
Fixed bug #75579 (Interned strings buffer overflow may cause crash)
dstogov committed Dec 21, 2017
1 parent 484c11a commit 37bf8bd
Showing 2 changed files with 33 additions and 3 deletions.
4 changes: 3 additions & 1 deletion NEWS
Expand Up @@ -2,7 +2,9 @@ PHP NEWS
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
?? ??? 2017 PHP 7.0.28


- Opcache:
. Fixed bug #75579 (Interned strings buffer overflow may cause crash).
(Dmitry)

04 Jan 2017 PHP 7.0.27

32 changes: 30 additions & 2 deletions ext/opcache/zend_file_cache.c
Expand Up @@ -227,8 +227,17 @@ static void *zend_file_cache_unserialize_interned(zend_string *str, int in_shm)
if (in_shm) {
ret = accel_new_interned_string(str);
if (ret == str) {
/* We have to create new SHM allocated string */
size_t size = _ZSTR_STRUCT_SIZE(ZSTR_LEN(str));
ret = zend_shared_alloc(size);
if (!ret) {
zend_accel_schedule_restart_if_necessary(ACCEL_RESTART_OOM);
LONGJMP(*EG(bailout), FAILURE);
}
memcpy(ret, str, size);
/* String wasn't interned but we will use it as interned anyway */
GC_FLAGS(ret) |= IS_STR_INTERNED | IS_STR_PERMANENT;
GC_REFCOUNT(ret) = 1;
GC_TYPE_INFO(ret) = IS_STRING | ((IS_STR_INTERNED | IS_STR_PERSISTENT | IS_STR_PERMANENT) << 8);
}
} else {
ret = str;
Expand Down Expand Up @@ -1251,6 +1260,7 @@ zend_persistent_script *zend_file_cache_script_load(zend_file_handle *file_handl
zend_accel_hash_entry *bucket;
void *mem, *checkpoint, *buf;
int cache_it = 1;
int ok;

if (!full_path) {
return NULL;
Expand Down Expand Up @@ -1343,6 +1353,7 @@ zend_persistent_script *zend_file_cache_script_load(zend_file_handle *file_handl

if (!ZCG(accel_directives).file_cache_only &&
!ZCSG(restart_in_progress) &&
!ZSMMG(memory_exhausted) &&
accelerator_shm_read_lock() == SUCCESS) {
/* exclusive lock */
zend_shared_alloc_lock();
Expand Down Expand Up @@ -1392,7 +1403,24 @@ zend_persistent_script *zend_file_cache_script_load(zend_file_handle *file_handl
ZCG(mem) = ((char*)mem + info.mem_size);
script = (zend_persistent_script*)((char*)buf + info.script_offset);
script->corrupted = !cache_it; /* used to check if script restored to SHM or process memory */
zend_file_cache_unserialize(script, buf);

ok = 1;
zend_try {
zend_file_cache_unserialize(script, buf);
} zend_catch {
ok = 0;
} zend_end_try();
if (!ok) {
if (cache_it) {
zend_shared_alloc_unlock();
goto use_process_mem;
} else {
zend_arena_release(&CG(arena), checkpoint);
efree(filename);
return NULL;
}
}

script->corrupted = 0;

if (cache_it) {
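Review bot: The recovery at `if (!ok)` abandons the shared-memory block that `buf` points to when `cache_it` is set: after `zend_shared_alloc_unlock()` the `goto use_process_mem` re-allocates the script in process memory and leaves the half-unserialized SHM copy behind, with nothing on this path saying that is deliberate. The only bailout this commit introduces (the `LONGJMP` after a failed `zend_shared_alloc` in the `zend_file_cache_unserialize_interned` hunk above) first calls `zend_accel_schedule_restart_if_necessary(ACCEL_RESTART_OOM)`, so the orphaned block is presumably reclaimed by that restart, but the retry should state the dependency, e.g. `/* SHM is exhausted and an OOM restart is scheduled; the partially unserialized SHM copy is abandoned and the script is loaded again into process memory */`. The retry also relies on the first `zend_file_cache_unserialize()` pass not having modified the buffer that the second pass reads from; a one-line comment naming that invariant next to the `goto` would protect future edits. The `else` branch returns NULL without releasing whatever `buf` was allocated from on the non-shared path; if that allocation is not arena-backed it is lost here, which is worth confirming against the `use_process_mem` code outside this hunk. `zend_file_cache_script_load` begins and ends outside the hunk.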
