Merge branch 'PHP-8.4'

nielsdos · nielsdos · commit 466c8b0e0308 · 2024-12-26T12:26:59.000+01:00
* PHP-8.4: Fix GH-17257: UBSAN warning in ext/opcache/jit/zend_jit_vm_helpers.c Fix GH-17223: Memory leak in libxml encoding handling
diff --git a/ext/dom/tests/gh17223.phpt b/ext/dom/tests/gh17223.phpt
@@ -0,0 +1,12 @@
+--TEST--
+GH-17223 (Memory leak in libxml encoding handling)
+--EXTENSIONS--
+dom
+--FILE--
+<?php
+$doc = new DOMDocument("1.0", "Shift-JIS");
+@$doc->save("%00");
+echo "Done\n";
+?>
+--EXPECT--
+Done
diff --git a/ext/libxml/libxml.c b/ext/libxml/libxml.c
@@ -562,11 +562,11 @@ php_libxml_output_buffer_create_filename(const char *URI,
 	char *unescaped = NULL;
 
 	if (URI == NULL)
-		return(NULL);
+		goto err;
 
 	if (strstr(URI, "%00")) {
 		php_error_docref(NULL, E_WARNING, "URI must not contain percent-encoded NUL bytes");
-		return NULL;
+		goto err;
 	}
 
 	puri = xmlParseURI(URI);
@@ -587,7 +587,7 @@ php_libxml_output_buffer_create_filename(const char *URI,
 	}
 
 	if (context == NULL) {
-		return(NULL);
+		goto err;
 	}
 
 	/* Allocate the Output buffer front-end. */
@@ -599,6 +599,11 @@ php_libxml_output_buffer_create_filename(const char *URI,
 	}
 
 	return(ret);
+
+err:
+	/* Similarly to __xmlOutputBufferCreateFilename we should also close the encoder on failure. */
+	xmlCharEncCloseFunc(encoder);
+	return NULL;
 }
 
 static void php_libxml_free_error(void *ptr)
diff --git a/ext/opcache/jit/zend_jit_internal.h b/ext/opcache/jit/zend_jit_internal.h
@@ -231,6 +231,7 @@ ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL zend_jit_func_counter_helper(ZEND_OPCODE_H
 ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL zend_jit_loop_counter_helper(ZEND_OPCODE_HANDLER_ARGS);
 
 void ZEND_FASTCALL zend_jit_copy_extra_args_helper(EXECUTE_DATA_D);
+void ZEND_FASTCALL zend_jit_copy_extra_args_helper_no_skip_recv(EXECUTE_DATA_D);
 bool ZEND_FASTCALL zend_jit_deprecated_helper(OPLINE_D);
 void ZEND_FASTCALL zend_jit_undefined_long_key(EXECUTE_DATA_D);
 void ZEND_FASTCALL zend_jit_undefined_long_key_ex(zend_long key EXECUTE_DATA_DC);
diff --git a/ext/opcache/jit/zend_jit_ir.c b/ext/opcache/jit/zend_jit_ir.c
@@ -3053,6 +3053,7 @@ static void zend_jit_setup_disasm(void)
 	REGISTER_HELPER(zend_jit_undefined_long_key_ex);
 	REGISTER_HELPER(zend_jit_undefined_string_key);
 	REGISTER_HELPER(zend_jit_copy_extra_args_helper);
+	REGISTER_HELPER(zend_jit_copy_extra_args_helper_no_skip_recv);
 	REGISTER_HELPER(zend_jit_vm_stack_free_args_helper);
 	REGISTER_HELPER(zend_free_extra_named_params);
 	REGISTER_HELPER(zend_jit_free_call_frame);
@@ -10292,6 +10293,7 @@ static int zend_jit_do_fcall(zend_jit_ctx *jit, const zend_op *opline, const zen
 					}
 				}
 			} else {
+				ir_ref helper;
 				if (!trace || (trace->op == ZEND_JIT_TRACE_END
 				 && trace->stop >= ZEND_JIT_TRACE_STOP_INTERPRETER)) {
 					ir_ref ip;
@@ -10305,11 +10307,14 @@ static int zend_jit_do_fcall(zend_jit_ctx *jit, const zend_op *opline, const zen
 						ip = ir_LOAD_A(ir_ADD_OFFSET(func_ref, offsetof(zend_op_array, opcodes)));
 					}
 					jit_LOAD_IP(jit, ip);
+					helper = ir_CONST_FC_FUNC(zend_jit_copy_extra_args_helper);
+				} else {
+					helper = ir_CONST_FC_FUNC(zend_jit_copy_extra_args_helper_no_skip_recv);
 				}
 				if (GCC_GLOBAL_REGS) {
-					ir_CALL(IR_VOID, ir_CONST_FC_FUNC(zend_jit_copy_extra_args_helper));
+					ir_CALL(IR_VOID, helper);
 				} else {
-					ir_CALL_1(IR_VOID, ir_CONST_FC_FUNC(zend_jit_copy_extra_args_helper), jit_FP(jit));
+					ir_CALL_1(IR_VOID, helper, jit_FP(jit));
 				}
 			}
 		} else {
diff --git a/ext/opcache/jit/zend_jit_vm_helpers.c b/ext/opcache/jit/zend_jit_vm_helpers.c
@@ -120,7 +120,7 @@ ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL zend_jit_leave_func_helper(EXECUTE_DATA_D)
 	}
 }
 
-void ZEND_FASTCALL zend_jit_copy_extra_args_helper(EXECUTE_DATA_D)
+static void ZEND_FASTCALL zend_jit_copy_extra_args_helper_ex(bool skip_recv EXECUTE_DATA_DC)
 {
 	zend_op_array *op_array = &EX(func)->op_array;
 
@@ -130,7 +130,7 @@ void ZEND_FASTCALL zend_jit_copy_extra_args_helper(EXECUTE_DATA_D)
 		zval *end, *src, *dst;
 		uint32_t type_flags = 0;
 
-		if (EXPECTED((op_array->fn_flags & ZEND_ACC_HAS_TYPE_HINTS) == 0)) {
+		if (skip_recv && EXPECTED((op_array->fn_flags & ZEND_ACC_HAS_TYPE_HINTS) == 0)) {
 			/* Skip useless ZEND_RECV and ZEND_RECV_INIT opcodes */
 #ifdef HAVE_GCC_GLOBAL_REGS
 			opline += first_extra_arg;
@@ -166,6 +166,16 @@ void ZEND_FASTCALL zend_jit_copy_extra_args_helper(EXECUTE_DATA_D)
 	}
 }
 
+void ZEND_FASTCALL zend_jit_copy_extra_args_helper(EXECUTE_DATA_D)
+{
+	zend_jit_copy_extra_args_helper_ex(true EXECUTE_DATA_CC);
+}
+
+void ZEND_FASTCALL zend_jit_copy_extra_args_helper_no_skip_recv(EXECUTE_DATA_D)
+{
+	zend_jit_copy_extra_args_helper_ex(false EXECUTE_DATA_CC);
+}
+
 bool ZEND_FASTCALL zend_jit_deprecated_helper(OPLINE_D)
 {
 	zend_execute_data *call = (zend_execute_data *) opline;
diff --git a/ext/opcache/tests/jit/gh17257.phpt b/ext/opcache/tests/jit/gh17257.phpt
@@ -0,0 +1,25 @@
+--TEST--
+GH-17257 (SEGV ext/opcache/jit/zend_jit_vm_helpers.c)
+--EXTENSIONS--
+opcache
+--INI--
+opcache.jit_buffer_size=32M
+opcache.jit=1254
+opcache.jit_hot_func=1
+--FILE--
+<?php
+function get_const() {
+}
+function test() {
+    call_user_func('get_const', 1); // need an extra arg to trigger the issue
+}
+function main(){
+    for ($i = 0; $i < 10; $i++) {
+        test();
+    }
+    echo "Done\n";
+}
+main();
+?>
+--EXPECT--
+Done

Original file line number	Diff line number	Diff line change
`@@ -562,11 +562,11 @@ php_libxml_output_buffer_create_filename(const char *URI,`
`562`	`562`	`char *unescaped = NULL;`
`563`	`563`
`564`	`564`	`if (URI == NULL)`
`565`		`- return(NULL);`
	`565`	`+ goto err;`
`566`	`566`
`567`	`567`	`if (strstr(URI, "%00")) {`
`568`	`568`	`php_error_docref(NULL, E_WARNING, "URI must not contain percent-encoded NUL bytes");`
`569`		`- return NULL;`
	`569`	`+ goto err;`
`570`	`570`	`}`
`571`	`571`
`572`	`572`	`puri = xmlParseURI(URI);`
`@@ -587,7 +587,7 @@ php_libxml_output_buffer_create_filename(const char *URI,`
`587`	`587`	`}`
`588`	`588`
`589`	`589`	`if (context == NULL) {`
`590`		`- return(NULL);`
	`590`	`+ goto err;`
`591`	`591`	`}`
`592`	`592`
`593`	`593`	`/* Allocate the Output buffer front-end. */`
`@@ -599,6 +599,11 @@ php_libxml_output_buffer_create_filename(const char *URI,`
`599`	`599`	`}`
`600`	`600`
`601`	`601`	`return(ret);`
	`602`	`+`
	`603`	`+err:`
	`604`	`+ /* Similarly to __xmlOutputBufferCreateFilename we should also close the encoder on failure. */`
	`605`	`+ xmlCharEncCloseFunc(encoder);`
	`606`	`+ return NULL;`
`602`	`607`	`}`
`603`	`608`
`604`	`609`	`static void php_libxml_free_error(void *ptr)`
Original file line number	Diff line number	Diff line change
`@@ -3053,6 +3053,7 @@ static void zend_jit_setup_disasm(void)`
`3053`	`3053`	`REGISTER_HELPER(zend_jit_undefined_long_key_ex);`
`3054`	`3054`	`REGISTER_HELPER(zend_jit_undefined_string_key);`
`3055`	`3055`	`REGISTER_HELPER(zend_jit_copy_extra_args_helper);`
	`3056`	`+ REGISTER_HELPER(zend_jit_copy_extra_args_helper_no_skip_recv);`
`3056`	`3057`	`REGISTER_HELPER(zend_jit_vm_stack_free_args_helper);`
`3057`	`3058`	`REGISTER_HELPER(zend_free_extra_named_params);`
`3058`	`3059`	`REGISTER_HELPER(zend_jit_free_call_frame);`
`@@ -10292,6 +10293,7 @@ static int zend_jit_do_fcall(zend_jit_ctx jit, const zend_op opline, const zen`
`10292`	`10293`	`}`
`10293`	`10294`	`}`
`10294`	`10295`	`} else {`
	`10296`	`+ ir_ref helper;`
`10295`	`10297`	`if (!trace \|\| (trace->op == ZEND_JIT_TRACE_END`
`10296`	`10298`	`&& trace->stop >= ZEND_JIT_TRACE_STOP_INTERPRETER)) {`
`10297`	`10299`	`ir_ref ip;`
`@@ -10305,11 +10307,14 @@ static int zend_jit_do_fcall(zend_jit_ctx jit, const zend_op opline, const zen`
`10305`	`10307`	`ip = ir_LOAD_A(ir_ADD_OFFSET(func_ref, offsetof(zend_op_array, opcodes)));`
`10306`	`10308`	`}`
`10307`	`10309`	`jit_LOAD_IP(jit, ip);`
	`10310`	`+ helper = ir_CONST_FC_FUNC(zend_jit_copy_extra_args_helper);`
	`10311`	`+ } else {`
	`10312`	`+ helper = ir_CONST_FC_FUNC(zend_jit_copy_extra_args_helper_no_skip_recv);`
`10308`	`10313`	`}`
`10309`	`10314`	`if (GCC_GLOBAL_REGS) {`
`10310`		`- ir_CALL(IR_VOID, ir_CONST_FC_FUNC(zend_jit_copy_extra_args_helper));`
	`10315`	`+ ir_CALL(IR_VOID, helper);`
`10311`	`10316`	`} else {`
`10312`		`- ir_CALL_1(IR_VOID, ir_CONST_FC_FUNC(zend_jit_copy_extra_args_helper), jit_FP(jit));`
	`10317`	`+ ir_CALL_1(IR_VOID, helper, jit_FP(jit));`
`10313`	`10318`	`}`
`10314`	`10319`	`}`
`10315`	`10320`	`} else {`
Original file line number	Diff line number	Diff line change
`@@ -120,7 +120,7 @@ ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL zend_jit_leave_func_helper(EXECUTE_DATA_D)`
`120`	`120`	`}`
`121`	`121`	`}`
`122`	`122`
`123`		`-void ZEND_FASTCALL zend_jit_copy_extra_args_helper(EXECUTE_DATA_D)`
	`123`	`+static void ZEND_FASTCALL zend_jit_copy_extra_args_helper_ex(bool skip_recv EXECUTE_DATA_DC)`
`124`	`124`	`{`
`125`	`125`	`zend_op_array *op_array = &EX(func)->op_array;`
`126`	`126`
`@@ -130,7 +130,7 @@ void ZEND_FASTCALL zend_jit_copy_extra_args_helper(EXECUTE_DATA_D)`
`130`	`130`	`zval end, src, *dst;`
`131`	`131`	`uint32_t type_flags = 0;`
`132`	`132`
`133`		`- if (EXPECTED((op_array->fn_flags & ZEND_ACC_HAS_TYPE_HINTS) == 0)) {`
	`133`	`+ if (skip_recv && EXPECTED((op_array->fn_flags & ZEND_ACC_HAS_TYPE_HINTS) == 0)) {`
`134`	`134`	`/* Skip useless ZEND_RECV and ZEND_RECV_INIT opcodes */`
`135`	`135`	`#ifdef HAVE_GCC_GLOBAL_REGS`
`136`	`136`	`opline += first_extra_arg;`
`@@ -166,6 +166,16 @@ void ZEND_FASTCALL zend_jit_copy_extra_args_helper(EXECUTE_DATA_D)`
`166`	`166`	`}`
`167`	`167`	`}`
`168`	`168`
	`169`	`+void ZEND_FASTCALL zend_jit_copy_extra_args_helper(EXECUTE_DATA_D)`
	`170`	`+{`
	`171`	`+ zend_jit_copy_extra_args_helper_ex(true EXECUTE_DATA_CC);`
	`172`	`+}`
	`173`	`+`
	`174`	`+void ZEND_FASTCALL zend_jit_copy_extra_args_helper_no_skip_recv(EXECUTE_DATA_D)`
	`175`	`+{`
	`176`	`+ zend_jit_copy_extra_args_helper_ex(false EXECUTE_DATA_CC);`
	`177`	`+}`
	`178`	`+`
`169`	`179`	`bool ZEND_FASTCALL zend_jit_deprecated_helper(OPLINE_D)`
`170`	`180`	`{`
`171`	`181`	`zend_execute_data call = (zend_execute_data ) opline;`