authorNikita Popov <nikita.ppv@gmail.com>2018-09-28 12:57:45 +0200
committerNikita Popov <nikita.ppv@gmail.com>2018-09-28 12:57:55 +0200
commit1c35357b31a771029a882dc7d3de27de26af37be (patch)
tree92d0f5b7141e78a4c3680b5e81915ea79b689477
parent5f29e3fb6e3049c2c020ee05e71460ee238ab040 (diff)
parent45cdcb2d0be89fe7bc404dd150240ec83f5de401 (diff)
Merge branch 'PHP-7.1' into PHP-7.2
-rw-r--r--NEWS2
-rw-r--r--Zend/tests/bug76846.phpt27
-rw-r--r--Zend/zend_objects_API.c6
3 files changed, 33 insertions, 2 deletions
diff --git a/NEWS b/NEWS
index da8ddaa7d3..ba4baf32c1 100644
--- a/NEWS
+++ b/NEWS
@@ -10,6 +10,8 @@ PHP NEWS
(Dmitry)
. Fixed bug #76901 (method_exists on SPL iterator passthrough method corrupts
memory). (Nikita)
+ . Fixed bug #76846 (Segfault in shutdown function after memory limit error).
+ (Nikita)
- CURL:
. Fixed bug #76480 (Use curl_multi_wait() so that timeouts are respected).
diff --git a/Zend/tests/bug76846.phpt b/Zend/tests/bug76846.phpt
new file mode 100644
index 0000000000..c167a8bb78
--- /dev/null
+++ b/Zend/tests/bug76846.phpt
@@ -0,0 +1,27 @@
+--TEST--
+Bug #76846: Segfault in shutdown function after memory limit error
+--INI--
+memory_limit=33M
+--SKIPIF--
+<?php
+$zend_mm_enabled = getenv("USE_ZEND_ALLOC");
+if ($zend_mm_enabled === "0") {
+ die("skip Zend MM disabled");
+}
+?>
+--FILE--
+<?php
+
+register_shutdown_function(function() {
+ new stdClass;
+});
+
+$ary = [];
+while (true) {
+ $ary[] = new stdClass;
+}
+
+?>
+--EXPECTF--
+Fatal error: Allowed memory size of %d bytes exhausted at %s:%d (tried to allocate %d bytes) in %s on line %d
+%A
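Review bot: The test does not say why `memory_limit=33M` was chosen. The value looks tuned so that the failing allocation is the object-store bucket growth, though that is inferred from the fix and not visible in this file. If object or bucket sizes change, or on a 32-bit build, the limit may be hit in a different allocation. The test would then still pass, because `%A` accepts any trailing output, but it would no longer exercise the regression. A short comment in the `--FILE--` section, such as `// 33M is chosen so the memory limit is hit while growing the object store`, would tell maintainers what to re-tune.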
diff --git a/Zend/zend_objects_API.c b/Zend/zend_objects_API.c
index d3d47af545..2cb496da40 100644
--- a/Zend/zend_objects_API.c
+++ b/Zend/zend_objects_API.c
@@ -141,8 +141,10 @@ ZEND_API void zend_objects_store_put(zend_object *object)
EG(objects_store).free_list_head = GET_OBJ_BUCKET_NUMBER(EG(objects_store).object_buckets[handle]);
} else {
if (EG(objects_store).top == EG(objects_store).size) {
- EG(objects_store).size <<= 1;
- EG(objects_store).object_buckets = (zend_object **) erealloc(EG(objects_store).object_buckets, EG(objects_store).size * sizeof(zend_object*));
+ uint32_t new_size = 2 * EG(objects_store).size;
+ EG(objects_store).object_buckets = (zend_object **) erealloc(EG(objects_store).object_buckets, new_size * sizeof(zend_object*));
+ /* Assign size after realloc, in case it fails */
+ EG(objects_store).size = new_size;
}
handle = EG(objects_store).top++;
}