov FCARG1x, RETVALx
From 598a126976953cf4bd0e7a0ed5dff10677565600 Mon Sep 17 00:00:00 2001
From: Florian Sowade
Date: Mon, 24 Oct 2022 13:39:55 +0200
Subject: [PATCH 4/4] Initialize run time cache in PDO methods
Without the memset the memory was uninitialized and the new test segfaulted when accessing the memory in _zend_observe_fcall_begin().
---
 ext/pdo/pdo_dbh.c | 6 ++-
 .../observer_sqlite_create_function.phpt | 51 +++++++++++++++++++
 2 files changed, 56 insertions(+), 1 deletion(-)
 create mode 100644 ext/zend_test/tests/observer_sqlite_create_function.phpt
diff --git a/ext/pdo/pdo_dbh.c b/ext/pdo/pdo_dbh.c
index 2c56459a62772..a640a1b78d2d3 100644
--- a/ext/pdo/pdo_dbh.c
+++ b/ext/pdo/pdo_dbh.c
@@ -1254,7 +1254,11 @@ bool pdo_hash_methods(pdo_dbh_object_t *dbh_obj, int kind)
 func.function_name = zend_string_init(funcs->fname, strlen(funcs->fname), dbh->is_persistent);
 func.scope = dbh_obj->std.ce;
 func.prototype = NULL;
- ZEND_MAP_PTR(func.run_time_cache) = rt_cache_size ? pemalloc(rt_cache_size, dbh->is_persistent) : NULL;
+ ZEND_MAP_PTR(func.run_time_cache) = NULL;
+ if (rt_cache_size > 0) {
+ ZEND_MAP_PTR(func.run_time_cache) = pemalloc(rt_cache_size, dbh->is_persistent);
+ memset(ZEND_MAP_PTR(func.run_time_cache), 0, rt_cache_size);
+ }
 func.T = ZEND_OBSERVER_ENABLED;
 if (funcs->flags) {
 func.fn_flags = funcs->flags | ZEND_ACC_NEVER_CACHE;
diff --git a/ext/zend_test/tests/observer_sqlite_create_function.phpt b/ext/zend_test/tests/observer_sqlite_create_function.phpt
new file mode 100644
index 0000000000000..85d269c9ead1a
--- /dev/null
+++ b/ext/zend_test/tests/observer_sqlite_create_function.phpt
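Review bot: In the pdo_dbh.c hunk, the `pemalloc` immediately followed by `memset` inside the new `if (rt_cache_size > 0)` block can be one zeroing allocation, `ZEND_MAP_PTR(func.run_time_cache) = pecalloc(1, rt_cache_size, dbh->is_persistent);`, so a later edit cannot separate the allocation from the zero-fill that this commit exists to add. The type of `rt_cache_size` and where it is computed are outside the hunk, so whether `> 0` differs from the earlier truthiness test cannot be judged here. A short comment on the allocation such as `/* must be zero-filled: _zend_observe_fcall_begin() reads this cache and crashed on uninitialised memory */` would tie the code to the failure named in the commit message. pdo_hash_methods() starts and ends outside the hunk.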
@@ -0,0 +1,51 @@
+--TEST--
+Observer: PDO::sqliteCreateFunction() can be observed
+--EXTENSIONS--
+zend_test
+PDO
+pdo_sqlite
+--INI--
+zend_test.observer.enabled=1
+zend_test.observer.observe_all=1
+--FILE--
+sqliteCreateFunction('returnOne', 'returnOne', 0);
+
+foreach ($db->query('SELECT returnOne()') as $row) {
+ var_dump($row);
+}
+
+echo 'Done' . PHP_EOL;
+?>
+--EXPECTF--
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+array(2) {
+ ["returnOne()"]=>
+ int(1)
+ [0]=>
+ int(1)
+}
+
+Done