author | Dmitry Stogov <dmitry@zend.com> | 2014-07-07 19:21:23 +0400 |
---|---|---|
committer | Dmitry Stogov <dmitry@zend.com> | 2014-07-07 19:21:23 +0400 |
commit | bce6a36c8a13d718cc308e4e48724c799863459a (patch) | |
tree | 26f2a9eab1d102dc5c9d9bb7ec54280d6ae17c01 /ext/spl | |
parent | 477bd49ccab2a10c421a51f512d593251ef7adef (diff) | |
parent | f0499b86a8b83204eab14e25eb7cb15536f9e69f (diff) | |
download | php-git-bce6a36c8a13d718cc308e4e48724c799863459a.tar.gz |
Merge branch 'master' into test
* master: (48 commits)
change locale - looks like not everybody has sl_SI
Fix bug #66921 - Wrong argument type hint for function intltz_from_date_time_zone
fix format
Fix bug #67052 (NumberFormatter::parse() resets LC_NUMERIC setting)
Make sure the generator script also creates a newline at the end of file
Add newline at end of file to prevent compilation warning
Fix handling of session user module custom handlers.
Reference bug report instead of github issue in NEWS file
add more exts for Travis
Update NEWS
Fix phpdbg.1 man page installation when build != src directory
BFN for bug #67551 (php://input temp file will be located in sys_temp_dir instead of upload_tmp_dir)
reorder
restore API compatibility
finish
refactor php_stream_temp_create{,_ex} and use it for the php://input stream
refactor _php_stream_fopen_{temporary_,tmp}file()
fix length overflow of HTTP_RAW_POST_DATA
Update NEWS
Fixed bug #67215 (php-cgi work with opcache, may be segmentation fault happen)
...
Conflicts:
ext/opcache/zend_accelerator_util_funcs.c
ext/session/mod_user.c
ext/spl/spl_array.c
ext/spl/spl_dllist.c
ext/standard/file.c
ext/standard/streamsfuncs.c
ext/standard/string.c
main/streams/memory.c
Diffstat (limited to 'ext/spl')
-rw-r--r-- | ext/spl/spl_array.c | 7 | ||||
-rw-r--r-- | ext/spl/spl_dllist.c | 6 | ||||
-rw-r--r-- | ext/spl/tests/bug67538.phpt | 17 | ||||
-rw-r--r-- | ext/spl/tests/bug67539.phpt | 15 |
4 files changed, 43 insertions, 2 deletions
diff --git a/ext/spl/spl_array.c b/ext/spl/spl_array.c index 24556b532c..385c029794 100644 --- a/ext/spl/spl_array.c +++ b/ext/spl/spl_array.c @@ -1774,6 +1774,7 @@ SPL_METHOD(Array, unserialize) const unsigned char *p, *s; php_unserialize_data_t var_hash; zval members, zflags; + HashTable *aht; long flags; if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &buf, &buf_len) == FAILURE) { @@ -1784,6 +1785,12 @@ SPL_METHOD(Array, unserialize) return; } + aht = spl_array_get_hash_table(intern, 0 TSRMLS_CC); + if (aht->u.v.nApplyCount > 0) { + zend_error(E_WARNING, "Modification of ArrayObject during sorting is prohibited"); + return; + } + /* storage */ s = p = (const unsigned char*)buf; PHP_VAR_UNSERIALIZE_INIT(var_hash); diff --git a/ext/spl/spl_dllist.c b/ext/spl/spl_dllist.c index 929fdd8798..09d874645d 100644 --- a/ext/spl/spl_dllist.c +++ b/ext/spl/spl_dllist.c @@ -43,12 +43,10 @@ PHPAPI zend_class_entry *spl_ce_SplStack; #define SPL_LLIST_DELREF(elem) if(!--(elem)->rc) { \ efree(elem); \ - elem = NULL; \ } #define SPL_LLIST_CHECK_DELREF(elem) if((elem) && !--(elem)->rc) { \ efree(elem); \ - elem = NULL; \ } #define SPL_LLIST_ADDREF(elem) (elem)->rc++ @@ -897,6 +895,10 @@ SPL_METHOD(SplDoublyLinkedList, offsetUnset) llist->dtor(element TSRMLS_CC); } + if (intern->traverse_pointer == element) { + SPL_LLIST_DELREF(element); + intern->traverse_pointer = NULL; + } zval_ptr_dtor(&element->data); ZVAL_UNDEF(&element->data); diff --git a/ext/spl/tests/bug67538.phpt b/ext/spl/tests/bug67538.phpt new file mode 100644 index 0000000000..b6f3848c36 --- /dev/null +++ b/ext/spl/tests/bug67538.phpt @@ -0,0 +1,17 @@ +--TEST-- +Bug #67538 (SPL Iterators use-after-free) +--FILE-- +<?php +$list = new SplDoublyLinkedList(); +$list->push('a'); +$list->push('b'); + +$list->rewind(); +$list->offsetUnset(0); +$list->push('b'); +$list->offsetUnset(0); +$list->next(); +echo "okey"; +?> +--EXPECTF-- +okey 
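Review bot: In the second hunk of ext/spl/spl_array.c, `aht` is dereferenced (`aht->u.v.nApplyCount`) straight after `spl_array_get_hash_table()` with no NULL check. The helper's definition is outside this diff, so whether it can return NULL for this object is not visible here; if it can, the guard should read `if (aht && aht->u.v.nApplyCount > 0) {`, or bail out on `!aht` first. A short comment above the check, such as `/* refuse to replace the storage while a sort callback is running on it (bug #67539) */`, would also record why unserialize() returns early. The body of SPL_METHOD(Array, unserialize) continues outside the hunk.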
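Review bot: In the first hunk of ext/spl/spl_dllist.c, SPL_LLIST_DELREF and SPL_LLIST_CHECK_DELREF no longer reset `elem` after `efree(elem)`, so a caller is left holding a dangling pointer whenever the count reaches zero, and nothing at the macro definitions says so. The offsetUnset hunk in this file clears `intern->traverse_pointer` by hand, but call sites outside this diff that relied on the old nulling are not visible here and are worth auditing. I would add a comment above the macros, e.g. `/* Drops one reference and frees elem at zero; does NOT reset the caller's pointer. */`. Separately, both macros expand to a bare `if (...) { ... }`; wrapping each in `do { ... } while (0)` would avoid dangling-else surprises at call sites.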
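Review bot: In the offsetUnset hunk of ext/spl/spl_dllist.c, `SPL_LLIST_DELREF(element)` runs before `zval_ptr_dtor(&element->data)` and `ZVAL_UNDEF(&element->data)`, so those two lines are safe only if another reference still keeps `element` alive at that point. That is presumably the list's own reference, released later in the function, but that part is outside the hunk. Either state the invariant in a comment, `/* the list still holds its own reference, so element stays valid below */`, or move the added block after the two `element->data` lines so that a release is never followed by a dereference. The body of SPL_METHOD(SplDoublyLinkedList, offsetUnset) starts and ends outside the hunk.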
diff --git a/ext/spl/tests/bug67539.phpt b/ext/spl/tests/bug67539.phpt
new file mode 100644
index 0000000000..8bab2a8c21
--- /dev/null
+++ b/ext/spl/tests/bug67539.phpt
@@ -0,0 +1,15 @@
+--TEST--
+Bug #67539 (ArrayIterator use-after-free due to object change during sorting)
+--FILE--
+<?php
+
+$it = new ArrayIterator(array_fill(0,2,'X'), 1 );
+
+function badsort($a, $b) {
+ $GLOBALS['it']->unserialize($GLOBALS['it']->serialize());
+ return TRUE;
+}
+
+$it->uksort('badsort');
+--EXPECTF--
+Warning: Modification of ArrayObject during sorting is prohibited in %sbug67539.php on line %d |