
patch to fix uninitalized read in runkit_method_copy() #34

Closed
wants to merge 2 commits into from


@tony2001

set jmp_addr only for opcodes that actually have it and use it

tony2001 added some commits
@tony2001 tony2001 fix uninitialized read in runkit_method_copy()
set jmp_addr only for opcodes that actually have it and use it
31a6a89
@tony2001 tony2001 Merge git://github.com/zenovich/runkit
* git://github.com/zenovich/runkit:
  Adding and redefining functions and methods, which return references, were fully implemented (#12). New optional argument 'return_ref' of functions runkit_function_add and runkit_function_redefine was introduced. New constant RUNKIT_ACC_RETURN_REFERENCE was introduced for use with functions runkit_method_add and runkit_method_redefine. New tests were added.
  The possible crash on manipulating constants having length less than two characters was eliminated. Functions manipulating constants were corrected to work in PHP5.4, new tests were added.
  All ways of adding and removing magic methods and old-style constructors were reworked and corrected (issue #35). Magic methods __isset, __unset, __callStatic, and __toString are now supported. Functions runkit_class_adopt & runkit_class_emancipate now change class-hierarchy (issue #13). tony2001's patch d63c984 was applied and reworked. New tests were added.
  functions and methods redefining in PHP 5.4 was corrected in all places, new tests were added (#36, #32)
  a fix was added to package.xml
  mad casing of classnames in different versions of PHP
  compilation bug (gcc 4.3+) with definition of internal function was fixed
3c35dda
@zenovich zenovich referenced this pull request from a commit
@tony2001 tony2001 Issue #34:
fix uninitialized read in runkit_method_copy()

set jmp_addr only for opcodes that actually have it and use it

new test was added
48379fa
@zenovich
Owner

merged

@zenovich zenovich closed this
Commits on Sep 11, 2012
  1. @tony2001

    fix uninitialized read in runkit_method_copy()

    tony2001 authored
    set jmp_addr only for opcodes that actually have it and use it
Commits on Sep 18, 2012
  1. @tony2001

    Merge git://github.com/zenovich/runkit

    tony2001 authored
    * git://github.com/zenovich/runkit:
      Adding and redefining functions and methods, which return references, were fully implemented (#12). New optional argument 'return_ref' of functions runkit_function_add and runkit_function_redefine was introduced. New constant RUNKIT_ACC_RETURN_REFERENCE was introduced for use with functions runkit_method_add and runkit_method_redefine. New tests were added.
      The possible crash on manipulating constants having length less than two characters was eliminated. Functions manipulating constants were corrected to work in PHP5.4, new tests were added.
      All ways of adding and removing magic methods and old-style constructors were reworked and corrected (issue #35). Magic methods __isset, __unset, __callStatic, and __toString are now supported. Functions runkit_class_adopt & runkit_class_emancipate now change class-hierarchy (issue #13). tony2001's patch d63c984 was applied and reworked. New tests were added.
      functions and methods redefining in PHP 5.4 was corrected in all places, new tests were added (#36, #32)
      a fix was added to package.xml
      mad casing of classnames in different versions of PHP
      compilation bug (gcc 4.3+) with definition of internal function was fixed
Showing with 56 additions and 17 deletions.
  1. +36 −17 runkit_functions.c
  2. +20 −0 tests/runkit_method_copy_uninit_read.phpt
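--- a/runkit_functions.c
+++ b/runkit_functions.c
@@ -130,7 +130,7 @@ void php_runkit_function_copy_ctor(zend_function *fe, const char *newname, int n
 #if PHP_MAJOR_VERSION > 5 || (PHP_MAJOR_VERSION == 5 && PHP_MINOR_VERSION >= 1)
 zend_compiled_variable *dupvars;
 #endif
-zend_op *opcode_copy;
+zend_op *opcode_copy, *last_op;
 int i;
 if (newname) {
@@ -178,6 +178,7 @@ void php_runkit_function_copy_ctor(zend_function *fe, const char *newname, int n
 #endif
 opcode_copy = safe_emalloc(sizeof(zend_op), fe->op_array.last, 0);
+last_op = fe->op_array.opcodes + fe->op_array.last;
 for(i = 0; i < fe->op_array.last; i++) {
 opcode_copy[i] = fe->op_array.opcodes[i];
 #if (PHP_MAJOR_VERSION == 5 && PHP_MINOR_VERSION < 4) || (PHP_MAJOR_VERSION < 5)
@@ -188,17 +189,23 @@ void php_runkit_function_copy_ctor(zend_function *fe, const char *newname, int n
 #endif
 #ifdef ZEND_ENGINE_2
 } else {
+switch (opcode_copy[i].opcode) {
+# ifdef ZEND_GOTO
+case ZEND_GOTO:
+# endif
+case ZEND_JMP:
 #if (PHP_MAJOR_VERSION == 5 && PHP_MINOR_VERSION >= 4) || (PHP_MAJOR_VERSION > 5)
-if (opcode_copy[i].op1.jmp_addr >= fe->op_array.opcodes &&
-opcode_copy[i].op1.jmp_addr < fe->op_array.opcodes + fe->op_array.last) {
-opcode_copy[i].op1.jmp_addr = opcode_copy + (fe->op_array.opcodes[i].op1.jmp_addr - fe->op_array.opcodes);
-}
+if (opcode_copy[i].op1.jmp_addr >= fe->op_array.opcodes &&
+opcode_copy[i].op1.jmp_addr < last_op) {
+opcode_copy[i].op1.jmp_addr = opcode_copy + (fe->op_array.opcodes[i].op1.jmp_addr - fe->op_array.opcodes);
+}
 #else
-if (opcode_copy[i].op1.u.jmp_addr >= fe->op_array.opcodes &&
-opcode_copy[i].op1.u.jmp_addr < fe->op_array.opcodes + fe->op_array.last) {
-opcode_copy[i].op1.u.jmp_addr = opcode_copy + (fe->op_array.opcodes[i].op1.u.jmp_addr - fe->op_array.opcodes);
-}
+if (opcode_copy[i].op1.u.jmp_addr >= fe->op_array.opcodes &&
+opcode_copy[i].op1.u.jmp_addr < last_op) {
+opcode_copy[i].op1.u.jmp_addr = opcode_copy + (fe->op_array.opcodes[i].op1.u.jmp_addr - fe->op_array.opcodes);
+}
 #endif
+}
 #endif
 }
 #if (PHP_MAJOR_VERSION == 5 && PHP_MINOR_VERSION < 4) || (PHP_MAJOR_VERSION < 5)
@@ -209,17 +216,29 @@ void php_runkit_function_copy_ctor(zend_function *fe, const char *newname, int n
 #endif
 #ifdef ZEND_ENGINE_2
 } else {
+switch (opcode_copy[i].opcode) {
+case ZEND_JMPZ:
+case ZEND_JMPNZ:
+case ZEND_JMPZ_EX:
+case ZEND_JMPNZ_EX:
+# ifdef ZEND_JMP_SET
+case ZEND_JMP_SET:
+# endif
+# ifdef ZEND_JMP_SET_VAR
+case ZEND_JMP_SET_VAR:
+# endif
 #if (PHP_MAJOR_VERSION == 5 && PHP_MINOR_VERSION >= 4) || (PHP_MAJOR_VERSION > 5)
-if (opcode_copy[i].op2.jmp_addr >= fe->op_array.opcodes &&
-opcode_copy[i].op2.jmp_addr < fe->op_array.opcodes + fe->op_array.last) {
-opcode_copy[i].op2.jmp_addr = opcode_copy + (fe->op_array.opcodes[i].op2.jmp_addr - fe->op_array.opcodes);
-}
+if (opcode_copy[i].op2.jmp_addr >= fe->op_array.opcodes &&
+opcode_copy[i].op2.jmp_addr < last_op) {
+opcode_copy[i].op2.jmp_addr = opcode_copy + (fe->op_array.opcodes[i].op2.jmp_addr - fe->op_array.opcodes);
+}
 #else
-if (opcode_copy[i].op2.u.jmp_addr >= fe->op_array.opcodes &&
-opcode_copy[i].op2.u.jmp_addr < fe->op_array.opcodes + fe->op_array.last) {
-opcode_copy[i].op2.u.jmp_addr = opcode_copy + (fe->op_array.opcodes[i].op2.u.jmp_addr - fe->op_array.opcodes);
-}
+if (opcode_copy[i].op2.u.jmp_addr >= fe->op_array.opcodes &&
+opcode_copy[i].op2.u.jmp_addr < last_op) {
+opcode_copy[i].op2.u.jmp_addr = opcode_copy + (fe->op_array.opcodes[i].op2.u.jmp_addr - fe->op_array.opcodes);
+}
 #endif
+}
 #endif
 }
 }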
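Review bot: The opcode case lists in the two new `switch` statements (hunks at -188 and -209) are now the only thing that decides whether a jmp_addr is relocated, and nothing in the code says where the lists come from; a jump-carrying opcode that is not listed keeps its pointer into `fe->op_array.opcodes`, which is exactly the stale-pointer situation the relocation exists to avoid. I would put a comment above each switch, e.g. `/* must mirror the opcodes for which pass_two() fills in jmp_addr; an unlisted jump opcode would keep a pointer into fe's original op_array */`, and end each switch with `default: break;` so the deliberate no-op for every other opcode is explicit rather than implied. Whether the lists are complete for every engine version the `#if` ladders target cannot be checked from the hunk alone and is worth verifying against each supported Zend version's pass_two(). Hoisting the end pointer into `last_op` is a good change; note that `php_runkit_function_copy_ctor` begins before the first hunk.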
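--- a/tests/runkit_method_copy_uninit_read.phpt
+++ b/tests/runkit_method_copy_uninit_read.phpt
@@ -0,0 +1,20 @@
+--TEST--
+runkit_method_copy() causes uninitialized read
+--FILE--
+<?php
+
+runkit_method_copy('test', "new_method", "test", "old_method");
+
+class test
+{
+function old_method() {
+if(1)
+$this->a[] = "b";
+}
+}
+
+echo "==DONE==\n";
+
+?>
+--EXPECT--
+==DONE==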