SplHeap: Avoid memcpy on overlapping pointer

weltling · weltling · commit afe14236e3f1 · 2020-06-21T22:53:46.000+02:00
Check if data would overlap and also add an assert. Previous
implementations didn't have this issue, as the direct assignment was
used.

Signed-off-by: Anatol Belski &lt;ab@php.net&gt;
diff --git a/ext/spl/spl_heap.c b/ext/spl/spl_heap.c
@@ -98,6 +98,7 @@ static zend_always_inline void *spl_heap_elem(spl_ptr_heap *heap, size_t i) {
 }
 
 static zend_always_inline void spl_heap_elem_copy(spl_ptr_heap *heap, void *to, void *from) {
+	assert(to != from);
 	memcpy(to, from, heap->elem_size);
 }
 
@@ -333,7 +334,10 @@ static int spl_ptr_heap_delete_top(spl_ptr_heap *heap, void *elem, void *cmp_use
 		heap->flags |= SPL_HEAP_CORRUPTED;
 	}
 
-	spl_heap_elem_copy(heap, spl_heap_elem(heap, i), bottom);
+	void *to = spl_heap_elem(heap, i);
+	if (to != bottom) {
+		spl_heap_elem_copy(heap, to, bottom);
+	}
 	return SUCCESS;
 }
 /* }}} */

Original file line number	Diff line number	Diff line change
`@@ -98,6 +98,7 @@ static zend_always_inline void spl_heap_elem(spl_ptr_heap heap, size_t i) {`
`98`	`98`	`}`
`99`	`99`
`100`	`100`	`static zend_always_inline void spl_heap_elem_copy(spl_ptr_heap heap, void to, void *from) {`
	`101`	`+ assert(to != from);`
`101`	`102`	`memcpy(to, from, heap->elem_size);`
`102`	`103`	`}`
`103`	`104`
`@@ -333,7 +334,10 @@ static int spl_ptr_heap_delete_top(spl_ptr_heap heap, void elem, void *cmp_use`
`333`	`334`	`heap->flags \|= SPL_HEAP_CORRUPTED;`
`334`	`335`	`}`
`335`	`336`
`336`		`- spl_heap_elem_copy(heap, spl_heap_elem(heap, i), bottom);`
	`337`	`+ void *to = spl_heap_elem(heap, i);`
	`338`	`+ if (to != bottom) {`
	`339`	`+ spl_heap_elem_copy(heap, to, bottom);`
	`340`	`+ }`
`337`	`341`	`return SUCCESS;`
`338`	`342`	`}`
`339`	`343`	`/* }}} */`