Fix GH-17187: unreachable program point in zend_hash #17205
Closed
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
This extension also needs a bit of cleanup tbh... |
A bunch of different issues: 1) The referenced value is copied without incrementing the refcount. The reason the refcount isn't incremented is because otherwise the array modifications would violate the RC1 constraints. Solve this by copying the reference itself instead and always read the referenced value. 2) No type checks on the array data, so malicious scripts could cause type confusion bugs. 3) Potential overflow when the arrays resize and we access ctag.
devnexen
reviewed
Dec 27, 2024
|
|
||
| xdata = zend_try_array_init(xdata); | ||
| if (!xdata) { | ||
| if (!zend_try_array_init(xdata)) { |
There was a problem hiding this comment.
not entirely certain about these two changes, is it a cleanup thing you re doing here ?
There was a problem hiding this comment.
It's not cleanup, we need the original value of xdata.
xdata is now a reference, but if the return value of zend_try_array_init were used then it would be the array that xdata references to. We need to hold on to the reference, we can't hold on to the array because that would break the RC1 constraint of the array and would also make it impossible to separate it.
devnexen
approved these changes
Dec 27, 2024
charmitro
pushed a commit
to wasix-org/php
that referenced
this pull request
Mar 13, 2025
A bunch of different issues: 1) The referenced value is copied without incrementing the refcount. The reason the refcount isn't incremented is because otherwise the array modifications would violate the RC1 constraints. Solve this by copying the reference itself instead and always read the referenced value. 2) No type checks on the array data, so malicious scripts could cause type confusion bugs. 3) Potential overflow when the arrays resize and we access ctag. Closes phpGH-17205.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
A bunch of different issues:
The reason the refcount isn't incremented is because otherwise
the array modifications would violate the RC1 constraints.
Solve this by copying the reference itself instead and always
read the referenced value.
cause type confusion bugs.