Re: svn: /php/php-src/ branches/PHP_5_3/NEWS branches/PHP_5_3/Zend/zend_API.c trunk/NEWS trunk/Zend/zend_API.c

From: Date: Mon, 27 Feb 2012 09:20:45 +0000
Subject: Re: svn: /php/php-src/ branches/PHP_5_3/NEWS branches/PHP_5_3/Zend/zend_API.c trunk/NEWS trunk/Zend/zend_API.c
Groups: php.cvs php.internals
On 02/27/2012 12:37 PM, Laruence wrote:
On Mon, Feb 27, 2012 at 4:31 PM, Laruence<[email protected]> wrote:
On Mon, Feb 27, 2012 at 4:00 PM, Dmitry Stogov<[email protected]> wrote:
Hi Laruence,
The attached patch looks weird. The patch on top of it (r323563) makes it better. However, in my opinion it fixes a common problem just in a single place. Each call to __toString() that makes "side effects" may cause a similar problem. It would be great to make a "right" fix in zend_std_cast_object_tostring() itself, but probably it would require an API change (e.g. sending zval** instead of zval*). So it could be fixed properly only in trunk.
Thanks. Dmitry.
Hi: before this fix, I thought about the same idea. But, you know, such a change will need all exts that implemented their own cast_object handler to change their code too. For now, I examined the usage of std_cast_object_tostring; most of them do similar things to this fix to avoid this issue (like the ZEND_CAST handler). So I think maybe it's okay for a temporary fix :)
What I mean by temporary is: apply this fix to 5.3 and 5.4, then do the "right" fix which you said to 5.4.1 :)
We won't be able to change the API in 5.4.1, so it's for 5.5. Thanks. Dmitry.
thanks
thanks
On 02/25/2012 08:41 AM, Laruence wrote:
Dmitry:
    you might want to review this fix.
    let me explain why it crashed before this fix.
    when doing parse_parameter, it then converts the object to a string by calling ce->cast_object,
    and passes the same pointer (although there was a separation) to cast_object.
    then if the __toString method stashes $this somewhere, after the parameters clean up, the $this pointer will be impending.
    then in the next loop, the return_value will happen to use the same address,
    then balalala, causing the segfault.
    sorry for my poor English, and I hope I have made myself clear; if there is any question, please write me. thanks
On Sat, Feb 25, 2012 at 12:36 PM, Xinchen Hui<[email protected]> wrote:
laruence                                 Sat, 25 Feb 2012 04:36:08 +0000
Revision: http://svn.php.net/viewvc?view=revision&revision=323489
Log: Fixed bug #61165 (Segfault - strip_tags())
Bug: https://bugs.php.net/61165 (Assigned) Segfault - strip_tags()
Changed paths:
    U   php/php-src/branches/PHP_5_3/NEWS
    U   php/php-src/branches/PHP_5_3/Zend/zend_API.c
    U   php/php-src/trunk/NEWS
    U   php/php-src/trunk/Zend/zend_API.c
Modified: php/php-src/branches/PHP_5_3/NEWS =================================================================== --- php/php-src/branches/PHP_5_3/NEWS 2012-02-25 03:19:27 UTC (rev 323488) +++ php/php-src/branches/PHP_5_3/NEWS 2012-02-25 04:36:08 UTC (rev 323489) @@ -3,6 +3,7 @@ ?? ??? 2012, PHP 5.3.11 - Core: + . Fixed bug #61165 (Segfault - strip_tags()). (Laruence) . Improved max_input_vars directive to check nested variables (Dmitry). . Fixed bug #61095 (Incorect lexing of 0x00*+<NUM>). (Etienne) . Fixed bug #61072 (Memory leak when restoring an exception handler). Modified: php/php-src/branches/PHP_5_3/Zend/zend_API.c ===================================================================
--- php/php-src/branches/PHP_5_3/Zend/zend_API.c        2012-02-25
03:19:27 UTC (rev 323488)
+++ php/php-src/branches/PHP_5_3/Zend/zend_API.c        2012-02-25
04:36:08 UTC (rev 323489) @@ -254,10 +254,15 @@ static int parse_arg_object_to_string(zval **arg TSRMLS_DC) /* {{{ */ {
        if (Z_OBJ_HANDLER_PP(arg, cast_object)) {
-               SEPARATE_ZVAL_IF_NOT_REF(arg);
-               if (Z_OBJ_HANDLER_PP(arg, cast_object)(*arg, *arg,
IS_STRING TSRMLS_CC) == SUCCESS) {
+               zval *obj;
+               ALLOC_ZVAL(obj);
+               MAKE_COPY_ZVAL(arg, obj);
+               if (Z_OBJ_HANDLER_P(*arg, cast_object)(*arg, obj,
IS_STRING TSRMLS_CC) == SUCCESS) {
+                       zval_ptr_dtor(arg);
+                       *arg = obj;
                        return SUCCESS;
                }
+               zval_ptr_dtor(&obj);
        }
        /* Standard PHP objects */
        if (Z_OBJ_HT_PP(arg) ==&std_object_handlers ||
!Z_OBJ_HANDLER_PP(arg, cast_object)) { Modified: php/php-src/trunk/NEWS ===================================================================
--- php/php-src/trunk/NEWS      2012-02-25 03:19:27 UTC (rev 323488)
+++ php/php-src/trunk/NEWS      2012-02-25 04:36:08 UTC (rev 323489)
@@ -6,6 +6,7 @@ . World domination - Core: + . Fixed bug #61165 (Segfault - strip_tags()). (Laruence) . Fixed bug #61072 (Memory leak when restoring an exception handler).
     (Nikic, Laruence)
. Fixed bug #61000 (Exceeding max nesting level doesn't delete numerical Modified: php/php-src/trunk/Zend/zend_API.c =================================================================== --- php/php-src/trunk/Zend/zend_API.c 2012-02-25 03:19:27 UTC (rev 323488) +++ php/php-src/trunk/Zend/zend_API.c 2012-02-25 04:36:08 UTC (rev 323489) @@ -262,12 +262,17 @@ static int parse_arg_object_to_string(zval **arg, char **p, int *pl, int type TSRMLS_DC) /* {{{ */ {
        if (Z_OBJ_HANDLER_PP(arg, cast_object)) {
-               SEPARATE_ZVAL_IF_NOT_REF(arg);
-               if (Z_OBJ_HANDLER_PP(arg, cast_object)(*arg, *arg, type
TSRMLS_CC) == SUCCESS) {
+               zval *obj;
+               ALLOC_ZVAL(obj);
+               MAKE_COPY_ZVAL(arg, obj);
+               if (Z_OBJ_HANDLER_P(*arg, cast_object)(*arg, obj, type
TSRMLS_CC) == SUCCESS) {
+                       zval_ptr_dtor(arg);
+                       *arg = obj;
                        *pl = Z_STRLEN_PP(arg);
                        *p = Z_STRVAL_PP(arg);
                        return SUCCESS;
                }
+               zval_ptr_dtor(&obj);
        }
        /* Standard PHP objects */
        if (Z_OBJ_HT_PP(arg) ==&std_object_handlers ||
!Z_OBJ_HANDLER_PP(arg, cast_object)) { -- PHP CVS Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
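Review bot: the new call `cast_object)(*arg, obj, type ...)` in trunk's parse_arg_object_to_string() carries no comment saying why the write target must be a fresh zval instead of `*arg`, so a later cleanup could fold it back into the in-place form `(*arg, *arg, type ...)` that this revision removes for bug #61165. A short comment above `zval *obj;` stating that __toString() may keep a reference to the object being cast would protect the change. The changed-paths list for this revision also shows only NEWS and zend_API.c in each branch, so a .phpt regression test for #61165 should accompany the fix.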
-- Laruence Xinchen Hui http://www.laruence.com/
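Review bot: `MAKE_COPY_ZVAL(arg, obj);` in the PHP_5_3 zend_API.c hunk fills obj with a copy of the object immediately before obj is handed to cast_object as the write target, and nothing in the hunk reads that copy. If the handler overwrites obj without first destroying its contents, the reference taken by the copy is never released, and on the failure path `zval_ptr_dtor(&obj);` only undoes a copy that served no purpose. Initialising obj as an empty zval before the call would avoid both; the trunk hunk has the same line, and Dmitry's reply says r323563 on top of this revision improves the patch, so this should be checked against that revision.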


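A simplified model of the crash Laruence describes and of what the patch changes, added here as an illustration and not taken from php-src. The `val` struct, `stash`, and the handler's reset of the reference count are assumptions standing in for zval, the place __toString() keeps $this, and the cast handler's behaviour; "freeing" only sets a flag so the program stays well defined.

```c
#include <stdio.h>

/* Toy refcounted value; names and layout are illustrative, not Zend's. */
enum vtype { T_OBJECT, T_STRING };
typedef struct val { enum vtype type; int refcount; int freed; } val;

static val *stash; /* where the modelled __toString() keeps $this */

/* Drop one reference; the release is only flagged, never performed. */
static void release(val *v) { if (--v->refcount == 0) v->freed = 1; }

/* Modelled cast handler (assumed behaviour): run __toString() on readobj,
 * whose side effect stores a counted reference to $this, then initialise
 * writeobj as a brand-new string with a reference count of 1. */
static void cast_to_string(val *readobj, val *writeobj) {
    readobj->refcount++;
    stash = readobj;
    writeobj->type = T_STRING;
    writeobj->refcount = 1;
}

/* Pre-fix shape: the argument is both source and destination. */
static int inplace_leaves_dangling(void) {
    val arg = { T_OBJECT, 1, 0 };
    cast_to_string(&arg, &arg);  /* the stash's reference is wiped out */
    release(&arg);               /* parameter cleanup: 1 -> 0, released */
    int dangling = stash->freed; /* stash still points at that value */
    stash = NULL;
    return dangling;
}

/* Post-fix shape: cast into a separate value, then swap it in. */
static int separate_leaves_dangling(void) {
    val arg = { T_OBJECT, 1, 0 }, obj = { T_STRING, 0, 0 };
    val *slot = &arg;
    cast_to_string(slot, &obj);
    release(slot);               /* like zval_ptr_dtor(arg): 2 -> 1 */
    slot = &obj;                 /* like *arg = obj */
    release(slot);               /* parameter cleanup releases the string */
    int dangling = stash->freed || stash->type != T_OBJECT;
    stash = NULL;
    return dangling;
}

int main(void) {
    printf("in-place cast: dangling=%d\n", inplace_leaves_dangling());
    printf("separate cast: dangling=%d\n", separate_leaves_dangling());
    return 0;
}
```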