Description
Struct `zend_string` is defined as a flexible array (a trailing one-element `val[1]` member) in php-src/Zend/zend_types.h, lines 373 to 378 at c2fddac:

```c
struct _zend_string {
    zend_refcounted_h gc;
    zend_ulong        h;      /* hash value */
    size_t            len;
    char              val[1];
};
```
and used in the middle of another struct, `zend_accel_globals` (php-src/ext/opcache/ZendAccelerator.h, lines 227 to 228 at c2fddac):

```c
    zend_string key;
    char        _key[MAXPATHLEN * 8];
```
The end of the array header, `zend_string::val`, and the start of the wrapped array that is meant to follow it, `zend_accel_globals::_key`, are not adjacent in memory. According to the output of pahole on x86_64:
```c
struct _zend_string {
        zend_refcounted_h          gc;                   /*     0     8 */
        zend_ulong                 h;                    /*     8     8 */
        size_t                     len;                  /*    16     8 */
        char                       val[1];               /*    24     1 */

        /* size: 32, cachelines: 1, members: 4 */
        /* padding: 7 */
        /* last cacheline: 32 bytes */
};

struct _zend_accel_globals {
        /* omitted for simplicity */
        zend_string                key;                  /*   400    32 */
        char                       _key[32768];          /*   432 32768 */

        /* size: 33200, cachelines: 519, members: 25 */
        /* sum members: 33187, holes: 4, sum holes: 13 */
        /* last cacheline: 48 bytes */
};
```
The offset of `key` is 400, so its `val` starts at 424, whereas the offset of `_key` is 432: there is a padding of 7 bytes between them. This means that for a pointer `p` of type `zend_accel_globals *`, `p->key.val[1]` is not `p->_key[0]`. If these two fields are ever used together as one contiguous buffer, this will lead to unexpected behaviors.
Although, with a brief search with clang-query, I did not find any usages of these two fields, I think this problem is still worth reporting.
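The layout problem described above can be reproduced without php-src. The following is an added example, not code from php-src or from the issue author: it mirrors the two structs with mock types that are assumed to have the same sizes as the real ones on x86_64 (`zend_refcounted_h` as two 32-bit words, `zend_ulong` and `size_t` as 64-bit), shortens `_key` from `MAXPATHLEN * 8` to 64 bytes (which does not change the gap), measures the padding with `offsetof`, shows that a write "through" `key.val` does not reach `_key[0]`, and contrasts a union-based layout in which header and payload share one array and so are contiguous by construction. The union layout is an illustrative alternative, not php-src's fix.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-ins for the php-src types (assumption: 8 bytes each on x86_64). */
typedef struct { uint32_t refcount; uint32_t type_info; } mock_refcounted_h;
typedef uint64_t mock_zend_ulong;

/* Same shape as _zend_string in the issue: 24-byte header, then val[1]. */
struct mock_string {
    mock_refcounted_h gc;
    mock_zend_ulong   h;
    size_t            len;
    char              val[1];
};

/* The two adjacent members of _zend_accel_globals; other members omitted and
   _key shortened to 64 bytes for the example (neither changes the gap). */
struct mock_globals {
    struct mock_string key;
    char               _key[64];
};

/* Trailing padding inside mock_string: bytes after val[0] up to sizeof.
   pahole reports this as "padding: 7" on x86_64. */
size_t string_tail_padding(void) {
    return sizeof(struct mock_string) - offsetof(struct mock_string, val) - 1;
}

/* Bytes between key.val[1] and _key[0] inside mock_globals.
   Contiguous storage would give 0; the issue's pahole output predicts 7. */
size_t gap_between_val_and_key(void) {
    size_t val_end = offsetof(struct mock_globals, key)
                   + offsetof(struct mock_string, val) + 1;
    return offsetof(struct mock_globals, _key) - val_end;
}

/* Writes "AB" starting at key.val through the struct's raw bytes, the way
   code would if it treated key.val and _key as one buffer. Returns 1 when
   the 'B' landed in padding rather than in _key[0]. */
int second_byte_lost_in_padding(void) {
    struct mock_globals g;
    unsigned char *raw = (unsigned char *)&g;
    size_t val_off = offsetof(struct mock_globals, key)
                   + offsetof(struct mock_string, val);
    memset(&g, 0, sizeof g);
    raw[val_off]     = 'A';   /* key.val[0] */
    raw[val_off + 1] = 'B';   /* padding byte, not _key[0] */
    return g.key.val[0] == 'A' && g._key[0] != 'B';
}

/* Alternative layout (hypothetical, not php-src's): header and payload live
   in ONE byte array, so no inter-member padding can appear between them.
   The header is viewed through the union; the payload starts at offsetof(val). */
union contiguous_key {
    struct mock_string hdr;
    unsigned char      bytes[offsetof(struct mock_string, val) + 64];
};

/* Distance between hdr.val and the payload region of the shared array: always 0. */
size_t contiguous_payload_gap(void) {
    union contiguous_key u;
    unsigned char *payload = u.bytes + offsetof(struct mock_string, val);
    return (size_t)(payload - (unsigned char *)u.hdr.val);
}

int main(void) {
    printf("padding inside zend_string-like header: %zu\n", string_tail_padding());
    printf("gap between key.val[1] and _key[0]:     %zu\n", gap_between_val_and_key());
    printf("second byte lost in padding:            %d\n",  second_byte_lost_in_padding());
    printf("gap in union-based layout:              %zu\n", contiguous_payload_gap());
    return 0;
}
```

Compiled on a 64-bit target the first two lines print 7, matching the pahole figures in the report; the union variant prints 0, which is the property a wrapped-array idiom actually needs. A `_Static_assert` on `gap_between_val_and_key()`-style arithmetic (it is a constant expression when written directly with `offsetof`) is a cheap way to make such a layout assumption fail at compile time rather than silently.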
report-id: 250106-1639:7
PHP Version
latest version
Operating System
Debian 11