authorDmitry Stogov <dmitry@zend.com>2018-03-06 00:56:16 +0300
committerDmitry Stogov <dmitry@zend.com>2018-03-06 00:56:16 +0300
commitb711a96acb36cd1bf6191552d9876194f9dc15a4 (patch)
treed82e7345d7af826ed6449e4ccd339c507f381407
parent033ce8f28c7f8381528bdf578a5b35afc01cf63e (diff)
downloadphp-git-b711a96acb36cd1bf6191552d9876194f9dc15a4.tar.gz
Don't keep HashTable.pDestructor in SHM and always set it into ZVAL_PTR_DTOR in zval_array_dup().
Keeping a pointer to a function in SHM is not safe because of ASLR.
-rw-r--r--Zend/zend_hash.c2
-rw-r--r--ext/opcache/zend_persist.c4
2 files changed, 5 insertions, 1 deletions
diff --git a/Zend/zend_hash.c b/Zend/zend_hash.c
index 3b905fd30c..dc44383855 100644
--- a/Zend/zend_hash.c
+++ b/Zend/zend_hash.c
@@ -1765,7 +1765,7 @@ ZEND_API HashTable* ZEND_FASTCALL zend_array_dup(HashTable *source)
GC_TYPE_INFO(target) = IS_ARRAY;
target->nTableSize = source->nTableSize;
- target->pDestructor = source->pDestructor;
+ target->pDestructor = ZVAL_PTR_DTOR;
if (source->nNumUsed == 0) {
target->u.flags = (source->u.flags & ~(HASH_FLAG_INITIALIZED|HASH_FLAG_PACKED|HASH_FLAG_PERSISTENT|ZEND_HASH_APPLY_COUNT_MASK)) | HASH_FLAG_APPLY_PROTECTION | HASH_FLAG_STATIC_KEYS;
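Review bot: The unconditional `target->pDestructor = ZVAL_PTR_DTOR;` in zend_array_dup() changes the result for any source table whose destructor was something else, and nothing at the assignment says why the source value is no longer trusted. A short comment would keep a later cleanup from restoring the copy, for example `/* source may live in opcache SHM, where pDestructor is cleared; never copy a function pointer out of shared memory */`. If every caller is expected to pass a zval array, a debug check such as `ZEND_ASSERT(source->pDestructor == ZVAL_PTR_DTOR || source->pDestructor == NULL);` would make that contract explicit, though whether all existing callers satisfy it cannot be seen from this hunk. The body of zend_array_dup() continues outside the hunk.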
diff --git a/ext/opcache/zend_persist.c b/ext/opcache/zend_persist.c
index b63b116510..3e55331313 100644
--- a/ext/opcache/zend_persist.c
+++ b/ext/opcache/zend_persist.c
@@ -86,6 +86,8 @@ static void zend_hash_persist(HashTable *ht, zend_persist_func_t pPersistElement
uint32_t idx, nIndex;
Bucket *p;
+ ht->pDestructor = NULL;
+
if (!(ht->u.flags & HASH_FLAG_INITIALIZED)) {
HT_SET_DATA_ADDR(ht, &uninitialized_bucket);
return;
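Review bot: Clearing `ht->pDestructor` at the top of zend_hash_persist() leaves every persisted table without a destructor, so correctness now depends on each consumer of the SHM copy installing its own before elements are removed or the table is destroyed; zend_array_dup() is the only consumer updated in this commit. Because zend_hash_persist() takes a pPersistElement callback, the tables it handles are presumably not all zval arrays, so it is worth confirming that the paths copying those tables out of SHM set a destructor explicitly instead of relying on the stored one. A comment at the assignment would record the reason, for example `/* function addresses differ between processes under ASLR; consumers must set pDestructor after copying out of SHM */`. The same applies to the identical assignment in zend_hash_persist_immutable() in the next hunk, and both function bodies continue outside their hunks.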
@@ -170,6 +172,8 @@ static void zend_hash_persist_immutable(HashTable *ht)
uint32_t idx, nIndex;
Bucket *p;
+ ht->pDestructor = NULL;
+
if (!(ht->u.flags & HASH_FLAG_INITIALIZED)) {
HT_SET_DATA_ADDR(ht, &uninitialized_bucket);
return;