diff options
| author | Nikita Popov <nikita.ppv@gmail.com> | 2018-09-28 12:56:47 +0200 |
|---|---|---|
| committer | Nikita Popov <nikita.ppv@gmail.com> | 2018-09-28 12:56:47 +0200 |
| commit | 45cdcb2d0be89fe7bc404dd150240ec83f5de401 (patch) | |
| tree | 55b01bfa963376a7942d824c723ae5e3202ee1a6 | |
| parent | b5d0eb44c0c1a452a82054e860e8c6a9420ac5df (diff) | |
| download | php-git-45cdcb2d0be89fe7bc404dd150240ec83f5de401.tar.gz | |
Fixed bug #76846
| -rw-r--r-- | NEWS | 2 | ||||
| -rw-r--r-- | Zend/tests/bug76846.phpt | 27 | ||||
| -rw-r--r-- | Zend/zend_objects_API.c | 6 |
3 files changed, 33 insertions, 2 deletions
@@ -5,6 +5,8 @@ PHP NEWS - Core: . Fixed bug #76901 (method_exists on SPL iterator passthrough method corrupts memory). (Nikita) + . Fixed bug #76846 (Segfault in shutdown function after memory limit error). + (Nikita) - CURL: . Fixed bug #76480 (Use curl_multi_wait() so that timeouts are respected). diff --git a/Zend/tests/bug76846.phpt b/Zend/tests/bug76846.phpt new file mode 100644 index 0000000000..c167a8bb78 --- /dev/null +++ b/Zend/tests/bug76846.phpt @@ -0,0 +1,27 @@ +--TEST-- +Bug #76846: Segfault in shutdown function after memory limit error +--INI-- +memory_limit=33M +--SKIPIF-- +<?php +$zend_mm_enabled = getenv("USE_ZEND_ALLOC"); +if ($zend_mm_enabled === "0") { + die("skip Zend MM disabled"); +} +?> +--FILE-- +<?php + +register_shutdown_function(function() { + new stdClass; +}); + +$ary = []; +while (true) { + $ary[] = new stdClass; +} + +?> +--EXPECTF-- +Fatal error: Allowed memory size of %d bytes exhausted at %s:%d (tried to allocate %d bytes) in %s on line %d +%A diff --git a/Zend/zend_objects_API.c b/Zend/zend_objects_API.c index 54d8d51456..cbb637c549 100644 --- a/Zend/zend_objects_API.c +++ b/Zend/zend_objects_API.c @@ -116,8 +116,10 @@ ZEND_API void zend_objects_store_put(zend_object *object) EG(objects_store).free_list_head = GET_OBJ_BUCKET_NUMBER(EG(objects_store).object_buckets[handle]); } else { if (EG(objects_store).top == EG(objects_store).size) { - EG(objects_store).size <<= 1; - EG(objects_store).object_buckets = (zend_object **) erealloc(EG(objects_store).object_buckets, EG(objects_store).size * sizeof(zend_object*)); + uint32_t new_size = 2 * EG(objects_store).size; + EG(objects_store).object_buckets = (zend_object **) erealloc(EG(objects_store).object_buckets, new_size * sizeof(zend_object*)); + /* Assign size after realloc, in case it fails */ + EG(objects_store).size = new_size; } handle = EG(objects_store).top++; } |