From 7da6498342d76c34892bfa247bc1779d8f5ee1e6 Mon Sep 17 00:00:00 2001
From: Xinchen Hui <laruence@php.net>
Date: Fri, 30 Aug 2013 11:20:24 +0800
Subject: Fixed bug #60598 (cli/apache sapi segfault on objects manipulation)

---
 NEWS                     |  2 ++
 Zend/tests/bug60598.phpt | 30 ++++++++++++++++++++++++++++++
 Zend/zend_objects_API.c  |  5 +++++
 3 files changed, 37 insertions(+)
 create mode 100644 Zend/tests/bug60598.phpt

diff --git a/NEWS b/NEWS
index 6169cd0902..42b69f535d 100644
--- a/NEWS
+++ b/NEWS
@@ -3,6 +3,8 @@ PHP                                                                        NEWS
 ?? ??? 2013, PHP 5.4.20
 
 - Core:
+  . Fixed bug #60598 (cli/apache sapi segfault on objects manipulation).
+    (Laruence)
   . Fixed bug #65579 (Using traits with get_class_methods causes segfault).
     (Adam)
   . Fixed bug #65490 (Duplicate calls to get lineno & filename for 
diff --git a/Zend/tests/bug60598.phpt b/Zend/tests/bug60598.phpt
new file mode 100644
index 0000000000..eeee75a19d
--- /dev/null
+++ b/Zend/tests/bug60598.phpt
@@ -0,0 +1,30 @@
+--TEST--
+Bug #60598 (cli/apache sapi segfault on objects manipulation)
+--FILE--
+<?php
+define('OBJECT_COUNT', 10000);
+
+$containers = array();
+
+class Object {
+    protected $_guid = 0;
+    public function __construct() {
+		global $containers;
+		$this->guid = 1;
+        $containers[spl_object_hash($this)] = $this;
+    }
+    public function __destruct() {
+		global $containers;
+        $containers[spl_object_hash($this)] = NULL;
+    }
+}
+
+for ($i = 0; $i < OBJECT_COUNT; ++$i) {
+    new Object();
+}
+
+// You probably won't see this because of the "zend_mm_heap corrupted"
+?>
+If you see this, try to increase OBJECT_COUNT to 100,000
+--EXPECT--
+If you see this, try to increase OBJECT_COUNT to 100,000
diff --git a/Zend/zend_objects_API.c b/Zend/zend_objects_API.c
index 1fe5d0c199..b5dd48f798 100644
--- a/Zend/zend_objects_API.c
+++ b/Zend/zend_objects_API.c
@@ -57,6 +57,11 @@ ZEND_API void zend_objects_store_call_destructors(zend_objects_store *objects TS
 					obj->dtor(obj->object, i TSRMLS_CC);
 					obj = &objects->object_buckets[i].bucket.obj;
 					obj->refcount--;
+
+					if (obj->refcount == 0) {
+						/* in case gc_collect_cycle is triggered before free_storage */
+						GC_REMOVE_ZOBJ_FROM_BUFFER(obj);
+					}
 				}
 			}
 		}
-- 
cgit v1.2.1


From d69513afecf3d82c6bfba35ef1634b3b7c377d87 Mon Sep 17 00:00:00 2001
From: Remi Collet <remi@php.net>
Date: Fri, 30 Aug 2013 10:42:08 +0200
Subject: Fixed Bug #65564 stack-buffer-overflow in DateTimeZone stuff caught
 by AddressSanitizer

---
 NEWS                |  2 ++
 ext/date/php_date.c | 10 +++++-----
 2 files changed, 7 insertions(+), 5 deletions(-)

diff --git a/NEWS b/NEWS
index 42b69f535d..76eb1faa0d 100644
--- a/NEWS
+++ b/NEWS
@@ -36,6 +36,8 @@ PHP                                                                        NEWS
 - Datetime:
   . Fixed bug #65554 (createFromFormat broken when weekday name is followed 
     by some delimiters). (Valentin Logvinskiy, Stas).
+  . Fixed bug #65564 (stack-buffer-overflow in DateTimeZone stuff caught
+    by AddressSanitizer). (Remi).
 
 - Openssl:
   . Fixed bug #64802 (openssl_x509_parse fails to parse subject properly in 
diff --git a/ext/date/php_date.c b/ext/date/php_date.c
index 1c97781763..70960b161f 100644
--- a/ext/date/php_date.c
+++ b/ext/date/php_date.c
@@ -2113,13 +2113,13 @@ static HashTable *date_object_get_properties(zval *object TSRMLS_DC)
 	/* first we add the date and time in ISO format */
 	MAKE_STD_ZVAL(zv);
 	ZVAL_STRING(zv, date_format("Y-m-d H:i:s", 12, dateobj->time, 1), 0);
-	zend_hash_update(props, "date", 5, &zv, sizeof(zval), NULL);
+	zend_hash_update(props, "date", 5, &zv, sizeof(zv), NULL);
 
 	/* then we add the timezone name (or similar) */
 	if (dateobj->time->is_localtime) {
 		MAKE_STD_ZVAL(zv);
 		ZVAL_LONG(zv, dateobj->time->zone_type);
-		zend_hash_update(props, "timezone_type", 14, &zv, sizeof(zval), NULL);
+		zend_hash_update(props, "timezone_type", 14, &zv, sizeof(zv), NULL);
 
 		MAKE_STD_ZVAL(zv);
 		switch (dateobj->time->zone_type) {
@@ -2142,7 +2142,7 @@ static HashTable *date_object_get_properties(zval *object TSRMLS_DC)
 				ZVAL_STRING(zv, dateobj->time->tz_abbr, 1);
 				break;
 		}
-		zend_hash_update(props, "timezone", 9, &zv, sizeof(zval), NULL);
+		zend_hash_update(props, "timezone", 9, &zv, sizeof(zv), NULL);
 	}
 
 	return props;
@@ -2265,7 +2265,7 @@ static HashTable *date_object_get_properties_interval(zval *object TSRMLS_DC)
 #define PHP_DATE_INTERVAL_ADD_PROPERTY(n,f) \
 	MAKE_STD_ZVAL(zv); \
 	ZVAL_LONG(zv, (long)intervalobj->diff->f); \
-	zend_hash_update(props, n, strlen(n) + 1, &zv, sizeof(zval), NULL);
+	zend_hash_update(props, n, strlen(n) + 1, &zv, sizeof(zv), NULL);
 
 	PHP_DATE_INTERVAL_ADD_PROPERTY("y", y);
 	PHP_DATE_INTERVAL_ADD_PROPERTY("m", m);
@@ -2282,7 +2282,7 @@ static HashTable *date_object_get_properties_interval(zval *object TSRMLS_DC)
 	} else {
 		MAKE_STD_ZVAL(zv);
 		ZVAL_FALSE(zv);
-		zend_hash_update(props, "days", 5, &zv, sizeof(zval), NULL);
+		zend_hash_update(props, "days", 5, &zv, sizeof(zv), NULL);
 	}
 	PHP_DATE_INTERVAL_ADD_PROPERTY("special_type", special.type);
 	PHP_DATE_INTERVAL_ADD_PROPERTY("special_amount", special.amount);
-- 
cgit v1.2.1