Merge branch 'PHP-8.3'

* PHP-8.3: [ci skip] NEWS for GH-14626 [ci skip] NEWS for GH-14626 Fix is_zend_ptr() for huge blocks (#14626)
php · Jun 25, 2024 · f7df238 · f7df238
2 parents df6d85a + a5a75ae
commit f7df238
Show file tree

Hide file tree

Showing 6 changed files with 78 additions and 11 deletions.
diff --git a/Zend/tests/gh14626.phpt b/Zend/tests/gh14626.phpt
@@ -0,0 +1,18 @@
+--TEST--
+GH-14626: is_zend_ptr() may crash for non-zend ptrs when huge blocks exist
+--EXTENSIONS--
+zend_test
+--FILE--
+<?php
+
+// Ensure there is at least one huge_block
+$str = str_repeat('a', 2*1024*1024);
+
+// Check that is_zend_ptr() does not crash
+zend_test_is_zend_ptr(0);
+zend_test_is_zend_ptr(1<<30);
+
+?>
+==DONE==
+--EXPECT--
+==DONE==
diff --git a/Zend/zend_alloc.c b/Zend/zend_alloc.c
@@ -2654,17 +2654,15 @@ ZEND_API bool is_zend_ptr(const void *ptr)
 		} while (chunk != AG(mm_heap)->main_chunk);
 	}
 
-	if (AG(mm_heap)->huge_list) {
-		zend_mm_huge_list *block = AG(mm_heap)->huge_list;
-
-		do {
-			if (ptr >= (void*)block
-			 && ptr < (void*)((char*)block + block->size)) {
-				return 1;
-			}
-			block = block->next;
-		} while (block != AG(mm_heap)->huge_list);
+	zend_mm_huge_list *block = AG(mm_heap)->huge_list;
+	while (block) {
+		if (ptr >= (void*)block
+				&& ptr < (void*)((char*)block + block->size)) {
+			return 1;
+		}
+		block = block->next;
 	}
+
 	return 0;
 }
 

diff --git a/ext/ffi/tests/gh14626.phpt b/ext/ffi/tests/gh14626.phpt
@@ -0,0 +1,32 @@
+--TEST--
+GH-14626: FFI::free() may crash in is_zend_ptr() when at least one huge block exists and the ptr is non-zend
+--EXTENSIONS--
+ffi
+--SKIPIF--
+<?php
+if (substr(PHP_OS, 0, 3) == 'WIN') die("skip no malloc() on windows");
+?>
+--INI--
+ffi.enable=1
+--FILE--
+<?php
+
+// Ensure there is at least one huge_block
+$str = str_repeat('a', 2*1024*1024);
+
+$ffi = FFI::cdef(<<<C
+    void *malloc(size_t size);
+C);
+
+$ptr = $ffi->malloc(10);
+$addr = $ffi->cast("uintptr_t", $ffi->cast("char*", $ptr))->cdata;
+
+$ptr = FFI::cdef()->cast("char*", $addr);
+
+// Should not crash in is_zend_ptr()
+FFI::free($ptr);
+
+?>
+==DONE==
+--EXPECT--
+==DONE==
diff --git a/ext/zend_test/test.c b/ext/zend_test/test.c
@@ -814,6 +814,17 @@ static ZEND_FUNCTION(zend_test_cast_fread)
 	}
 }
 
+static ZEND_FUNCTION(zend_test_is_zend_ptr)
+{
+	zend_long addr;
+
+	ZEND_PARSE_PARAMETERS_START(1, 1)
+		Z_PARAM_LONG(addr);
+	ZEND_PARSE_PARAMETERS_END();
+
+	RETURN_BOOL(is_zend_ptr((void*)addr));
+}
+
 static zend_object *zend_test_class_new(zend_class_entry *class_type)
 {
 	zend_object *obj = zend_objects_new(class_type);

diff --git a/ext/zend_test/test.stub.php b/ext/zend_test/test.stub.php
@@ -294,6 +294,8 @@ function zend_test_set_fmode(bool $binary): void {}
 
     /** @param resource $stream */
     function zend_test_cast_fread($stream): void {}
+
+    function zend_test_is_zend_ptr(int $addr): bool {}
 }
 
 namespace ZendTestNS {

diff --git a/ext/zend_test/test_arginfo.h b/ext/zend_test/test_arginfo.h