authorDmitry Stogov <dmitry@zend.com>2018-03-06 01:00:14 +0300
committerDmitry Stogov <dmitry@zend.com>2018-03-06 01:00:14 +0300
commitb48d2f6d10c73aca9b77894e5c94ab580fe703d2 (patch)
tree2f5112268e412bb06bdf93f65cb37b98f5b033a7
parentb7ebf90221bd0a912ad2c6567371b9ee66fac335 (diff)
parentb711a96acb36cd1bf6191552d9876194f9dc15a4 (diff)
downloadphp-git-b48d2f6d10c73aca9b77894e5c94ab580fe703d2.tar.gz
Merge branch 'PHP-7.1' into PHP-7.2
* PHP-7.1: Don't keep HashTable.pDestructor in SHM and always set it to ZVAL_PTR_DTOR in zval_array_dup(). Keeping a pointer to a function in SHM is not safe because of ASLR.
-rw-r--r--Zend/zend_hash.c2
-rw-r--r--ext/opcache/zend_persist.c4
2 files changed, 5 insertions, 1 deletions
diff --git a/Zend/zend_hash.c b/Zend/zend_hash.c
index 0a7de61c9b..f1b0c9b86c 100644
--- a/Zend/zend_hash.c
+++ b/Zend/zend_hash.c
@@ -1764,7 +1764,7 @@ ZEND_API HashTable* ZEND_FASTCALL zend_array_dup(HashTable *source)
GC_TYPE_INFO(target) = IS_ARRAY | (GC_COLLECTABLE << GC_FLAGS_SHIFT);
target->nTableSize = source->nTableSize;
- target->pDestructor = source->pDestructor;
+ target->pDestructor = ZVAL_PTR_DTOR;
if (source->nNumUsed == 0) {
target->u.flags = (source->u.flags & ~(HASH_FLAG_INITIALIZED|HASH_FLAG_PACKED|HASH_FLAG_PERSISTENT|ZEND_HASH_APPLY_COUNT_MASK)) | HASH_FLAG_APPLY_PROTECTION | HASH_FLAG_STATIC_KEYS;
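Review bot: The unconditional `target->pDestructor = ZVAL_PTR_DTOR;` silently replaces whatever destructor the source table carried, and nothing at this line says why. If zend_array_dup() is only ever meant for zval arrays, which the hunk does not show, a debug check such as `ZEND_ASSERT(source->pDestructor == ZVAL_PTR_DTOR || source->pDestructor == NULL);` would catch a caller passing a table with a custom destructor, whose copy would otherwise be freed with the wrong routine. A one-line comment like `/* source may be a persisted SHM array whose pDestructor was cleared; never copy the pointer */` would keep the reason next to the code. The function body starts and continues outside the hunk.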
diff --git a/ext/opcache/zend_persist.c b/ext/opcache/zend_persist.c
index ef474b133a..79e9944ff5 100644
--- a/ext/opcache/zend_persist.c
+++ b/ext/opcache/zend_persist.c
@@ -86,6 +86,8 @@ static void zend_hash_persist(HashTable *ht, zend_persist_func_t pPersistElement
uint32_t idx, nIndex;
Bucket *p;
+ ht->pDestructor = NULL;
+
if (!(ht->u.flags & HASH_FLAG_INITIALIZED)) {
HT_SET_DATA_ADDR(ht, &uninitialized_bucket);
return;
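Review bot: `ht->pDestructor = NULL;` carries no comment, so the reason for it lives only in the commit message and a later cleanup could easily restore the field. I would add `/* function pointers must not be stored in SHM: the address can differ per process under ASLR */` above the assignment here and above the identical line in zend_hash_persist_immutable() in the next hunk. Placing it before the HASH_FLAG_INITIALIZED early return is right, since that path also leaves the table in shared memory. Code that copies or destroys a persisted table without going through zend_array_dup() would now see NULL; such paths are not visible in this diff and are worth checking. Both function bodies continue outside their hunks.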
@@ -170,6 +172,8 @@ static void zend_hash_persist_immutable(HashTable *ht)
uint32_t idx, nIndex;
Bucket *p;
+ ht->pDestructor = NULL;
+
if (!(ht->u.flags & HASH_FLAG_INITIALIZED)) {
HT_SET_DATA_ADDR(ht, &uninitialized_bucket);
return;