Fix use after free on AST expressions in constant declarations
bwoebi committed May 2, 2016
1 parent 014fd89 commit 7c174b6
Showing 2 changed files with 2 additions and 10 deletions.
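--- a/Zend/zend_vm_def.h
+++ b/Zend/zend_vm_def.h
@@ -7170,17 +7170,13 @@ ZEND_VM_HANDLER(143, ZEND_DECLARE_CONST, CONST, CONST)
 name = GET_OP1_ZVAL_PTR(BP_VAR_R);
 val = GET_OP2_ZVAL_PTR(BP_VAR_R);
 
-ZVAL_COPY_VALUE(&c.value, val);
+ZVAL_COPY(&c.value, val);
 if (Z_OPT_CONSTANT(c.value)) {
 if (UNEXPECTED(zval_update_constant_ex(&c.value, EX(func)->op_array.scope) != SUCCESS)) {
 FREE_OP1();
 FREE_OP2();
 HANDLE_EXCEPTION();
 }
-} else {
-if (UNEXPECTED(Z_OPT_REFCOUNTED(c.value))) {
-Z_ADDREF(c.value);
-}
 }
 c.flags = CONST_CS; /* non persistent, case sensetive */
 c.name = zend_string_dup(Z_STR_P(name), 0);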
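Review bot: On the failure branch of `zval_update_constant_ex`, the handler leaves through `HANDLE_EXCEPTION()` while `c.value` still owns the reference that the new `ZVAL_COPY` took, so unless the callee releases the value on failure (not visible in this hunk) that reference is leaked. Consider adding `zval_ptr_dtor(&c.value);` before `FREE_OP1();` on that branch. A short comment above the copy, such as `/* own a reference: c.value is updated in place below, so it must not alias the literal unowned */`, would record why `ZVAL_COPY_VALUE` is not enough here. The handler body continues past the hunk, and the same point applies to the generated copy in Zend/zend_vm_execute.h, which should pick it up on regeneration.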
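--- a/Zend/zend_vm_execute.h
+++ b/Zend/zend_vm_execute.h
@@ -6083,17 +6083,13 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_DECLARE_CONST_SPEC_CONST_CONST
 name = EX_CONSTANT(opline->op1);
 val = EX_CONSTANT(opline->op2);
 
-ZVAL_COPY_VALUE(&c.value, val);
+ZVAL_COPY(&c.value, val);
 if (Z_OPT_CONSTANT(c.value)) {
 if (UNEXPECTED(zval_update_constant_ex(&c.value, EX(func)->op_array.scope) != SUCCESS)) {
 
 
 HANDLE_EXCEPTION();
 }
-} else {
-if (UNEXPECTED(Z_OPT_REFCOUNTED(c.value))) {
-Z_ADDREF(c.value);
-}
 }
 c.flags = CONST_CS; /* non persistent, case sensetive */
 c.name = zend_string_dup(Z_STR_P(name), 0);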
