Fixed a possible information leak because of interruption of XOR operator

dstogov · dstogov · commit 4ae16d351c5e · 2010-05-12T11:10:06.000Z
diff --git a/Zend/zend_operators.c b/Zend/zend_operators.c
@@ -965,8 +965,10 @@ ZEND_API int div_function(zval *result, zval *op1, zval *op2 TSRMLS_DC) /* {{{ *
 ZEND_API int mod_function(zval *result, zval *op1, zval *op2 TSRMLS_DC) /* {{{ */
 {
 	zval op1_copy, op2_copy;
+	long op1_lval;
 
 	zendi_convert_to_long(op1, op1_copy, result);
+	op1_lval = Z_LVAL_P(op1);
 	zendi_convert_to_long(op2, op2_copy, result);
 
 	if (Z_LVAL_P(op2) == 0) {
@@ -981,18 +983,20 @@ ZEND_API int mod_function(zval *result, zval *op1, zval *op2 TSRMLS_DC) /* {{{ *
 		return SUCCESS;
 	}
 
-	ZVAL_LONG(result, Z_LVAL_P(op1) % Z_LVAL_P(op2));
+	ZVAL_LONG(result, op1_lval % Z_LVAL_P(op2));
 	return SUCCESS;
 }
 /* }}} */
 
 ZEND_API int boolean_xor_function(zval *result, zval *op1, zval *op2 TSRMLS_DC) /* {{{ */
 {
 	zval op1_copy, op2_copy;
+	long op1_lval;
 
 	zendi_convert_to_boolean(op1, op1_copy, result);
+	op1_lval = Z_LVAL_P(op1);
 	zendi_convert_to_boolean(op2, op2_copy, result);
-	ZVAL_BOOL(result, Z_LVAL_P(op1) ^ Z_LVAL_P(op2));
+	ZVAL_BOOL(result, op1_lval ^ Z_LVAL_P(op2));
 	return SUCCESS;
 }
 /* }}} */
@@ -1038,6 +1042,7 @@ ZEND_API int bitwise_not_function(zval *result, zval *op1 TSRMLS_DC) /* {{{ */
 ZEND_API int bitwise_or_function(zval *result, zval *op1, zval *op2 TSRMLS_DC) /* {{{ */
 {
 	zval op1_copy, op2_copy;
+	long op1_lval;
 
 	if (Z_TYPE_P(op1) == IS_STRING && Z_TYPE_P(op2) == IS_STRING) {
 		zval *longer, *shorter;
@@ -1066,16 +1071,18 @@ ZEND_API int bitwise_or_function(zval *result, zval *op1, zval *op2 TSRMLS_DC) /
 		return SUCCESS;
 	}
 	zendi_convert_to_long(op1, op1_copy, result);
+	op1_lval = Z_LVAL_P(op1);
 	zendi_convert_to_long(op2, op2_copy, result);
 
-	ZVAL_LONG(result, Z_LVAL_P(op1) | Z_LVAL_P(op2));
+	ZVAL_LONG(result, op1_lval | Z_LVAL_P(op2));
 	return SUCCESS;
 }
 /* }}} */
 
 ZEND_API int bitwise_and_function(zval *result, zval *op1, zval *op2 TSRMLS_DC) /* {{{ */
 {
 	zval op1_copy, op2_copy;
+	long op1_lval;
 
 	if (Z_TYPE_P(op1) == IS_STRING && Z_TYPE_P(op2) == IS_STRING) {
 		zval *longer, *shorter;
@@ -1106,16 +1113,18 @@ ZEND_API int bitwise_and_function(zval *result, zval *op1, zval *op2 TSRMLS_DC)
 
 
 	zendi_convert_to_long(op1, op1_copy, result);
+	op1_lval = Z_LVAL_P(op1);
 	zendi_convert_to_long(op2, op2_copy, result);
 
-	ZVAL_LONG(result, Z_LVAL_P(op1) & Z_LVAL_P(op2));
+	ZVAL_LONG(result, op1_lval & Z_LVAL_P(op2));
 	return SUCCESS;
 }
 /* }}} */
 
 ZEND_API int bitwise_xor_function(zval *result, zval *op1, zval *op2 TSRMLS_DC) /* {{{ */
 {
 	zval op1_copy, op2_copy;
+	long op1_lval;
 
 	if (Z_TYPE_P(op1) == IS_STRING && Z_TYPE_P(op2) == IS_STRING) {
 		zval *longer, *shorter;
@@ -1145,31 +1154,36 @@ ZEND_API int bitwise_xor_function(zval *result, zval *op1, zval *op2 TSRMLS_DC)
 	}
 
 	zendi_convert_to_long(op1, op1_copy, result);
+	op1_lval = Z_LVAL_P(op1);
 	zendi_convert_to_long(op2, op2_copy, result);
 
-	ZVAL_LONG(result, Z_LVAL_P(op1) ^ Z_LVAL_P(op2));
+	ZVAL_LONG(result, op1_lval ^ Z_LVAL_P(op2));
 	return SUCCESS;
 }
 /* }}} */
 
 ZEND_API int shift_left_function(zval *result, zval *op1, zval *op2 TSRMLS_DC) /* {{{ */
 {
 	zval op1_copy, op2_copy;
+	long op1_lval;
 
 	zendi_convert_to_long(op1, op1_copy, result);
+	op1_lval = Z_LVAL_P(op1);
 	zendi_convert_to_long(op2, op2_copy, result);
-	ZVAL_LONG(result, Z_LVAL_P(op1) << Z_LVAL_P(op2));
+	ZVAL_LONG(result, op1_lval << Z_LVAL_P(op2));
 	return SUCCESS;
 }
 /* }}} */
 
 ZEND_API int shift_right_function(zval *result, zval *op1, zval *op2 TSRMLS_DC) /* {{{ */
 {
 	zval op1_copy, op2_copy;
+	long op1_lval;
 
 	zendi_convert_to_long(op1, op1_copy, result);
+	op1_lval = Z_LVAL_P(op1);
 	zendi_convert_to_long(op2, op2_copy, result);
-	ZVAL_LONG(result, Z_LVAL_P(op1) >> Z_LVAL_P(op2));
+	ZVAL_LONG(result, op1_lval >> Z_LVAL_P(op2));
 	return SUCCESS;
 }
 /* }}} */
