Dmitry:
you might want to review this fix.
Let me explain why it crashed before this fix.
When doing parse_parameter, we convert the object to a string by
calling ce->cast_object,
and pass the same pointer (although there was a separation) to
cast_object.
Then, if the __toString method stashes $this somewhere, after the
parameters are cleaned up the $this pointer will be dangling.
Then in the next loop, the return_value will happen to use the same address,
then balalala, causing the segfault.
Sorry for my poor English, and I hope I have made myself clear;
if there is any question, please write me.
Thanks
On Sat, Feb 25, 2012 at 12:36 PM, Xinchen Hui <[email protected]> wrote:
laruence Sat, 25 Feb 2012 04:36:08 +0000
Revision:
http://svn.php.net/viewvc?view=revision&revision=323489
Log:
Fixed bug #61165 (Segfault - strip_tags())
Bug:
https://bugs.php.net/61165 (Assigned) Segfault - strip_tags()
Changed paths:
U php/php-src/branches/PHP_5_3/NEWS
U php/php-src/branches/PHP_5_3/Zend/zend_API.c
U php/php-src/trunk/NEWS
U php/php-src/trunk/Zend/zend_API.c
Modified: php/php-src/branches/PHP_5_3/NEWS
===================================================================
--- php/php-src/branches/PHP_5_3/NEWS 2012-02-25 03:19:27 UTC (rev 323488)
+++ php/php-src/branches/PHP_5_3/NEWS 2012-02-25 04:36:08 UTC (rev 323489)
@@ -3,6 +3,7 @@
?? ??? 2012, PHP 5.3.11
- Core:
+ . Fixed bug #61165 (Segfault - strip_tags()). (Laruence)
. Improved max_input_vars directive to check nested variables (Dmitry).
. Fixed bug #61095 (Incorect lexing of 0x00*+<NUM>). (Etienne)
. Fixed bug #61072 (Memory leak when restoring an exception handler).
Modified: php/php-src/branches/PHP_5_3/Zend/zend_API.c
===================================================================
--- php/php-src/branches/PHP_5_3/Zend/zend_API.c 2012-02-25 03:19:27 UTC (rev 323488)
+++ php/php-src/branches/PHP_5_3/Zend/zend_API.c 2012-02-25 04:36:08 UTC (rev 323489)
@@ -254,10 +254,15 @@
static int parse_arg_object_to_string(zval **arg TSRMLS_DC) /* {{{ */
{
if (Z_OBJ_HANDLER_PP(arg, cast_object)) {
- SEPARATE_ZVAL_IF_NOT_REF(arg);
- if (Z_OBJ_HANDLER_PP(arg, cast_object)(*arg, *arg, IS_STRING TSRMLS_CC) == SUCCESS) {
+ zval *obj;
+ ALLOC_ZVAL(obj);
+ MAKE_COPY_ZVAL(arg, obj);
+ if (Z_OBJ_HANDLER_P(*arg, cast_object)(*arg, obj, IS_STRING TSRMLS_CC) == SUCCESS) {
+ zval_ptr_dtor(arg);
+ *arg = obj;
return SUCCESS;
}
+ zval_ptr_dtor(&obj);
}
/* Standard PHP objects */
if (Z_OBJ_HT_PP(arg) ==&std_object_handlers || !Z_OBJ_HANDLER_PP(arg, cast_object)) {
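Review bot: MAKE_COPY_ZVAL(arg, obj) looks like the wrong initialiser for obj, because obj is only the write target of cast_object and the copied contents are never read. Copy-constructing the object value adds a reference to the object, and unless every cast_object handler destroys the previous contents of its write target before storing the string, that reference is never released, which would leak the object on every object-to-string conversion. An empty zval (ALLOC_ZVAL(obj); INIT_ZVAL(*obj); or simply MAKE_STD_ZVAL(obj)) is the safer output slot, and the `zval_ptr_dtor(&obj)` on the failure path still releases it correctly. Dropping SEPARATE_ZVAL_IF_NOT_REF is right now that `*arg` is no longer written in place: the original object zval stays intact for anything that kept $this, and the argument slot is only swapped to the new string via `zval_ptr_dtor(arg); *arg = obj;`.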
Modified: php/php-src/trunk/NEWS
===================================================================
--- php/php-src/trunk/NEWS 2012-02-25 03:19:27 UTC (rev 323488)
+++ php/php-src/trunk/NEWS 2012-02-25 04:36:08 UTC (rev 323489)
@@ -6,6 +6,7 @@
. World domination
- Core:
+ . Fixed bug #61165 (Segfault - strip_tags()). (Laruence)
. Fixed bug #61072 (Memory leak when restoring an exception handler).
(Nikic, Laruence)
. Fixed bug #61000 (Exceeding max nesting level doesn't delete numerical
Modified: php/php-src/trunk/Zend/zend_API.c
===================================================================
--- php/php-src/trunk/Zend/zend_API.c 2012-02-25 03:19:27 UTC (rev 323488)
+++ php/php-src/trunk/Zend/zend_API.c 2012-02-25 04:36:08 UTC (rev 323489)
@@ -262,12 +262,17 @@
static int parse_arg_object_to_string(zval **arg, char **p, int *pl, int type TSRMLS_DC) /* {{{ */
{
if (Z_OBJ_HANDLER_PP(arg, cast_object)) {
- SEPARATE_ZVAL_IF_NOT_REF(arg);
- if (Z_OBJ_HANDLER_PP(arg, cast_object)(*arg, *arg, type TSRMLS_CC) == SUCCESS) {
+ zval *obj;
+ ALLOC_ZVAL(obj);
+ MAKE_COPY_ZVAL(arg, obj);
+ if (Z_OBJ_HANDLER_P(*arg, cast_object)(*arg, obj, type TSRMLS_CC) == SUCCESS) {
+ zval_ptr_dtor(arg);
+ *arg = obj;
*pl = Z_STRLEN_PP(arg);
*p = Z_STRVAL_PP(arg);
return SUCCESS;
}
+ zval_ptr_dtor(&obj);
}
/* Standard PHP objects */
if (Z_OBJ_HT_PP(arg) ==&std_object_handlers || !Z_OBJ_HANDLER_PP(arg, cast_object)) {
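Review bot: no regression test comes with this fix; the changed paths are only NEWS and Zend/zend_API.c, so nothing would catch the dangling-pointer path being reintroduced. A .phpt (Zend/tests/bug61165.phpt, name assumed) with a class whose __toString() keeps $this in a static property and a loop calling strip_tags() on fresh instances, the scenario described in the reply above, would pin the behaviour down on both branches. On the hunk itself, the `*pl` and `*p` reads are correctly taken after `*arg = obj`, so they point at the new string zval rather than the released argument; but as in the 5.3 version, MAKE_COPY_ZVAL(arg, obj) copy-constructs the object into a zval that cast_object immediately overwrites, which costs a refcount bump that only comes back if the handler destroys the old contents of its write target, so an empty zval (MAKE_STD_ZVAL(obj)) is the cleaner output slot.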
--
PHP CVS Mailing List (http://www.php.net/)