authorDmitry Stogov <dmitry@zend.com>2019-08-08 10:00:39 +0300
committerDmitry Stogov <dmitry@zend.com>2019-08-08 10:00:39 +0300
commit358379be22c4e20f4942737e0e90422977355c63 (patch)
tree7d8c424b49f944ddf8aefcc2583bee8269df86dd
parent954543cec629c3c5d42c2d62228dd68604bb6b19 (diff)
downloadphp-git-358379be22c4e20f4942737e0e90422977355c63.tar.gz
Fixed bug #78379 (Cast to object confuses GC, causes crash)
-rw-r--r--NEWS1
-rw-r--r--Zend/tests/bug78379.phpt32
-rw-r--r--Zend/zend_object_handlers.c5
3 files changed, 38 insertions, 0 deletions
diff --git a/NEWS b/NEWS
index a4e4793e85..f245fa8b16 100644
--- a/NEWS
+++ b/NEWS
@@ -4,6 +4,7 @@ PHP NEWS
- Core:
. Fixed bug #78363 (Buffer overflow in zendparse). (Nikita)
+ . Fixed bug #78379 (Cast to object confuses GC, causes crash). (Dmitry)
- Curl:
. Fixed bug #77946 (Bad cURL resources returned by curl_multi_info_read()).
diff --git a/Zend/tests/bug78379.phpt b/Zend/tests/bug78379.phpt
new file mode 100644
index 0000000000..e48e9b7ca4
--- /dev/null
+++ b/Zend/tests/bug78379.phpt
@@ -0,0 +1,32 @@
+--TEST--
+Bug #78379 (Cast to object confuses GC, causes crash)
+--INI--
+opcache.enable=0
+--FILE--
+<?php
+class C {
+ public function __construct() {
+ $this->p = (object)["x" => [1]];
+ }
+}
+class E {
+}
+$e = new E;
+$e->f = new E;
+$e->f->e = $e;
+$e->a = new C;
+$e = null;
+gc_collect_cycles();
+var_dump(new C);
+?>
+--EXPECTF--
+object(C)#%d (1) {
+ ["p"]=>
+ object(stdClass)#%d (1) {
+ ["x"]=>
+ array(1) {
+ [0]=>
+ int(1)
+ }
+ }
+}
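Review bot: The test turns opcache off in `--INI--` without recording why, so a future reader cannot tell whether that line is load-bearing or leftover. Read together with the `IS_ARRAY_IMMUTABLE` guard in the zend_object_handlers.c hunk, the `(object)["x" => [1]]` cast presumably has to share a mutable, non-interned array literal for the original crash to reproduce, which opcache would otherwise make immutable; this is inferred from the fix, not stated anywhere in the commit. A one-line comment after `<?php`, e.g. `// opcache off: the (object) cast must share a mutable array literal to reproduce bug #78379`, would pin that down.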
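--- a/Zend/zend_object_handlers.c
+++ b/Zend/zend_object_handlers.c
@@ -138,6 +138,11 @@ ZEND_API HashTable *zend_std_get_gc(zval *object, zval **table, int *n) /* {{{ *
 if (zobj->properties) {
 *table = NULL;
 *n = 0;
+if (UNEXPECTED(GC_REFCOUNT(zobj->properties) > 1)
+&& EXPECTED(!(GC_FLAGS(zobj->properties) & IS_ARRAY_IMMUTABLE))) {
+GC_REFCOUNT(zobj->properties)--;
+zobj->properties = zend_array_dup(zobj->properties);
+}
 return zobj->properties;
 } else {
 *table = zobj->properties_table;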
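Review bot: The new separation block carries no comment explaining why a GC handler is mutating the object it was asked to describe, so nothing stops a later cleanup from removing it as a stray copy; add above the added `if`: `/* The collector treats the returned table as owned by this object alone. A table shared with another holder (refcount > 1, e.g. the array literal behind an (object) cast) is separated first so collection cannot touch the other holder's copy (bug #78379). */`. The bare `GC_REFCOUNT(zobj->properties)--` is only safe because the guard proves the count is above 1; if this branch has `GC_DELREF()`, using it would let refcount-debug builds check the decrement. The `IS_ARRAY_IMMUTABLE` exclusion is consistent with immutable tables never being refcounted, but that reasoning is not written down either. zend_std_get_gc begins before this hunk and its body continues past it.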