Fix is_zend_ptr() huge block comparison

nielsdos · nielsdos · commit 18674e39ad12 · 2024-11-26T19:24:05.000+01:00
We should compare the block memory, not the block metadata (See zend_mm_add_huge_block). This caused random test failure for ext/ffi/tests/gh14626.phpt when the malloc() performed by the FFI code lies close to the block metadata, and the size of the block is large enough. This was reported by #16902 (comment) Closes GH-16938.
diff --git a/NEWS b/NEWS
@@ -14,6 +14,7 @@ PHP                                                                        NEWS
     (nielsdos)
   . Fixed bug GH-16630 (UAF in lexer with encoding translation and heredocs).
     (nielsdos)
+  . Fix is_zend_ptr() huge block comparison. (nielsdos)
 
 - FPM:
   . Fixed GH-16432 (PHP-FPM 8.2 SIGSEGV in fpm_get_status). (Jakub Zelenka)
diff --git a/Zend/zend_alloc.c b/Zend/zend_alloc.c
@@ -2457,8 +2457,8 @@ ZEND_API bool is_zend_ptr(const void *ptr)
 
 	zend_mm_huge_list *block = AG(mm_heap)->huge_list;
 	while (block) {
-		if (ptr >= (void*)block
-				&& ptr < (void*)((char*)block + block->size)) {
+		if (ptr >= block->ptr
+				&& ptr < (void*)((char*)block->ptr + block->size)) {
 			return 1;
 		}
 		block = block->next;
