#
96bf925c |
| 02-Jul-2021 |
Nikita Popov |
Fix return value of wrong function by-ref assign We should be using the result of zend_assign_to_variable() here, which will deref prior to potential freeing. Fixes oss-fuzz #29899.
|
#
82f6f6da |
| 31-May-2021 |
Nikita Popov |
Fixed bug #81090 For concatenation, the in-place variant can be much more efficient, because it will reallocate the string in-place. Special-case the typed property compound assignment code for the case where we concatenate to a string, in which case we know that the result will also be a string, and we don't need the type check anyway.
|
#
97f8ca52 |
| 25-Apr-2021 |
George Peter Banyard |
Fix Bug #80972: Memory exhaustion on invalid string offset Closes GH-6909
|
#
39d8fc1e |
| 31-Mar-2021 |
Dmitry Stogov |
Changed PowerPC CPU registers used by Zend VM to work around GCC bug. Old registers (r28/r29) might be clobbered by _restgpr routine used for return from C function compiled with -Os.
|
#
6dd85f83 |
| 22-Feb-2021 |
Nikita Popov |
Fixed bug #80781 zend_find_array_dim_slow() may throw, make sure to handle this. This backports the code we already use for this on PHP-8.0, and also backports an exception check that makes this easier to catch.
|
#
7b7d9983 |
| 15-Feb-2021 |
Nikita Popov |
Fix symtable cache being used while cleaning symtable We need to first clean the symtable and then check whether a cache slot is available for it. Otherwise, it may happen that a destructor runs while cleaning the table and uses up all the remaining slots in the cache. This is particularly insidious because once we overflow the cache, the first pointer we modify is symtable_cache_ptr, making it hard to understand what happened after the fact. Fixes oss-fuzz #30815.
|
#
a07c1f56 |
| 02-Sep-2020 |
Nikita Popov |
Fix infinite loop on string offset during by-ref list assign There is a deeper underlying issue here, in that the opcodes violate VM write-fetch safety, but let's fix the infinite loop first. This fixes oss-fuzz #25352.
|
#
247105ae |
| 26-Aug-2020 |
Nikita Popov |
Properly handle read_property exception in fetch_property_address Otherwise we leak (and corrupt uninitialized_zval).
|
#
2d087210 |
| 10-Aug-2020 |
Nikita Popov |
Fixed bug #79947 Move the FREE_OP for op_data out of the zend_binary_assign_op_dim_slow() slow path, so it can be used by the other error path as well. This makes ASSIGN_DIM_OP structurally more similar to ASSIGN_DIM.
|
#
77acc8a0 |
| 07-Jul-2020 |
Nikita Popov |
Fixed bug #79793 Make sure the string key is not released while throwing the undefined index warning.
|
#
62bec0e0 |
| 07-Jul-2020 |
Nikita Popov |
Fixed bug #79784 The fix here is essentially the same as for bug #78598, just for the undefined variable notice, rather than the undefined index one.
|
#
220880ad |
| 04-Feb-2020 |
Nikita Popov |
Fixed bug #78598 When performing an RW modification of an array offset, the undefined offset warning may call an error handler / OB callback, which may destroy the array we're supposed to change. Detect this by temporarily incrementing the reference count. If we find that the array has been modified/destroyed in the meantime, we do nothing -- the execution model here would be that the modification has happened on the destroyed version of the array.
|
#
6a9d934b |
| 07-Jul-2020 |
Nikita Popov |
Fixed bug #79779 ASSIGN_OBJ_REF was not handled in zend_wrong_string_offset.
|
#
314ab47e |
| 26-May-2020 |
Nikita Popov |
Fix zend_assign_to_typed_ref() implementation There was some confusion going on here regarding the original value vs the copied value. I've dropped the needs_copy variable, because this code is not inlined, so it would always be true anyway. What we need to do is perform a move-assignment of the copied value (in which case we don't care about performing the assignment before destroying garbage), and destroying the original value for the VAR/TMP cases. This is a bit complicated by the fact that references are passed in via a separate ref variable, so we can't just ptr_dtor the original variable.
|
#
cf68bc41 |
| 02-Apr-2020 |
Nikita Popov |
Fixed bug #79434
|
#
5d0ef4c2 |
| 06-Feb-2020 |
Dmitry Stogov |
Make opcodes to return de-referenced values of typed references (in the same way as for non-typed)
|
#
db7193f3 |
| 31-Jan-2020 |
Dmitry Stogov |
Fixed bug #79094 (Crashing when running recursion function)
|
#
f77747b0 |
| 30-Dec-2019 |
Nikita Popov |
Properly propagate url_stat exceptions during include Make sure we abort operations early, and that we don't emit additional warnings or errors if an exception has been thrown.
|
#
527ad1d8 |
| 19-Dec-2019 |
Nikita Popov |
Avoid signed integer overflow in string offset check Cast to size_t before performing operations instead of afterwards.
|
#
df08d6bf |
| 18-Dec-2019 |
Nikita Popov |
Fix leak in assign_ref with function As far as I can see, the retval copying is already done in all callers of this function, so it should not be duplicated here.
|
#
0301ab70 |
| 18-Dec-2019 |
Nikita Popov |
Fix const/cv freeing on failed reference assignment
|
#
03d1c788 |
| 09-Dec-2019 |
Dmitry Stogov |
Export zend_init_func_run_time_cache()
|
Revision tags: php-7.3.13RC1, php-7.2.26RC1, php-7.4.0, php-7.2.25, php-7.3.12, php-7.4.0RC6, php-7.3.12RC1, php-7.2.25RC1, php-7.4.0RC5 |
|
#
f8413887 |
| 23-Oct-2019 |
Nikita Popov |
Don't autoload when checking property types Noticed while working on union types: We do not load argument and return types during type checks, but we do load property types. I'm normalizing the behavior towards the existing status quo (not loading), though we may consider loading everywhere (all types, and instanceof) in order to properly support class aliases.
|
Revision tags: php-7.1.33, php-7.2.24, php-7.3.11, php-7.4.0RC4 |
|
#
5a076e67 |
| 10-Oct-2019 |
Nikita Popov |
Return error_zval from get_property_ptr_ptr on exception This goes in the reverse direction of 4463acb9513dfb62206760c49b3da1fe4d92f40a. After looking around a bit, it seems that we already check for Z_ISERROR_P() on the get_property_ptr_ptr return value in other places. So do this in zend_fetch_property_address() as well, and also make sure that EG(error_zval) is indeed returned on exception in get_property_ptr_ptr. In particular, this fixes the duplicate exceptions that we used to get because first get_property_ptr_ptr threw one and then read_property throws the same exception again.
|
#
4463acb9 |
| 10-Oct-2019 |
Nikita Popov |
Explicitly check for exceptions in by-ref obj prop assign Relying on setting ERROR if an exception happened during the property address fetch is both a bit fragile and may pessimize other codepaths that will check for exceptions in the VM. Adding an extra exception check instead, which should also allow us to drop the use of ERROR in this area in master.
|