Hash serialization: Use actual type alignments when parsing specs.

kohler · kohler · commit fd6ffc861794 · 2020-06-23T17:28:05.000-04:00
Rather than, for instance, assuming __alignof__(uint64_t) == 8.
diff --git a/ext/hash/hash.c b/ext/hash/hash.c
@@ -32,6 +32,15 @@
 
 #include "hash_arginfo.h"
 
+#ifdef PHP_WIN32
+# define __alignof__ __alignof
+#else
+# ifndef HAVE_ALIGNOF
+#  include <stddef.h>
+#  define __alignof__(type) offsetof (struct { char c; type member;}, member)
+# endif
+#endif
+
 HashTable php_hash_hashtable;
 zend_class_entry *php_hashcontext_ce;
 static zend_object_handlers php_hashcontext_handlers;
@@ -115,20 +124,36 @@ PHP_HASH_API int php_hash_copy(const void *ops, void *orig_context, void *dest_c
 /* }}} */
 
 
-static size_t parse_serialize_spec(const char **specp, size_t *pos, size_t *sz) {
-	size_t count;
+static inline size_t align_to(size_t pos, size_t alignment) {
+	size_t offset = pos & (alignment - 1);
+	return pos + (offset ? alignment - offset : 0);
+}
+
+static size_t parse_serialize_spec(const char **specp, size_t *pos, size_t *sz,
+				   size_t *max_alignment) {
+	size_t count, alignment;
 	const char *spec = *specp;
+	/* parse size */
 	if (*spec == 's') {
 		*sz = 2;
+		alignment = __alignof__(uint16_t); /* usually 2 */
 	} else if (*spec == 'l') {
 		*sz = 4;
+		alignment = __alignof__(uint32_t); /* usually 4 */
 	} else if (*spec == 'q') {
 		*sz = 8;
+		alignment = __alignof__(uint64_t); /* usually 8 */
 	} else if (*spec == 'i') {
 		*sz = sizeof(int);
+		alignment = __alignof__(int);      /* usually 4 */
 	} else {
 		*sz = 1;
+		alignment = 1;
 	}
+	/* process alignment */
+	*pos = align_to(*pos, alignment);
+	*max_alignment = *max_alignment < alignment ? alignment : *max_alignment;
+	/* parse count */
 	++spec;
 	if (isdigit((unsigned char) *spec)) {
 		count = 0;
@@ -140,10 +165,6 @@ static size_t parse_serialize_spec(const char **specp, size_t *pos, size_t *sz)
 		count = 1;
 	}
 	*specp = spec;
-	// alignment
-	if (*sz > 1 && (*pos & (*sz - 1)) != 0) {
-		*pos += *sz - (*pos & (*sz - 1));
-	}
 	return count;
 }
 
@@ -184,6 +205,7 @@ static void one_to_buffer(size_t sz, unsigned char *buf, uint64_t val) {
    l[COUNT] -- serialize COUNT 32-bit integers
    q[COUNT] -- serialize COUNT 64-bit integers
    i[COUNT] -- serialize COUNT `int`s
+   -[COUNT] -- skip COUNT bytes
    . (must be last character) -- assert that the hash context has exactly
        this size
    Example: "llllllb64l16." is the spec for an MD5 context: 6 32-bit
@@ -198,14 +220,14 @@ static void one_to_buffer(size_t sz, unsigned char *buf, uint64_t val) {
 
 PHP_HASH_API int php_hash_serialize_spec(const php_hashcontext_object *hash, zend_long *magic, zval *zv, const char *spec) /* {{{ */
 {
-	size_t pos = 0, sz, count;
+	size_t pos = 0, max_alignment = 1, sz, count;
 	unsigned char *buf = (unsigned char *) hash->context;
 	zval tmp;
 	*magic = PHP_HASH_SERIALIZE_MAGIC_SPEC;
 	array_init(zv);
 	while (*spec != '\0' && *spec != '.') {
 		char specch = *spec;
-		count = parse_serialize_spec(&spec, &pos, &sz);
+		count = parse_serialize_spec(&spec, &pos, &sz, &max_alignment);
 		if (pos + count * sz > hash->ops->context_size) {
 			return FAILURE;
 		}
@@ -229,7 +251,7 @@ PHP_HASH_API int php_hash_serialize_spec(const php_hashcontext_object *hash, zen
 			}
 		}
 	}
-	if (*spec == '.' && pos != hash->ops->context_size) {
+	if (*spec == '.' && align_to(pos, max_alignment) != hash->ops->context_size) {
 		return FAILURE;
 	}
 	return SUCCESS;
@@ -244,15 +266,15 @@ PHP_HASH_API int php_hash_serialize_spec(const php_hashcontext_object *hash, zen
 
 PHP_HASH_API int php_hash_unserialize_spec(php_hashcontext_object *hash, zend_long magic, const zval *zv, const char *spec) /* {{{ */
 {
-	size_t pos = 0, sz, count, j = 0;
+	size_t pos = 0, max_alignment = 1, sz, count, j = 0;
 	unsigned char *buf = (unsigned char *) hash->context;
 	zval *elt;
 	if (magic != PHP_HASH_SERIALIZE_MAGIC_SPEC || Z_TYPE_P(zv) != IS_ARRAY) {
 		return FAILURE;
 	}
 	while (*spec != '\0' && *spec != '.') {
 		char specch = *spec;
-		count = parse_serialize_spec(&spec, &pos, &sz);
+		count = parse_serialize_spec(&spec, &pos, &sz, &max_alignment);
 		if (pos + count * sz > hash->ops->context_size) {
 			return -999;
 		}
@@ -289,7 +311,7 @@ PHP_HASH_API int php_hash_unserialize_spec(php_hashcontext_object *hash, zend_lo
 			}
 		}
 	}
-	if (*spec == '.' && pos != hash->ops->context_size) {
+	if (*spec == '.' && align_to(pos, max_alignment) != hash->ops->context_size) {
 		return -999;
 	}
 	return SUCCESS;
diff --git a/ext/hash/php_hash.h b/ext/hash/php_hash.h
@@ -152,10 +152,8 @@ PHP_HASH_API int php_hash_serialize(const php_hashcontext_object *context, zend_
 PHP_HASH_API int php_hash_unserialize(php_hashcontext_object *context, zend_long magic, const zval *zv);
 
 static inline void *php_hash_alloc_context(const php_hash_ops *ops) {
-	void *context = emalloc(ops->context_size);
 	/* Zero out context memory so serialization doesn't expose internals */
-	memset(context, 0, ops->context_size);
-	return context;
+	return ecalloc(1, ops->context_size);
 }
 
 static inline void php_hash_bin2hex(char *out, const unsigned char *in, size_t in_len)
