diff options
author | Christopher Jones <sixd@php.net> | 2013-08-30 05:40:30 -0700 |
---|---|---|
committer | Christopher Jones <sixd@php.net> | 2013-08-30 05:40:30 -0700 |
commit | c8b0da6ef74100b476379ba40367c30564da6582 (patch) | |
tree | fe980c5613a78b1861e37ce7c71b7cdbcbc33329 | |
parent | a4ff610e1c140b555d3cb2a7646e8ddfcb6420a7 (diff) | |
parent | 6fab1caa4100cf05fcf485ef0917830ae9f57563 (diff) | |
download | php-git-c8b0da6ef74100b476379ba40367c30564da6582.tar.gz |
Merge branch 'PHP-5.5' of https://git.php.net/repository/php-src into PHP-5.5
* 'PHP-5.5' of https://git.php.net/repository/php-src:
Fixed bug #65564 stack-buffer-overflow in DateTimeZone stuff caught by AddressSanitizer
Fixed Bug #65564 stack-buffer-overflow in DateTimeZone stuff caught by AddressSanitizer
Update NEWS
Fixed bug #60598 (cli/apache sapi segfault on objects manipulation)
-rw-r--r-- | NEWS | 4 | ||||
-rw-r--r-- | Zend/tests/bug60598.phpt | 30 | ||||
-rw-r--r-- | Zend/zend_objects_API.c | 5 | ||||
-rw-r--r-- | ext/date/php_date.c | 14 |
4 files changed, 46 insertions, 7 deletions
@@ -3,6 +3,8 @@ PHP NEWS ?? ??? 2013, PHP 5.5.4 - Core: + . Fixed bug #60598 (cli/apache sapi segfault on objects manipulation). + (Laruence) . Improved fputcsv() to allow specifying escape character. . Fixed bug #65490 (Duplicate calls to get lineno & filename for DTRACE_FUNCTION_*). (Chris Jones) @@ -23,6 +25,8 @@ PHP NEWS - Datetime: . Fixed bug #65554 (createFromFormat broken when weekday name is followed by some delimiters). (Valentin Logvinskiy, Stas). + . Fixed bug #65564 (stack-buffer-overflow in DateTimeZone stuff caught + by AddressSanitizer). (Remi). - OPCache: . Fixed bug #65561 (Zend Opcache on Solaris 11 x86 needs ZEND_MM_ALIGNMENT=4). diff --git a/Zend/tests/bug60598.phpt b/Zend/tests/bug60598.phpt new file mode 100644 index 0000000000..eeee75a19d --- /dev/null +++ b/Zend/tests/bug60598.phpt @@ -0,0 +1,30 @@ +--TEST-- +Bug #60598 (cli/apache sapi segfault on objects manipulation) +--FILE-- +<?php +define('OBJECT_COUNT', 10000); + +$containers = array(); + +class Object { + protected $_guid = 0; + public function __construct() { + global $containers; + $this->guid = 1; + $containers[spl_object_hash($this)] = $this; + } + public function __destruct() { + global $containers; + $containers[spl_object_hash($this)] = NULL; + } +} + +for ($i = 0; $i < OBJECT_COUNT; ++$i) { + new Object(); +} + +// You probably won't see this because of the "zend_mm_heap corrupted" +?> +If you see this, try to increase OBJECT_COUNT to 100,000 +--EXPECT-- +If you see this, try to increase OBJECT_COUNT to 100,000 diff --git a/Zend/zend_objects_API.c b/Zend/zend_objects_API.c index 1fe5d0c199..b5dd48f798 100644 --- a/Zend/zend_objects_API.c +++ b/Zend/zend_objects_API.c @@ -57,6 +57,11 @@ ZEND_API void zend_objects_store_call_destructors(zend_objects_store *objects TS obj->dtor(obj->object, i TSRMLS_CC); obj = &objects->object_buckets[i].bucket.obj; obj->refcount--; + + if (obj->refcount == 0) { + /* in case gc_collect_cycle is triggered before free_storage */ + GC_REMOVE_ZOBJ_FROM_BUFFER(obj); + } } } } diff --git a/ext/date/php_date.c b/ext/date/php_date.c index 8afe47fbcc..95c68f1a78 100644 --- a/ext/date/php_date.c +++ b/ext/date/php_date.c @@ -2198,13 +2198,13 @@ static HashTable *date_object_get_properties(zval *object TSRMLS_DC) /* first we add the date and time in ISO format */ MAKE_STD_ZVAL(zv); ZVAL_STRING(zv, date_format("Y-m-d H:i:s", 12, dateobj->time, 1), 0); - zend_hash_update(props, "date", 5, &zv, sizeof(zval), NULL); + zend_hash_update(props, "date", 5, &zv, sizeof(zv), NULL); /* then we add the timezone name (or similar) */ if (dateobj->time->is_localtime) { MAKE_STD_ZVAL(zv); ZVAL_LONG(zv, dateobj->time->zone_type); - zend_hash_update(props, "timezone_type", 14, &zv, sizeof(zval), NULL); + zend_hash_update(props, "timezone_type", 14, &zv, sizeof(zv), NULL); MAKE_STD_ZVAL(zv); switch (dateobj->time->zone_type) { @@ -2227,7 +2227,7 @@ static HashTable *date_object_get_properties(zval *object TSRMLS_DC) ZVAL_STRING(zv, dateobj->time->tz_abbr, 1); break; } - zend_hash_update(props, "timezone", 9, &zv, sizeof(zval), NULL); + zend_hash_update(props, "timezone", 9, &zv, sizeof(zv), NULL); } return props; @@ -2305,7 +2305,7 @@ static HashTable *date_object_get_properties_timezone(zval *object TSRMLS_DC) MAKE_STD_ZVAL(zv); ZVAL_LONG(zv, tzobj->type); - zend_hash_update(props, "timezone_type", 14, &zv, sizeof(zval), NULL); + zend_hash_update(props, "timezone_type", 14, &zv, sizeof(zv), NULL); MAKE_STD_ZVAL(zv); switch (tzobj->type) { @@ -2327,7 +2327,7 @@ static HashTable *date_object_get_properties_timezone(zval *object TSRMLS_DC) ZVAL_STRING(zv, tzobj->tzi.z.abbr, 1); break; } - zend_hash_update(props, "timezone", 9, &zv, sizeof(zval), NULL); + zend_hash_update(props, "timezone", 9, &zv, sizeof(zv), NULL); return props; } @@ -2394,7 +2394,7 @@ static HashTable *date_object_get_properties_interval(zval *object TSRMLS_DC) #define PHP_DATE_INTERVAL_ADD_PROPERTY(n,f) \ MAKE_STD_ZVAL(zv); \ ZVAL_LONG(zv, (long)intervalobj->diff->f); \ - zend_hash_update(props, n, strlen(n) + 1, &zv, sizeof(zval), NULL); + zend_hash_update(props, n, strlen(n) + 1, &zv, sizeof(zv), NULL); PHP_DATE_INTERVAL_ADD_PROPERTY("y", y); PHP_DATE_INTERVAL_ADD_PROPERTY("m", m); @@ -2411,7 +2411,7 @@ static HashTable *date_object_get_properties_interval(zval *object TSRMLS_DC) } else { MAKE_STD_ZVAL(zv); ZVAL_FALSE(zv); - zend_hash_update(props, "days", 5, &zv, sizeof(zval), NULL); + zend_hash_update(props, "days", 5, &zv, sizeof(zv), NULL); } PHP_DATE_INTERVAL_ADD_PROPERTY("special_type", special.type); PHP_DATE_INTERVAL_ADD_PROPERTY("special_amount", special.amount); |