Fix segfault array keys

Many thanks to @xXx-caillou-xXx for finding the true root cause and fixing the issue ♥
author: kkadosh 2018-10-05 22:46:23 +0200
committer: jvoisin 2018-10-05 20:46:23 +0000
commit: fc6e2455c5fcc2a5ec365552fb8d89a9c0571154 (patch)
tree: 0e286d6f140a73c84303cd8e888e5752f1525993 /src/sp_sloppy.c
parent: 2805631c6a71f1214906f8889ad6711f89b493f7 (diff)
1 files changed, 30 insertions, 19 deletions
diff --git a/src/sp_sloppy.c b/src/sp_sloppy.c
index ac0cb8a..695d2a3 100644
--- a/src/sp_sloppy.c
+++ b/src/sp_sloppy.c
@@ -36,48 +36,57 @@ ZEND_API zend_op_array* sp_compile_file(zend_file_handle* file_handle,
  return opline;
 }
-static void array_handler(INTERNAL_FUNCTION_PARAMETERS,
-    const char *name, size_t size,
+static void array_handler(INTERNAL_FUNCTION_PARAMETERS, const char* name,
-    zif_handler orig_handler) {
+                          size_t size, zif_handler orig_handler,
+                          const char* spec) {
  zif_handler handler;
  zval func_name;
  zval params[3];
-  zval *value, *array;
+  zval *value, *array = NULL;
-  zend_bool strict;
+  zend_bool strict = 1;
  memset(&params, 0, sizeof(params));
-  zend_parse_parameters(ZEND_NUM_ARGS(), "zz|b", &value, &array, &strict);
+  zend_parse_parameters(ZEND_NUM_ARGS(), spec, &value, &array, &strict);
  ZVAL_COPY(&params[0], value);
-  ZVAL_COPY(&params[1], array);
+  if (array) {
-  ZVAL_BOOL(&params[2], 1);
+    ZVAL_COPY(&params[1], array);
+    ZVAL_BOOL(&params[2], 1);
+  } else {
+                // if there is no array as parameter, don't set strict mode.
+                // check php's implementation for details.
+    ZVAL_BOOL(&params[2], 0);
+  }
  ZVAL_STRING(&func_name, name);
-  handler = zend_hash_str_find_ptr(
+  handler = zend_hash_str_find_ptr(SNUFFLEUPAGUS_G(sp_internal_functions_hook),
-      SNUFFLEUPAGUS_G(sp_internal_functions_hook), name, size);
+                                   name, size);
-  zend_internal_function *func = zend_hash_str_find_ptr(
+  zend_internal_function* func =
-      CG(function_table), name, size);
+      zend_hash_str_find_ptr(CG(function_table), name, size);
  func->handler = handler;
-  call_user_function(CG(function_table), NULL, &func_name,
+  call_user_function(CG(function_table), NULL, &func_name, return_value, 3,
-      return_value, 3, params);
+                     params);
  func->handler = orig_handler;
 }
 PHP_FUNCTION(sp_in_array) {
  array_handler(INTERNAL_FUNCTION_PARAM_PASSTHRU, "in_array",
-      sizeof("in_array") - 1, PHP_FN(sp_in_array));
+                sizeof("in_array") - 1, PHP_FN(sp_in_array), "zz|b");
 }
 PHP_FUNCTION(sp_array_search) {
  array_handler(INTERNAL_FUNCTION_PARAM_PASSTHRU, "array_search",
-      sizeof("array_search") - 1, PHP_FN(sp_array_search));
+                sizeof("array_search") - 1, PHP_FN(sp_array_search), "zz|b");
 }
 PHP_FUNCTION(sp_array_keys) {
  array_handler(INTERNAL_FUNCTION_PARAM_PASSTHRU, "array_keys",
-      sizeof("array_keys") - 1, PHP_FN(sp_array_keys));
+                sizeof("array_keys") - 1, PHP_FN(sp_array_keys), "z|zb");
 }
 void hook_sloppy() {
@@ -94,6 +103,8 @@ void hook_sloppy() {
  }
  HOOK_FUNCTION("in_array", sp_internal_functions_hook, PHP_FN(sp_in_array));
-  HOOK_FUNCTION("array_search", sp_internal_functions_hook, PHP_FN(sp_array_search));
+  HOOK_FUNCTION("array_search", sp_internal_functions_hook,
-  HOOK_FUNCTION("array_keys", sp_internal_functions_hook, PHP_FN(sp_array_keys));
+                PHP_FN(sp_array_search));
+  HOOK_FUNCTION("array_keys", sp_internal_functions_hook,
+                PHP_FN(sp_array_keys));
 }
author	kkadosh	2018-10-05 22:46:23 +0200
committer	jvoisin	2018-10-05 20:46:23 +0000
commit	fc6e2455c5fcc2a5ec365552fb8d89a9c0571154 (patch)
tree	0e286d6f140a73c84303cd8e888e5752f1525993 /src/sp_sloppy.c
parent	2805631c6a71f1214906f8889ad6711f89b493f7 (diff)

diff --git a/src/sp_sloppy.c b/src/sp_sloppy.c index ac0cb8a..695d2a3 100644 --- a/src/sp_sloppy.c +++ b/src/sp_sloppy.c
@@ -36,48 +36,57 @@ ZEND_API zend_op_array* sp_compile_file(zend_file_handle* file_handle,
36	return opline;	36	return opline;
37	}	37	}
38		38
39	static void array_handler(INTERNAL_FUNCTION_PARAMETERS,	39
40	const char *name, size_t size,	40	static void array_handler(INTERNAL_FUNCTION_PARAMETERS, const char* name,
41	zif_handler orig_handler) {	41	size_t size, zif_handler orig_handler,
		42	const char* spec) {
42	zif_handler handler;	43	zif_handler handler;
43	zval func_name;	44	zval func_name;
44	zval params[3];	45	zval params[3];
45	zval value, array;	46	zval value, array = NULL;
46	zend_bool strict;	47	zend_bool strict = 1;
47		48
48	memset(&params, 0, sizeof(params));	49	memset(&params, 0, sizeof(params));
49	zend_parse_parameters(ZEND_NUM_ARGS(), "zz\|b", &value, &array, &strict);	50
		51	zend_parse_parameters(ZEND_NUM_ARGS(), spec, &value, &array, &strict);
50		52
51	ZVAL_COPY(&params[0], value);	53	ZVAL_COPY(&params[0], value);
52	ZVAL_COPY(&params[1], array);	54	if (array) {
53	ZVAL_BOOL(&params[2], 1);	55	ZVAL_COPY(&params[1], array);
		56	ZVAL_BOOL(&params[2], 1);
		57	} else {
		58	// if there is no array as parameter, don't set strict mode.
		59	// check php's implementation for details.
		60	ZVAL_BOOL(&params[2], 0);
		61	}
		62
54	ZVAL_STRING(&func_name, name);	63	ZVAL_STRING(&func_name, name);
55		64
56	handler = zend_hash_str_find_ptr(	65	handler = zend_hash_str_find_ptr(SNUFFLEUPAGUS_G(sp_internal_functions_hook),
57	SNUFFLEUPAGUS_G(sp_internal_functions_hook), name, size);	66	name, size);
58	zend_internal_function *func = zend_hash_str_find_ptr(	67	zend_internal_function* func =
59	CG(function_table), name, size);	68	zend_hash_str_find_ptr(CG(function_table), name, size);
60	func->handler = handler;	69	func->handler = handler;
61		70
62	call_user_function(CG(function_table), NULL, &func_name,	71	call_user_function(CG(function_table), NULL, &func_name, return_value, 3,
63	return_value, 3, params);	72	params);
64		73
65	func->handler = orig_handler;	74	func->handler = orig_handler;
66	}	75	}
67		76
68	PHP_FUNCTION(sp_in_array) {	77	PHP_FUNCTION(sp_in_array) {
69	array_handler(INTERNAL_FUNCTION_PARAM_PASSTHRU, "in_array",	78	array_handler(INTERNAL_FUNCTION_PARAM_PASSTHRU, "in_array",
70	sizeof("in_array") - 1, PHP_FN(sp_in_array));	79	sizeof("in_array") - 1, PHP_FN(sp_in_array), "zz\|b");
71	}	80	}
72		81
73	PHP_FUNCTION(sp_array_search) {	82	PHP_FUNCTION(sp_array_search) {
74	array_handler(INTERNAL_FUNCTION_PARAM_PASSTHRU, "array_search",	83	array_handler(INTERNAL_FUNCTION_PARAM_PASSTHRU, "array_search",
75	sizeof("array_search") - 1, PHP_FN(sp_array_search));	84	sizeof("array_search") - 1, PHP_FN(sp_array_search), "zz\|b");
76	}	85	}
77		86
78	PHP_FUNCTION(sp_array_keys) {	87	PHP_FUNCTION(sp_array_keys) {
79	array_handler(INTERNAL_FUNCTION_PARAM_PASSTHRU, "array_keys",	88	array_handler(INTERNAL_FUNCTION_PARAM_PASSTHRU, "array_keys",
80	sizeof("array_keys") - 1, PHP_FN(sp_array_keys));	89	sizeof("array_keys") - 1, PHP_FN(sp_array_keys), "z\|zb");
81	}	90	}
82		91
83	void hook_sloppy() {	92	void hook_sloppy() {
@@ -94,6 +103,8 @@ void hook_sloppy() {
94	}	103	}
95		104
96	HOOK_FUNCTION("in_array", sp_internal_functions_hook, PHP_FN(sp_in_array));	105	HOOK_FUNCTION("in_array", sp_internal_functions_hook, PHP_FN(sp_in_array));
97	HOOK_FUNCTION("array_search", sp_internal_functions_hook, PHP_FN(sp_array_search));	106	HOOK_FUNCTION("array_search", sp_internal_functions_hook,
98	HOOK_FUNCTION("array_keys", sp_internal_functions_hook, PHP_FN(sp_array_keys));	107	PHP_FN(sp_array_search));
		108	HOOK_FUNCTION("array_keys", sp_internal_functions_hook,
		109	PHP_FN(sp_array_keys));
99	}	110	}