Description
Struct `zend_string` is defined as a flexible array (lines 373 to 378 in c2fddac):

```c
struct _zend_string {
	zend_refcounted_h gc;
	zend_ulong        h;      /* hash value */
	size_t            len;
	char              val[1];
};
```
and used in the middle of another struct, `zend_accel_globals` (php-src/ext/opcache/ZendAccelerator.h, lines 227 to 228 in c2fddac):

```c
zend_string key;
char        _key[MAXPATHLEN*8];
```
The end of the array header `zend_string::val` and the start of the following wrapped array `zend_accel_globals::_key` do not line up.
According to the output of `pahole` on x86_64,

```c
struct _zend_string {
	zend_refcounted_h          gc;                   /*     0     8 */
	zend_ulong                 h;                    /*     8     8 */
	size_t                     len;                  /*    16     8 */
	char                       val[1];               /*    24     1 */

	/* size: 32, cachelines: 1, members: 4 */
	/* padding: 7 */
	/* last cacheline: 32 bytes */
};
struct _zend_accel_globals {
	/* omitted for simplicity */
	zend_string                key;                  /*   400    32 */
	char                       _key[32768];          /*   432 32768 */

	/* size: 33200, cachelines: 519, members: 25 */
	/* sum members: 33187, holes: 4, sum holes: 13 */
	/* last cacheline: 48 bytes */
};
```
the offset of `key` is 400, so its `val` starts at 424, whereas the offset of `_key` is 432. There is a padding of 7 bytes between them (the tail padding of `zend_string`, bytes 425 to 431). This means that for a pointer `p` of type `zend_accel_globals *`, `p->key.val[1]` is not `p->_key[0]`. When these two fields are used together, it will lead to unexpected behaviours.
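The following added example (not code from the issue or from php-src) reproduces the two layouts with stand-in types and measures the gap with `offsetof`, so the mismatch can be checked on any compiler rather than read off `pahole`. It assumes `zend_refcounted_h` is two 32-bit words and `zend_ulong` is `unsigned long`, as in php-src on x86_64; the `KEY_BUF_LEN` size is an arbitrary stand-in for `MAXPATHLEN*8`, since only the offsets matter.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-ins for the php-src types, constructed for this example (not the
 * real headers): zend_refcounted_h is two 32-bit words in php-src and
 * zend_ulong is an unsigned long, which reproduces the pahole layout. */
typedef struct { uint32_t refcount; uint32_t type_info; } zend_refcounted_h;
typedef unsigned long zend_ulong;

typedef struct _zend_string {
    zend_refcounted_h gc;
    zend_ulong        h;      /* hash value */
    size_t            len;
    char              val[1]; /* flexible-array-style header */
} zend_string;

/* MAXPATHLEN*8 in php-src; the size does not affect the offsets, so an
 * assumed small value is used here. */
#define KEY_BUF_LEN 64

/* Only the two adjacent members of zend_accel_globals are reproduced. */
typedef struct _zend_accel_globals {
    zend_string key;
    char        _key[KEY_BUF_LEN];
} zend_accel_globals;

/* Where code that treats key.val as a flexible array would expect
 * key.val[1] to live: one byte past val[0]. */
size_t expected_val1_offset(void)
{
    return offsetof(zend_accel_globals, key) + offsetof(zend_string, val) + 1;
}

/* Where the compiler actually placed _key[0]. */
size_t actual_key_offset(void)
{
    return offsetof(zend_accel_globals, _key);
}

/* Tail padding of zend_string sitting between the two; 7 on x86_64. */
size_t padding_between(void)
{
    return actual_key_offset() - expected_val1_offset();
}

/* The same check with pointers into a live object: does key.val + 1 alias
 * _key[0]?  Returns 1 if it does, 0 if there is a gap. */
int val1_aliases_key0(void)
{
    static zend_accel_globals g; /* zero-initialised; only addresses are taken */
    return (char *)g.key.val + 1 == &g._key[0];
}

int main(void)
{
    printf("sizeof(zend_string)=%zu, val at %zu, tail padding %zu\n",
           sizeof(zend_string), offsetof(zend_string, val),
           sizeof(zend_string) - offsetof(zend_string, val) - 1);
    printf("key.val[1] would be at %zu, _key[0] is at %zu: %s\n",
           expected_val1_offset(), actual_key_offset(),
           val1_aliases_key0() ? "contiguous" : "NOT contiguous");
    return 0;
}
```

The gap is simply `sizeof(zend_string) - offsetof(zend_string, val) - 1`, so it is 7 wherever `zend_string` has 8-byte alignment and would only be 0 if `val` happened to end on an alignment boundary; any code that writes past `key.val[0]` expecting to land in `_key` would instead write into padding first.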
Although, with a brief search with `clang-query`, I did not find any usages of these two fields, I think this problem is still worth notification.
report-id: 250106-1639:7
PHP Version
latest version
Operating System
Debian 11