-rw-r--r-- | NEWS | 4 | ||||
-rw-r--r-- | Zend/tests/bug60598.phpt | 30 | ||||
-rw-r--r-- | Zend/zend_objects_API.c | 5 | ||||
-rw-r--r-- | ext/date/php_date.c | 10 |
4 files changed, 44 insertions, 5 deletions
@@ -3,6 +3,8 @@ PHP NEWS ?? ??? 2013, PHP 5.4.20 - Core: + . Fixed bug #60598 (cli/apache sapi segfault on objects manipulation). + (Laruence) . Fixed bug #65579 (Using traits with get_class_methods causes segfault). (Adam) . Fixed bug #65490 (Duplicate calls to get lineno & filename for @@ -34,6 +36,8 @@ PHP NEWS - Datetime: . Fixed bug #65554 (createFromFormat broken when weekday name is followed by some delimiters). (Valentin Logvinskiy, Stas). + . Fixed bug #65564 (stack-buffer-overflow in DateTimeZone stuff caught + by AddressSanitizer). (Remi). - Openssl: . Fixed bug #64802 (openssl_x509_parse fails to parse subject properly in diff --git a/Zend/tests/bug60598.phpt b/Zend/tests/bug60598.phpt new file mode 100644 index 0000000000..eeee75a19d --- /dev/null +++ b/Zend/tests/bug60598.phpt @@ -0,0 +1,30 @@ +--TEST-- +Bug #60598 (cli/apache sapi segfault on objects manipulation) +--FILE-- +<?php +define('OBJECT_COUNT', 10000); + +$containers = array(); + +class Object { + protected $_guid = 0; + public function __construct() { + global $containers; + $this->guid = 1; + $containers[spl_object_hash($this)] = $this; + } + public function __destruct() { + global $containers; + $containers[spl_object_hash($this)] = NULL; + } +} + +for ($i = 0; $i < OBJECT_COUNT; ++$i) { + new Object(); +} + +// You probably won't see this because of the "zend_mm_heap corrupted" +?> +If you see this, try to increase OBJECT_COUNT to 100,000 +--EXPECT-- +If you see this, try to increase OBJECT_COUNT to 100,000 diff --git a/Zend/zend_objects_API.c b/Zend/zend_objects_API.c index 1fe5d0c199..b5dd48f798 100644 --- a/Zend/zend_objects_API.c +++ b/Zend/zend_objects_API.c 
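Review bot: Zend/tests/bug60598.phpt has no `--INI--` section, so whether the cycle collector runs while the 10000 objects are destructed depends on the runner's configuration; with the collector disabled the test would presumably pass without reaching the fixed path. Adding an `--INI--` section with `zend.enable_gc=1` pins that precondition. The trailing comment and the `--EXPECT--` line ("try to increase OBJECT_COUNT to 100,000") are reproduction instructions carried over from the bug report and read oddly as expected output; a neutral marker such as `done` would be clearer. The constructor also assigns `$this->guid` while the class declares `$_guid`, which creates a dynamic property; if the reproducer does not depend on that, use the declared name.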
@@ -57,6 +57,11 @@ ZEND_API void zend_objects_store_call_destructors(zend_objects_store *objects TS
 obj->dtor(obj->object, i TSRMLS_CC);
 obj = &objects->object_buckets[i].bucket.obj;
 obj->refcount--;
+
+ if (obj->refcount == 0) {
+ /* in case gc_collect_cycle is triggered before free_storage */
+ GC_REMOVE_ZOBJ_FROM_BUFFER(obj);
+ }
 }
 }
 }
diff --git a/ext/date/php_date.c b/ext/date/php_date.c
index 1c97781763..70960b161f 100644
--- a/ext/date/php_date.c
+++ b/ext/date/php_date.c
@@ -2113,13 +2113,13 @@ static HashTable *date_object_get_properties(zval *object TSRMLS_DC)
 /* first we add the date and time in ISO format */
 MAKE_STD_ZVAL(zv);
 ZVAL_STRING(zv, date_format("Y-m-d H:i:s", 12, dateobj->time, 1), 0);
- zend_hash_update(props, "date", 5, &zv, sizeof(zval), NULL);
+ zend_hash_update(props, "date", 5, &zv, sizeof(zv), NULL);
 /* then we add the timezone name (or similar) */
 if (dateobj->time->is_localtime) {
 MAKE_STD_ZVAL(zv);
 ZVAL_LONG(zv, dateobj->time->zone_type);
- zend_hash_update(props, "timezone_type", 14, &zv, sizeof(zval), NULL);
+ zend_hash_update(props, "timezone_type", 14, &zv, sizeof(zv), NULL);
 MAKE_STD_ZVAL(zv);
 switch (dateobj->time->zone_type) {
@@ -2142,7 +2142,7 @@ static HashTable *date_object_get_properties(zval *object TSRMLS_DC)
 ZVAL_STRING(zv, dateobj->time->tz_abbr, 1);
 break;
 }
- zend_hash_update(props, "timezone", 9, &zv, sizeof(zval), NULL);
+ zend_hash_update(props, "timezone", 9, &zv, sizeof(zv), NULL);
 }
 return props;
@@ -2265,7 +2265,7 @@ static HashTable *date_object_get_properties_interval(zval *object TSRMLS_DC)
 #define PHP_DATE_INTERVAL_ADD_PROPERTY(n,f) \
 MAKE_STD_ZVAL(zv); \
 ZVAL_LONG(zv, (long)intervalobj->diff->f); \
- zend_hash_update(props, n, strlen(n) + 1, &zv, sizeof(zval), NULL);
+ zend_hash_update(props, n, strlen(n) + 1, &zv, sizeof(zv), NULL);
 PHP_DATE_INTERVAL_ADD_PROPERTY("y", y);
 PHP_DATE_INTERVAL_ADD_PROPERTY("m", m);
@@ -2282,7 +2282,7 @@ static HashTable *date_object_get_properties_interval(zval *object TSRMLS_DC)
 } else {
 MAKE_STD_ZVAL(zv);
 ZVAL_FALSE(zv);
- zend_hash_update(props, "days", 5, &zv, sizeof(zval), NULL);
+ zend_hash_update(props, "days", 5, &zv, sizeof(zv), NULL);
 }
 PHP_DATE_INTERVAL_ADD_PROPERTY("special_type", special.type);
 PHP_DATE_INTERVAL_ADD_PROPERTY("special_amount", special.amount); |
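Review bot: The comment added in the `obj->refcount == 0` branch of zend_objects_store_call_destructors is too terse for a change that guards against heap corruption, and it misnames the collector entry point (`gc_collect_cycle` for `gc_collect_cycles`). It should state what is being protected, for example `/* refcount reached 0 but the bucket is not released until free_storage; remove it from the GC root buffer so gc_collect_cycles() cannot visit a destructed object in between */`. The enclosing loop begins above the hunk, so whether other places that decrement `obj->refcount` to zero need the same removal cannot be judged from these lines and is worth checking.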
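Review bot: `sizeof(zv)` in the `zend_hash_update` calls is the right size only while `zv` is a `zval *` at every call site, and its declarations are outside these hunks; the same applies inside `PHP_DATE_INTERVAL_ADD_PROPERTY` (hunk at 2265) and to the `"days"` call (hunk at 2282). A one-line comment at the first call, such as `/* the table stores zval pointers: element size is sizeof(zval *), not sizeof(zval) */`, would keep the oversized copy from the address of a stack pointer from being reintroduced by a later edit. The diffstat shows no regression test for #65564 in this commit, and any `zend_hash_update(..., &zv, sizeof(zval), ...)` calls elsewhere in php_date.c that these hunks do not show should be checked for the same pattern.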