diff options
| author | Dmitry Stogov <dmitry@zend.com> | 2019-08-08 10:05:59 +0300 |
|---|---|---|
| committer | Dmitry Stogov <dmitry@zend.com> | 2019-08-08 10:05:59 +0300 |
| commit | bff2743caf93332dd4a2ca658f50dc3c1d8cb144 (patch) | |
| tree | e513c948c2d2560be027e92d72cbdd3357bd0f4a | |
| parent | 9ea39d15abef3df259e0aa2974d1c530654aa2b1 (diff) | |
| parent | 358379be22c4e20f4942737e0e90422977355c63 (diff) | |
| download | php-git-bff2743caf93332dd4a2ca658f50dc3c1d8cb144.tar.gz | |
Merge branch 'PHP-7.2' into PHP-7.3
* PHP-7.2:
Fixed bug #78379 (Cast to object confuses GC, causes crash)
| -rw-r--r-- | NEWS | 1 | ||||
| -rw-r--r-- | Zend/tests/bug78379.phpt | 32 | ||||
| -rw-r--r-- | Zend/zend_object_handlers.c | 5 |
3 files changed, 38 insertions, 0 deletions
@@ -4,6 +4,7 @@ PHP NEWS - Core: . Fixed bug #78363 (Buffer overflow in zendparse). (Nikita) + . Fixed bug #78379 (Cast to object confuses GC, causes crash). (Dmitry) - Curl: . Fixed bug #77946 (Bad cURL resources returned by curl_multi_info_read()). diff --git a/Zend/tests/bug78379.phpt b/Zend/tests/bug78379.phpt new file mode 100644 index 0000000000..e48e9b7ca4 --- /dev/null +++ b/Zend/tests/bug78379.phpt @@ -0,0 +1,32 @@ +--TEST-- +Bug #78379 (Cast to object confuses GC, causes crash) +--INI-- +opcache.enable=0 +--FILE-- +<?php +class C { + public function __construct() { + $this->p = (object)["x" => [1]]; + } +} +class E { +} +$e = new E; +$e->f = new E; +$e->f->e = $e; +$e->a = new C; +$e = null; +gc_collect_cycles(); +var_dump(new C); +?> +--EXPECTF-- +object(C)#%d (1) { + ["p"]=> + object(stdClass)#%d (1) { + ["x"]=> + array(1) { + [0]=> + int(1) + } + } +} diff --git a/Zend/zend_object_handlers.c b/Zend/zend_object_handlers.c index 7d200402a9..266c257f79 100644 --- a/Zend/zend_object_handlers.c +++ b/Zend/zend_object_handlers.c @@ -124,6 +124,11 @@ ZEND_API HashTable *zend_std_get_gc(zval *object, zval **table, int *n) /* {{{ * if (zobj->properties) { *table = NULL; *n = 0; + if (UNEXPECTED(GC_REFCOUNT(zobj->properties) > 1) + && EXPECTED(!(GC_FLAGS(zobj->properties) & IS_ARRAY_IMMUTABLE))) { + GC_DELREF(zobj->properties); + zobj->properties = zend_array_dup(zobj->properties); + } return zobj->properties; } else { *table = zobj->properties_table; |