

Fix uninitialized run-time cache when resolving named param defaults
Fixes oss-fuzz #25676.
nikic committed Sep 15, 2020
1 parent 3c53732 commit 7e61c2e
Showing 2 changed files with 21 additions and 0 deletions.
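--- a/Zend/tests/named_params/runtime_cache_init.phpt
+++ b/Zend/tests/named_params/runtime_cache_init.phpt
@@ -0,0 +1,17 @@
+--TEST--
+Uninitialized run-time cache when resolving default values
+--FILE--
+<?php
+
+class Test {
+public static function method($a = FOO, $b = 1) {
+echo "a = $a, b = $b\n";
+}
+}
+
+define('FOO', 42);
+call_user_func(['Test', 'method'], b: 0);
+
+?>
+--EXPECT--
+a = 42, b = 0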
4 changes: 4 additions & 0 deletions Zend/zend_execute.c
Expand Up @@ -4464,6 +4464,10 @@ ZEND_API zend_result ZEND_FASTCALL zend_handle_undef_args(zend_execute_data *cal
if (EXPECTED(opline->opcode == ZEND_RECV_INIT)) {
zval *default_value = RT_CONSTANT(opline, opline->op2);
if (Z_OPT_TYPE_P(default_value) == IS_CONSTANT_AST) {
if (UNEXPECTED(!RUN_TIME_CACHE(op_array))) {
init_func_run_time_cache(op_array);
}

void *run_time_cache = RUN_TIME_CACHE(op_array);
zval *cache_val =
(zval *) ((char *) run_time_cache + Z_CACHE_SLOT_P(default_value));
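Review bot: The new lazy initialization at the top of the hunk carries no comment saying why the run-time cache can still be unset at this point, and that reason is the entire fix; a later reader of zend_handle_undef_args will not know which call path arrives here before the cache exists. The added test is the reproducer (call_user_func with a named argument that skips a parameter whose default is a constant AST), so I would record that next to the check: `/* The run-time cache may not be allocated yet on this path (see named_params/runtime_cache_init.phpt); the Z_CACHE_SLOT_P() offset below indexes into it, so initialize lazily. */`. Whether other callers already guarantee an initialized cache cannot be told from the hunk, since zend_handle_undef_args starts before and continues after it.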
