Fix GH-16013 and bug #80857: Big endian issues

ndossche · ndossche · commit 100aa6c68a55 · 2024-12-24T15:22:57.000+01:00
The FFI call return values follow widening rules. We must widen to `ffi_arg` in the case we're handling a return value for types shorter than the machine width. From http://www.chiark.greenend.org.uk/doc/libffi-dev/html/The-Closure-API.html: > In most cases, ret points to an object of exactly the size of the type specified when cif was constructed. > However, integral types narrower than the system register size are widened. > In these cases your program may assume that ret points to an ffi_arg object. If we don't do this, we get wrong values when reading the return values.
diff --git a/ext/ffi/ffi.c b/ext/ffi/ffi.c
@@ -188,6 +188,22 @@ typedef struct _zend_ffi {
 #define ZEND_FFI_SIZEOF_ARG \
 	MAX(FFI_SIZEOF_ARG, sizeof(double))
 
+/* The FFI call return values follow widening rules.
+ * We must widen to `ffi_arg` in the case we're handling a return value for types shorter than the machine width.
+ * From http://www.chiark.greenend.org.uk/doc/libffi-dev/html/The-Closure-API.html:
+ * > In most cases, ret points to an object of exactly the size of the type specified when cif was constructed.
+ * > However, integral types narrower than the system register size are widened.
+ * > In these cases your program may assume that ret points to an ffi_arg object.
+ */
+#define ZEND_FFI_READ_NARROW(ty, ptr, is_ret) (is_ret ? ((ty) *(ffi_arg *) ptr) : (*(ty *) ptr))
+#define ZEND_FFI_WRITE_NARROW(ty, ptr, val, is_ret) do { \
+	if (is_ret) { \
+		*(ffi_arg *) ptr = (ffi_arg) (ty) val; \
+	} else { \
+		*(ty *) ptr = val; \
+	} \
+} while (0)
+
 typedef struct _zend_ffi_cdata {
 	zend_object            std;
 	zend_ffi_type         *type;
@@ -560,22 +576,22 @@ static zend_always_inline void zend_ffi_cdata_to_zval(zend_ffi_cdata *cdata, voi
 				return;
 #endif
 			case ZEND_FFI_TYPE_UINT8:
-				ZVAL_LONG(rv, *(uint8_t*)ptr);
+				ZVAL_LONG(rv, ZEND_FFI_READ_NARROW(uint8_t, ptr, is_ret));
 				return;
 			case ZEND_FFI_TYPE_SINT8:
-				ZVAL_LONG(rv, *(int8_t*)ptr);
+				ZVAL_LONG(rv, ZEND_FFI_READ_NARROW(int8_t, ptr, is_ret));
 				return;
 			case ZEND_FFI_TYPE_UINT16:
-				ZVAL_LONG(rv, *(uint16_t*)ptr);
+				ZVAL_LONG(rv, ZEND_FFI_READ_NARROW(uint16_t, ptr, is_ret));
 				return;
 			case ZEND_FFI_TYPE_SINT16:
-				ZVAL_LONG(rv, *(int16_t*)ptr);
+				ZVAL_LONG(rv, ZEND_FFI_READ_NARROW(int16_t, ptr, is_ret));
 				return;
 			case ZEND_FFI_TYPE_UINT32:
-				ZVAL_LONG(rv, *(uint32_t*)ptr);
+				ZVAL_LONG(rv, ZEND_FFI_READ_NARROW(uint32_t, ptr, is_ret));
 				return;
 			case ZEND_FFI_TYPE_SINT32:
-				ZVAL_LONG(rv, *(int32_t*)ptr);
+				ZVAL_LONG(rv, ZEND_FFI_READ_NARROW(int32_t, ptr, is_ret));
 				return;
 			case ZEND_FFI_TYPE_UINT64:
 				ZVAL_LONG(rv, *(uint64_t*)ptr);
@@ -584,10 +600,10 @@ static zend_always_inline void zend_ffi_cdata_to_zval(zend_ffi_cdata *cdata, voi
 				ZVAL_LONG(rv, *(int64_t*)ptr);
 				return;
 			case ZEND_FFI_TYPE_BOOL:
-				ZVAL_BOOL(rv, *(uint8_t*)ptr);
+				ZVAL_BOOL(rv, ZEND_FFI_READ_NARROW(uint8_t, ptr, is_ret));
 				return;
 			case ZEND_FFI_TYPE_CHAR:
-				ZVAL_CHAR(rv, *(char*)ptr);
+				ZVAL_CHAR(rv, ZEND_FFI_READ_NARROW(char, ptr, is_ret));
 				return;
 			case ZEND_FFI_TYPE_ENUM:
 				kind = type->enumeration.kind;
@@ -733,7 +749,7 @@ static void zend_ffi_zval_to_bit_field(void *ptr, zend_ffi_field *field, zval *v
 }
 /* }}} */
 
-static zend_always_inline zend_result zend_ffi_zval_to_cdata(void *ptr, zend_ffi_type *type, zval *value) /* {{{ */
+static zend_always_inline zend_result zend_ffi_zval_to_cdata(void *ptr, zend_ffi_type *type, zval *value, bool is_ret) /* {{{ */
 {
 	zend_long lval;
 	double dval;
@@ -746,6 +762,36 @@ static zend_always_inline zend_result zend_ffi_zval_to_cdata(void *ptr, zend_ffi
 		zend_ffi_cdata *cdata = (zend_ffi_cdata*)Z_OBJ_P(value);
 		if (zend_ffi_is_compatible_type(type, ZEND_FFI_TYPE(cdata->type)) &&
 			type->size == ZEND_FFI_TYPE(cdata->type)->size) {
+			if (is_ret && type->size < sizeof(ffi_arg)) {
+again_narrowed:
+				switch (kind) {
+					case ZEND_FFI_TYPE_SINT8:
+						*(ffi_arg *) ptr = (ffi_arg) *(int8_t *) cdata->ptr;
+						return SUCCESS;
+					case ZEND_FFI_TYPE_BOOL:
+					case ZEND_FFI_TYPE_CHAR:
+					case ZEND_FFI_TYPE_UINT8:
+						*(ffi_arg *) ptr = (ffi_arg) *(uint8_t *) cdata->ptr;
+						return SUCCESS;
+					case ZEND_FFI_TYPE_SINT16:
+						*(ffi_arg *) ptr = (ffi_arg) *(int16_t *) cdata->ptr;
+						return SUCCESS;
+					case ZEND_FFI_TYPE_UINT16:
+						*(ffi_arg *) ptr = (ffi_arg) *(uint16_t *) cdata->ptr;
+						return SUCCESS;
+					case ZEND_FFI_TYPE_SINT32:
+						*(ffi_arg *) ptr = (ffi_arg) *(int32_t *) cdata->ptr;
+						return SUCCESS;
+					case ZEND_FFI_TYPE_UINT32:
+						*(ffi_arg *) ptr = (ffi_arg) *(uint32_t *) cdata->ptr;
+						return SUCCESS;
+					case ZEND_FFI_TYPE_ENUM:
+						kind = type->enumeration.kind;
+						goto again_narrowed;
+					default:
+						break;
+				}
+			}
 			memcpy(ptr, cdata->ptr, type->size);
 			return SUCCESS;
 		}
@@ -769,27 +815,27 @@ static zend_always_inline zend_result zend_ffi_zval_to_cdata(void *ptr, zend_ffi
 #endif
 		case ZEND_FFI_TYPE_UINT8:
 			lval = zval_get_long(value);
-			*(uint8_t*)ptr = lval;
+			ZEND_FFI_WRITE_NARROW(uint8_t, ptr, lval, is_ret);
 			break;
 		case ZEND_FFI_TYPE_SINT8:
 			lval = zval_get_long(value);
-			*(int8_t*)ptr = lval;
+			ZEND_FFI_WRITE_NARROW(int8_t, ptr, lval, is_ret);
 			break;
 		case ZEND_FFI_TYPE_UINT16:
 			lval = zval_get_long(value);
-			*(uint16_t*)ptr = lval;
+			ZEND_FFI_WRITE_NARROW(uint16_t, ptr, lval, is_ret);
 			break;
 		case ZEND_FFI_TYPE_SINT16:
 			lval = zval_get_long(value);
-			*(int16_t*)ptr = lval;
+			ZEND_FFI_WRITE_NARROW(int16_t, ptr, lval, is_ret);
 			break;
 		case ZEND_FFI_TYPE_UINT32:
 			lval = zval_get_long(value);
-			*(uint32_t*)ptr = lval;
+			ZEND_FFI_WRITE_NARROW(uint32_t, ptr, lval, is_ret);
 			break;
 		case ZEND_FFI_TYPE_SINT32:
 			lval = zval_get_long(value);
-			*(int32_t*)ptr = lval;
+			ZEND_FFI_WRITE_NARROW(int32_t, ptr, lval, is_ret);
 			break;
 		case ZEND_FFI_TYPE_UINT64:
 			lval = zval_get_long(value);
@@ -800,12 +846,12 @@ static zend_always_inline zend_result zend_ffi_zval_to_cdata(void *ptr, zend_ffi
 			*(int64_t*)ptr = lval;
 			break;
 		case ZEND_FFI_TYPE_BOOL:
-			*(uint8_t*)ptr = zend_is_true(value);
+			ZEND_FFI_WRITE_NARROW(uint8_t, ptr, zend_is_true(value), is_ret);
 			break;
 		case ZEND_FFI_TYPE_CHAR:
 			str = zval_get_tmp_string(value, &tmp_str);
 			if (ZSTR_LEN(str) == 1) {
-				*(char*)ptr = ZSTR_VAL(str)[0];
+				ZEND_FFI_WRITE_NARROW(char, ptr, ZSTR_VAL(str)[0], is_ret);
 			} else {
 				zend_tmp_string_release(tmp_str);
 				zend_ffi_assign_incompatible(value, type);
@@ -984,7 +1030,7 @@ static void zend_ffi_callback_trampoline(ffi_cif* cif, void* ret, void** args, v
 
 	ret_type = ZEND_FFI_TYPE(callback_data->type->func.ret_type);
 	if (ret_type->kind != ZEND_FFI_TYPE_VOID) {
-		zend_ffi_zval_to_cdata(ret, ret_type, &retval);
+		zend_ffi_zval_to_cdata(ret, ret_type, &retval, true);
 	}
 
 	zval_ptr_dtor(&retval);
@@ -1138,7 +1184,7 @@ static zval *zend_ffi_cdata_set(zend_object *obj, zend_string *member, zval *val
 		return &EG(uninitialized_zval);
 	}
 
-	zend_ffi_zval_to_cdata(cdata->ptr, type, value);
+	zend_ffi_zval_to_cdata(cdata->ptr, type, value, false);
 
 	return value;
 }
@@ -1360,7 +1406,7 @@ static zval *zend_ffi_cdata_write_field(zend_object *obj, zend_string *field_nam
 
 	if (EXPECTED(!field->bits)) {
 		ptr = (void*)(((char*)ptr) + field->offset);
-		zend_ffi_zval_to_cdata(ptr, ZEND_FFI_TYPE(field->type), value);
+		zend_ffi_zval_to_cdata(ptr, ZEND_FFI_TYPE(field->type), value, false);
 	} else {
 		zend_ffi_zval_to_bit_field(ptr, field, value);
 	}
@@ -1474,7 +1520,7 @@ static void zend_ffi_cdata_write_dim(zend_object *obj, zval *offset, zval *value
 		return;
 	}
 
-	zend_ffi_zval_to_cdata(ptr, type, value);
+	zend_ffi_zval_to_cdata(ptr, type, value, false);
 }
 /* }}} */
 
@@ -2539,7 +2585,7 @@ static zval *zend_ffi_write_var(zend_object *obj, zend_string *var_name, zval *v
 		return value;
 	}
 
-	zend_ffi_zval_to_cdata(sym->addr, ZEND_FFI_TYPE(sym->type), value);
+	zend_ffi_zval_to_cdata(sym->addr, ZEND_FFI_TYPE(sym->type), value, false);
 	return value;
 }
 /* }}} */
@@ -4016,7 +4062,7 @@ ZEND_METHOD(FFI, cast) /* {{{ */
 			cdata->std.handlers = &zend_ffi_cdata_value_handlers;
 			cdata->type = type_ptr;
 			cdata->ptr = emalloc(type->size);
-			zend_ffi_zval_to_cdata(cdata->ptr, type, zv);
+			zend_ffi_zval_to_cdata(cdata->ptr, type, zv, false);
 			cdata->flags = ZEND_FFI_FLAG_OWNED;
 			if (is_const) {
 				cdata->flags |= ZEND_FFI_FLAG_CONST;
diff --git a/ext/ffi/tests/gh16013.phpt b/ext/ffi/tests/gh16013.phpt
@@ -0,0 +1,137 @@
+--TEST--
+GH-16013 (endianness issue with FFI)
+--EXTENSIONS--
+ffi
+zend_test
+--FILE--
+<?php
+require_once('utils.inc');
+
+$header = <<<HEADER
+enum bug_gh16013_enum {
+	BUG_GH16013_A = 1,
+	BUG_GH16013_B = 2,
+};
+struct bug_gh16013_int_struct {
+	int field;
+};
+struct bug_gh16013_callback_struct {
+	int8_t (*return_int8)(int8_t);
+	uint8_t (*return_uint8)(uint8_t);
+	int16_t (*return_int16)(int16_t);
+	uint16_t (*return_uint16)(uint16_t);
+	int32_t (*return_int32)(int32_t);
+	uint32_t (*return_uint32)(uint32_t);
+	float (*return_float)(float);
+	struct bug_gh16013_int_struct (*return_struct)(struct bug_gh16013_int_struct);
+	enum bug_gh16013_enum (*return_enum)(enum bug_gh16013_enum);
+};
+
+char bug_gh16013_return_char();
+bool bug_gh16013_return_bool();
+short bug_gh16013_return_short();
+int bug_gh16013_return_int();
+enum bug_gh16013_enum bug_gh16013_return_enum();
+struct bug_gh16013_int_struct bug_gh16013_return_struct();
+HEADER;
+
+if (PHP_OS_FAMILY !== 'Windows') {
+    $ffi = FFI::cdef($header);
+} else {
+    try {
+        $ffi = FFI::cdef($header, 'php_zend_test.dll');
+    } catch (FFI\Exception $ex) {
+        $ffi = FFI::cdef($header, ffi_get_php_dll_name());
+    }
+}
+
+echo "--- Return values ---\n";
+var_dump($ffi->bug_gh16013_return_char());
+var_dump($ffi->bug_gh16013_return_bool());
+var_dump($ffi->bug_gh16013_return_short());
+var_dump($ffi->bug_gh16013_return_int());
+var_dump($ffi->bug_gh16013_return_enum());
+var_dump($ffi->bug_gh16013_return_struct());
+
+echo "--- Callback values ---\n";
+$bug_gh16013_callback_struct = $ffi->new('struct bug_gh16013_callback_struct');
+$bug_gh16013_callback_struct->return_int8 = function($val) use($ffi) {
+    $cdata = $ffi->new('int8_t');
+    $cdata->cdata = $val;
+    return $cdata;
+};
+$bug_gh16013_callback_struct->return_uint8 = function($val) use($ffi) {
+    $cdata = $ffi->new('uint8_t');
+    $cdata->cdata = $val;
+    return $cdata;
+};
+$bug_gh16013_callback_struct->return_int16 = function($val) use($ffi) {
+    $cdata = $ffi->new('int16_t');
+    $cdata->cdata = $val;
+    return $cdata;
+};
+$bug_gh16013_callback_struct->return_uint16 = function($val) use($ffi) {
+    $cdata = $ffi->new('uint16_t');
+    $cdata->cdata = $val;
+    return $cdata;
+};
+$bug_gh16013_callback_struct->return_int32 = function($val) use($ffi) {
+    $cdata = $ffi->new('int32_t');
+    $cdata->cdata = $val;
+    return $cdata;
+};
+$bug_gh16013_callback_struct->return_uint32 = function($val) use($ffi) {
+    $cdata = $ffi->new('uint32_t');
+    $cdata->cdata = $val;
+    return $cdata;
+};
+$bug_gh16013_callback_struct->return_float = function($val) use($ffi) {
+    $cdata = $ffi->new('float');
+    $cdata->cdata = $val;
+    return $cdata;
+};
+$bug_gh16013_callback_struct->return_struct = function($val) use($ffi) {
+    return $val;
+};
+$bug_gh16013_callback_struct->return_enum = function($val) use($ffi) {
+    $cdata = $ffi->new('enum bug_gh16013_enum');
+    $cdata->cdata = $val;
+    return $cdata;
+};
+
+var_dump(($bug_gh16013_callback_struct->return_int8)(-4));
+var_dump(($bug_gh16013_callback_struct->return_uint8)(4));
+var_dump(($bug_gh16013_callback_struct->return_int16)(-10000));
+var_dump(($bug_gh16013_callback_struct->return_uint16)(10000));
+var_dump(($bug_gh16013_callback_struct->return_int32)(-100000));
+var_dump(($bug_gh16013_callback_struct->return_uint32)(100000));
+var_dump(($bug_gh16013_callback_struct->return_float)(12.34));
+$struct = $ffi->new('struct bug_gh16013_int_struct');
+$struct->field = 10;
+var_dump(($bug_gh16013_callback_struct->return_struct)($struct));
+var_dump(($bug_gh16013_callback_struct->return_enum)($ffi->BUG_GH16013_B));
+?>
+--EXPECT--
+--- Return values ---
+string(1) "A"
+bool(true)
+int(12345)
+int(123456789)
+int(2)
+object(FFI\CData:struct bug_gh16013_int_struct)#2 (1) {
+  ["field"]=>
+  int(123456789)
+}
+--- Callback values ---
+int(-4)
+int(4)
+int(-10000)
+int(10000)
+int(-100000)
+int(100000)
+float(12.34000015258789)
+object(FFI\CData:struct bug_gh16013_int_struct)#13 (1) {
+  ["field"]=>
+  int(10)
+}
+int(2)
diff --git a/ext/zend_test/test.c b/ext/zend_test/test.c
@@ -1449,6 +1449,41 @@ PHP_ZEND_TEST_API void bug_gh9090_void_int_char_var(int i, char *fmt, ...) {
 
 PHP_ZEND_TEST_API int gh11934b_ffi_var_test_cdata;
 
+enum bug_gh16013_enum {
+	BUG_GH16013_A = 1,
+	BUG_GH16013_B = 2,
+};
+
+struct bug_gh16013_int_struct {
+	int field;
+};
+
+PHP_ZEND_TEST_API char bug_gh16013_return_char(void) {
+	return 'A';
+}
+
+PHP_ZEND_TEST_API bool bug_gh16013_return_bool(void) {
+	return true;
+}
+
+PHP_ZEND_TEST_API short bug_gh16013_return_short(void) {
+	return 12345;
+}
+
+PHP_ZEND_TEST_API int bug_gh16013_return_int(void) {
+	return 123456789;
+}
+
+PHP_ZEND_TEST_API enum bug_gh16013_enum bug_gh16013_return_enum(void) {
+	return BUG_GH16013_B;
+}
+
+PHP_ZEND_TEST_API struct bug_gh16013_int_struct bug_gh16013_return_struct(void) {
+	struct bug_gh16013_int_struct ret;
+	ret.field = 123456789;
+	return ret;
+}
+
 #ifdef HAVE_COPY_FILE_RANGE
 /**
  * This function allows us to simulate early return of copy_file_range by setting the limit_copy_file_range ini setting.
