author | Dmitry Stogov <dmitry@zend.com> | 2019-08-08 10:00:39 +0300 |
---|---|---|
committer | Dmitry Stogov <dmitry@zend.com> | 2019-08-08 10:00:39 +0300 |
commit | 358379be22c4e20f4942737e0e90422977355c63 (patch) | |
tree | 7d8c424b49f944ddf8aefcc2583bee8269df86dd | |
parent | 954543cec629c3c5d42c2d62228dd68604bb6b19 (diff) | |
Fixed bug #78379 (Cast to object confuses GC, causes crash)
-rw-r--r-- | NEWS | 1 | ||||
-rw-r--r-- | Zend/tests/bug78379.phpt | 32 | ||||
-rw-r--r-- | Zend/zend_object_handlers.c | 5 |
3 files changed, 38 insertions, 0 deletions
@@ -4,6 +4,7 @@ PHP NEWS
 - Core:
 . Fixed bug #78363 (Buffer overflow in zendparse). (Nikita)
+ . Fixed bug #78379 (Cast to object confuses GC, causes crash). (Dmitry)
 - Curl:
 . Fixed bug #77946 (Bad cURL resources returned by curl_multi_info_read()).
diff --git a/Zend/tests/bug78379.phpt b/Zend/tests/bug78379.phpt
new file mode 100644
index 0000000000..e48e9b7ca4
--- /dev/null
+++ b/Zend/tests/bug78379.phpt
@@ -0,0 +1,32 @@
+--TEST--
+Bug #78379 (Cast to object confuses GC, causes crash)
+--INI--
+opcache.enable=0
+--FILE--
+<?php
+class C {
+ public function __construct() {
+ $this->p = (object)["x" => [1]];
+ }
+}
+class E {
+}
+$e = new E;
+$e->f = new E;
+$e->f->e = $e;
+$e->a = new C;
+$e = null;
+gc_collect_cycles();
+var_dump(new C);
+?>
+--EXPECTF--
+object(C)#%d (1) {
+ ["p"]=>
+ object(stdClass)#%d (1) {
+ ["x"]=>
+ array(1) {
+ [0]=>
+ int(1)
+ }
+ }
+}
diff --git a/Zend/zend_object_handlers.c b/Zend/zend_object_handlers.c
index 1d4ee75a64..d0555c0031 100644
--- a/Zend/zend_object_handlers.c
+++ b/Zend/zend_object_handlers.c
@@ -138,6 +138,11 @@ ZEND_API HashTable *zend_std_get_gc(zval *object, zval **table, int *n) /* {{{ *
 if (zobj->properties) {
 *table = NULL;
 *n = 0;
+ if (UNEXPECTED(GC_REFCOUNT(zobj->properties) > 1)
+ && EXPECTED(!(GC_FLAGS(zobj->properties) & IS_ARRAY_IMMUTABLE))) {
+ GC_REFCOUNT(zobj->properties)--;
+ zobj->properties = zend_array_dup(zobj->properties);
+ }
 return zobj->properties;
 } else {
 *table = zobj->properties_table; |
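Review bot: The `--INI--` section of bug78379.phpt pins `opcache.enable=0` without saying why, so a later cleanup could drop the setting and leave the test passing without exercising the fix. The new branch in zend_std_get_gc skips tables flagged `IS_ARRAY_IMMUTABLE`, so the test presumably depends on the array literal in `C::__construct` staying an ordinary refcounted array that the cast object then shares. A line at the top of the `--FILE--` code would record that, for example `// opcache off: the literal must remain a refcounted, non-immutable array so the cast object shares it (confirm)`.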
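Review bot: The added branch in zend_std_get_gc replaces `zobj->properties` from inside a handler that otherwise only reports the object's children, and nothing in the code says why. Above the `if (UNEXPECTED(GC_REFCOUNT(zobj->properties) > 1)` line I would add `/* properties may be shared (refcount > 1), e.g. after an array-to-object cast; give the object its own copy before the collector walks it */`. The separation is made only in this standard handler, so any other get_gc implementation that returns a properties table directly would still hand the collector a shared table; none are visible in this diff, so they are worth checking separately. `zend_array_dup` also allocates while a collection may be running, and whether every caller tolerates an allocation failure at that point cannot be judged from the hunk. The function starts and ends outside the hunk.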