diff options
| author | Xinchen Hui <laruence@gmail.com> | 2014-02-25 16:54:26 +0800 |
|---|---|---|
| committer | Xinchen Hui <laruence@gmail.com> | 2014-02-25 16:54:26 +0800 |
| commit | dc2d758c938bab9f377d5e24b86e2db8f158df01 (patch) | |
| tree | d09fe09a5fac224567b9b41263c1034579c671fc | |
| parent | 71dac3d54f8c3dd80d5669846601a6980a7c3067 (diff) | |
| download | php-git-dc2d758c938bab9f377d5e24b86e2db8f158df01.tar.gz | |
Fixed segfaults
| -rw-r--r-- | ext/standard/var.c | 3 | ||||
| -rw-r--r-- | ext/standard/var_unserializer.c | 45 | ||||
| -rw-r--r-- | ext/standard/var_unserializer.re | 15 |
3 files changed, 33 insertions, 30 deletions
diff --git a/ext/standard/var.c b/ext/standard/var.c index fa67905f12..a074ea2c12 100644 --- a/ext/standard/var.c +++ b/ext/standard/var.c @@ -810,6 +810,7 @@ static void php_var_serialize_intern(smart_str *buf, zval *struc, HashTable *var BG(serialize_lock)++; res = call_user_function_ex(CG(function_table), struc, &fname, &retval, 0, 0, 1, NULL TSRMLS_CC); BG(serialize_lock)--; + zval_dtor(&fname); if (EG(exception)) { zval_ptr_dtor(&retval); @@ -830,9 +831,9 @@ static void php_var_serialize_intern(smart_str *buf, zval *struc, HashTable *var } return; } + zval_ptr_dtor(&retval); } - zval_ptr_dtor(&retval); /* fall-through */ } case IS_ARRAY: { diff --git a/ext/standard/var_unserializer.c b/ext/standard/var_unserializer.c index 8d640f7fc8..8c005a5fa6 100644 --- a/ext/standard/var_unserializer.c +++ b/ext/standard/var_unserializer.c @@ -409,10 +409,10 @@ static inline int object_common2(UNSERIALIZE_PARAMETER, long elements) BG(serialize_lock)++; call_user_function_ex(CG(function_table), rval, &fname, &retval, 0, 0, 1, NULL TSRMLS_CC); BG(serialize_lock)--; + zval_dtor(&fname); + zval_dtor(&retval); } - zval_ptr_dtor(&retval); - if (EG(exception)) { return 0; } @@ -505,7 +505,7 @@ yy2: yych = *(YYMARKER = ++YYCURSOR); if (yych == ':') goto yy95; yy3: -#line 785 "ext/standard/var_unserializer.re" +#line 786 "ext/standard/var_unserializer.re" { return 0; } #line 511 "ext/standard/var_unserializer.c" yy4: @@ -550,7 +550,7 @@ yy13: goto yy3; yy14: ++YYCURSOR; -#line 779 "ext/standard/var_unserializer.re" +#line 780 "ext/standard/var_unserializer.re" { /* this is the case where we have less data than planned */ php_error_docref(NULL TSRMLS_CC, E_NOTICE, "Unexpected end of serialized data"); @@ -663,12 +663,13 @@ yy20: /* Call unserialize callback */ ZVAL_STRING(&user_func, PG(unserialize_callback_func)); - ZVAL_STR(&args[0], class_name); + + ZVAL_STR(&args[0], STR_COPY(class_name)); BG(serialize_lock)++; if (call_user_function_ex(CG(function_table), NULL, &user_func, &retval, 1, args, 0, NULL TSRMLS_CC) != SUCCESS) { BG(serialize_lock)--; if (EG(exception)) { - STR_FREE(class_name); + STR_RELEASE(class_name); zval_ptr_dtor(&user_func); zval_ptr_dtor(&args[0]); return 0; @@ -683,7 +684,7 @@ yy20: BG(serialize_lock)--; zval_ptr_dtor(&retval); if (EG(exception)) { - STR_FREE(class_name); + STR_RELEASE(class_name); zval_ptr_dtor(&user_func); zval_ptr_dtor(&args[0]); return 0; @@ -711,7 +712,7 @@ yy20: if (ret && incomplete_class) { php_store_class_name(rval, class_name->val, len2); } - STR_FREE(class_name); + STR_RELEASE(class_name); return ret; } @@ -720,11 +721,11 @@ yy20: if (incomplete_class) { php_store_class_name(rval, class_name->val, len2); } - STR_FREE(class_name); + STR_RELEASE(class_name); return object_common2(UNSERIALIZE_PASSTHRU, elements); } -#line 728 "ext/standard/var_unserializer.c" +#line 729 "ext/standard/var_unserializer.c" yy25: yych = *++YYCURSOR; if (yych <= ',') { @@ -757,7 +758,7 @@ yy27: return object_common2(UNSERIALIZE_PASSTHRU, object_common1(UNSERIALIZE_PASSTHRU, ZEND_STANDARD_CLASS_DEF_PTR)); } -#line 761 "ext/standard/var_unserializer.c" +#line 762 "ext/standard/var_unserializer.c" yy32: yych = *++YYCURSOR; if (yych == '+') goto yy33; @@ -796,7 +797,7 @@ yy34: return finish_nested_data(UNSERIALIZE_PASSTHRU); } -#line 800 "ext/standard/var_unserializer.c" +#line 801 "ext/standard/var_unserializer.c" yy39: yych = *++YYCURSOR; if (yych == '+') goto yy40; @@ -846,7 +847,7 @@ yy41: ZVAL_STRINGL(rval, str, len); return 1; } -#line 850 "ext/standard/var_unserializer.c" +#line 851 "ext/standard/var_unserializer.c" yy46: yych = *++YYCURSOR; if (yych == '+') goto yy47; @@ -894,7 +895,7 @@ yy48: ZVAL_STRINGL(rval, str, len); return 1; } -#line 898 "ext/standard/var_unserializer.c" +#line 899 "ext/standard/var_unserializer.c" yy53: yych = *++YYCURSOR; if (yych <= '/') { @@ -991,7 +992,7 @@ use_double: ZVAL_DOUBLE(rval, zend_strtod((const char *)start + 2, NULL)); return 1; } -#line 995 "ext/standard/var_unserializer.c" +#line 996 "ext/standard/var_unserializer.c" yy65: yych = *++YYCURSOR; if (yych <= ',') { @@ -1066,7 +1067,7 @@ yy73: return 1; } -#line 1070 "ext/standard/var_unserializer.c" +#line 1071 "ext/standard/var_unserializer.c" yy76: yych = *++YYCURSOR; if (yych == 'N') goto yy73; @@ -1119,7 +1120,7 @@ yy79: ZVAL_LONG(rval, parse_iv(start + 2)); return 1; } -#line 1123 "ext/standard/var_unserializer.c" +#line 1124 "ext/standard/var_unserializer.c" yy83: yych = *++YYCURSOR; if (yych <= '/') goto yy18; @@ -1133,7 +1134,7 @@ yy83: ZVAL_BOOL(rval, parse_iv(start + 2)); return 1; } -#line 1137 "ext/standard/var_unserializer.c" +#line 1138 "ext/standard/var_unserializer.c" yy87: ++YYCURSOR; #line 496 "ext/standard/var_unserializer.re" @@ -1142,7 +1143,7 @@ yy87: ZVAL_NULL(rval); return 1; } -#line 1146 "ext/standard/var_unserializer.c" +#line 1147 "ext/standard/var_unserializer.c" yy89: yych = *++YYCURSOR; if (yych <= ',') { @@ -1188,7 +1189,7 @@ yy91: return 1; } -#line 1192 "ext/standard/var_unserializer.c" +#line 1193 "ext/standard/var_unserializer.c" yy95: yych = *++YYCURSOR; if (yych <= ',') { @@ -1231,9 +1232,9 @@ yy97: return 1; } -#line 1235 "ext/standard/var_unserializer.c" +#line 1236 "ext/standard/var_unserializer.c" } -#line 787 "ext/standard/var_unserializer.re" +#line 788 "ext/standard/var_unserializer.re" return 0; diff --git a/ext/standard/var_unserializer.re b/ext/standard/var_unserializer.re index c22f5c0c69..68a2236610 100644 --- a/ext/standard/var_unserializer.re +++ b/ext/standard/var_unserializer.re @@ -413,10 +413,10 @@ static inline int object_common2(UNSERIALIZE_PARAMETER, long elements) BG(serialize_lock)++; call_user_function_ex(CG(function_table), rval, &fname, &retval, 0, 0, 1, NULL TSRMLS_CC); BG(serialize_lock)--; + zval_dtor(&fname); + zval_dtor(&retval); } - zval_ptr_dtor(&retval); - if (EG(exception)) { return 0; } @@ -714,12 +714,13 @@ object ":" uiv ":" ["] { /* Call unserialize callback */ ZVAL_STRING(&user_func, PG(unserialize_callback_func)); - ZVAL_STR(&args[0], class_name); + + ZVAL_STR(&args[0], STR_COPY(class_name)); BG(serialize_lock)++; if (call_user_function_ex(CG(function_table), NULL, &user_func, &retval, 1, args, 0, NULL TSRMLS_CC) != SUCCESS) { BG(serialize_lock)--; if (EG(exception)) { - STR_FREE(class_name); + STR_RELEASE(class_name); zval_ptr_dtor(&user_func); zval_ptr_dtor(&args[0]); return 0; @@ -734,7 +735,7 @@ object ":" uiv ":" ["] { BG(serialize_lock)--; zval_ptr_dtor(&retval); if (EG(exception)) { - STR_FREE(class_name); + STR_RELEASE(class_name); zval_ptr_dtor(&user_func); zval_ptr_dtor(&args[0]); return 0; @@ -762,7 +763,7 @@ object ":" uiv ":" ["] { if (ret && incomplete_class) { php_store_class_name(rval, class_name->val, len2); } - STR_FREE(class_name); + STR_RELEASE(class_name); return ret; } @@ -771,7 +772,7 @@ object ":" uiv ":" ["] { if (incomplete_class) { php_store_class_name(rval, class_name->val, len2); } - STR_FREE(class_name); + STR_RELEASE(class_name); return object_common2(UNSERIALIZE_PASSTHRU, elements); } |