Bug #78488 OOB in ZEND_FUNCTION(ffi_trampoline)
Submitted: 2019-09-03 13:45 UTC Modified: 2019-09-03 13:46 UTC
From: cmb@php.net Assigned: dmitry (profile)
Status: Closed Package: Unknown/Other Function
PHP Version: 7.4Git-2019-09-03 (Git) OS: Windows x86
Private report: No CVE-ID: None
 [2019-09-03 13:45 UTC] cmb@php.net
Description:
------------
As of commit 77a0fa1[1], x86 Windows debug builds signal stack memory corruption in ZEND_FUNCTION(ffi_trampoline) when running callconv.phpt. The culprit is that we're not allocating enough space[2], since FFI_SIZEOF_ARG is 4 on x86 Windows, but in zend_ffi_pass_arg() we're copying doubles (and perhaps even wider values) to that memory.

I'm somewhat confused to have a constant for the argument size, since at least some call conventions do not have a fixed argument size to my knowledge, but at least here we must not use this constant, but rather the maximum size of the supported argument types.

[1] <http://git.php.net/?p=php-src.git;a=commit;h=77a0fa101ed59f05ea07b03adb1cb66962fc45e7>
[2] <https://github.com/php/php-src/blob/php-7.4.0beta4/ext/ffi/ffi.c#L2616-L2617>
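The size mismatch described in the report, as an added C example that is not code from php-src: a per-argument slot sized by a 4-byte constant (a stand-in for FFI_SIZEOF_ARG on x86 Windows) cannot hold a double, while a slot sized by a union over the supported argument types can. The union members, the slot sizes and the helper names are assumptions for illustration, not the fix that was committed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Stand-in for the reported allocation: on x86 Windows the per-argument
 * slot was FFI_SIZEOF_ARG == 4 bytes (constant assumed for this example). */
#define CONSTANT_SLOT_SIZE 4

/* A union over the argument types the trampoline may copy (hypothetical set).
 * Its size is the widest supported argument, which is what the report says
 * the slot must be sized by instead of a fixed constant. */
typedef union {
    int32_t  i32;
    int64_t  i64;
    float    f;
    double   d;
    void    *p;
} arg_slot_t;

#define MAX_ARG_SIZE sizeof(arg_slot_t)

/* Copy an argument of `size` bytes into a slot of `slot_size` bytes.
 * Returns false (and copies nothing) when the value would overrun the slot,
 * i.e. the out-of-bounds write the debug build flagged as stack corruption. */
static bool pass_arg_checked(void *slot, size_t slot_size,
                             const void *value, size_t size)
{
    if (size > slot_size) {
        return false;           /* would write past the end of the slot */
    }
    memcpy(slot, value, size);
    return true;
}

/* A double into a 4-byte constant-sized slot: rejected. */
bool double_fits_constant_slot(void)
{
    unsigned char slot[CONSTANT_SLOT_SIZE];
    double v = 1.5;
    return pass_arg_checked(slot, sizeof slot, &v, sizeof v);   /* false */
}

/* A double into a slot sized by the widest supported type: accepted. */
bool double_fits_max_slot(void)
{
    arg_slot_t slot;
    double v = 1.5;
    return pass_arg_checked(&slot, sizeof slot, &v, sizeof v);  /* true */
}
```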


History

 [2019-09-03 13:46 UTC] cmb@php.net
-Assigned To: +Assigned To: dmitry
 [2019-09-03 13:46 UTC] cmb@php.net
Dmitry, could you please have a look at this?
 [2019-09-04 09:17 UTC] dmitry@php.net
Automatic comment on behalf of dmitry@zend.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=1db0bad6a75eaaa6cc849767ace77dae63678bf4
Log: Fixed bug #78488 (OOB in ZEND_FUNCTION(ffi_trampoline)).
 [2019-09-04 09:17 UTC] dmitry@php.net
-Status: Assigned +Status: Closed
 [2019-09-04 09:17 UTC] dmitry@php.net
Automatic comment on behalf of dmitry@zend.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=d03d369fdbb45d87f97b31113c11d3e4c41404cd
Log: Fixed bug #78488 (OOB in ZEND_FUNCTION(ffi_trampoline)).