On Mon, Feb 27, 2012 at 4:00 PM, Dmitry Stogov <dmi...@zend.com> wrote:
> Hi Laruence,
>
> The attached patch looks weird. The patch on top of it (r323563) makes it
> better. However, in my opinion it fixes a common problem just in a single
> place. Each call to __toString() that makes "side effects" may cause the
> similar problem. It would be great to make a "right" fix in
> zend_std_cast_object_tostring() itself, but probably it would require API
Hi:
   before this fix, I thought about the same idea of that.
but, you know, such a change will need all exts who implemented their own cast_object handler to change their code too.
for now, I examined the usage of std_cast_object_tostring; most of them do similar things to this fix to avoid this issue (like the ZEND_CAST handler).
so I think maybe it's okay for a temporary fix :)
thanks
> change (e.g. sending zval** instead of zval*). So it could be fixed properly
> only in trunk.
>
> Thanks. Dmitry.
>
>
> On 02/25/2012 08:41 AM, Laruence wrote:
>>
>> Dmitry:
>>   you might want to review this fix.
>>
>>   let me explain why it crashed before this fix.
>>
>>   when doing parse_parameter, then converting the object to string by
>> calling the ce->cast_object,
>>
>>   and passing the same pointer (although there was a separation) to
>> the cast_object..
>>
>>   then if the __toString method stashes $this somewhere, after the
>> parameters clean up, the $this pointer will be impending..
>>
>>   then in the next loop, the return_value will happen to use the same
>> address,,
>>
>>   then balalala, causing the segfault..
>>
>>   sorry for my poor english, and I hope I have made myself clear,
>> if there is any question, plz write me.
>>
>> thanks
>>
>> On Sat, Feb 25, 2012 at 12:36 PM, Xinchen Hui <larue...@php.net> wrote:
>>>
>>> laruence                                 Sat, 25 Feb 2012 04:36:08 +0000
>>>
>>> Revision: http://svn.php.net/viewvc?view=revision&revision=323489
>>>
>>> Log:
>>> Fixed bug #61165 (Segfault - strip_tags())
>>>
>>> Bug: https://bugs.php.net/61165 (Assigned) Segfault - strip_tags()
>>>
>>> Changed paths:
>>>   U   php/php-src/branches/PHP_5_3/NEWS
>>>   U   php/php-src/branches/PHP_5_3/Zend/zend_API.c
>>>   U   php/php-src/trunk/NEWS
>>>   U   php/php-src/trunk/Zend/zend_API.c
>>>
>>> Modified: php/php-src/branches/PHP_5_3/NEWS >>> =================================================================== >>> --- php/php-src/branches/PHP_5_3/NEWS 2012-02-25 03:19:27 UTC (rev >>> 323488) >>> +++ php/php-src/branches/PHP_5_3/NEWS 2012-02-25 04:36:08 UTC (rev >>> 323489) 
>>> @@ -3,6 +3,7 @@ >>> ?? ??? 2012, PHP 5.3.11 >>> >>> - Core: >>> + . Fixed bug #61165 (Segfault - strip_tags()). (Laruence) >>> . Improved max_input_vars directive to check nested variables (Dmitry). >>> . Fixed bug #61095 (Incorect lexing of 0x00*+<NUM>). (Etienne) >>> . Fixed bug #61072 (Memory leak when restoring an exception handler). >>> >>> Modified: php/php-src/branches/PHP_5_3/Zend/zend_API.c >>> =================================================================== >>> --- php/php-src/branches/PHP_5_3/Zend/zend_API.c 2012-02-25 >>> 03:19:27 UTC (rev 323488) >>> +++ php/php-src/branches/PHP_5_3/Zend/zend_API.c 2012-02-25 >>> 04:36:08 UTC (rev 323489) >>> @@ -254,10 +254,15 @@ >>> static int parse_arg_object_to_string(zval **arg TSRMLS_DC) /* {{{ */ >>> { >>> if (Z_OBJ_HANDLER_PP(arg, cast_object)) { >>> - SEPARATE_ZVAL_IF_NOT_REF(arg); >>> - if (Z_OBJ_HANDLER_PP(arg, cast_object)(*arg, *arg, >>> IS_STRING TSRMLS_CC) == SUCCESS) { >>> + zval *obj; >>> + ALLOC_ZVAL(obj); >>> + MAKE_COPY_ZVAL(arg, obj); >>> + if (Z_OBJ_HANDLER_P(*arg, cast_object)(*arg, obj, >>> IS_STRING TSRMLS_CC) == SUCCESS) { >>> + zval_ptr_dtor(arg); >>> + *arg = obj; >>> return SUCCESS; >>> } >>> + zval_ptr_dtor(&obj); >>> } >>> /* Standard PHP objects */ >>> if (Z_OBJ_HT_PP(arg) ==&std_object_handlers || >>> !Z_OBJ_HANDLER_PP(arg, cast_object)) { >>> >>> >>> Modified: php/php-src/trunk/NEWS >>> =================================================================== >>> --- php/php-src/trunk/NEWS 2012-02-25 03:19:27 UTC (rev 323488) >>> +++ php/php-src/trunk/NEWS 2012-02-25 04:36:08 UTC (rev 323489) 
>>> @@ -6,6 +6,7 @@ >>> . World domination >>> >>> - Core: >>> + . Fixed bug #61165 (Segfault - strip_tags()). (Laruence) >>> . Fixed bug #61072 (Memory leak when restoring an exception handler). >>> (Nikic, Laruence) >>> . Fixed bug #61000 (Exceeding max nesting level doesn't delete >>> numerical >>> >>> Modified: php/php-src/trunk/Zend/zend_API.c >>> =================================================================== >>> --- php/php-src/trunk/Zend/zend_API.c 2012-02-25 03:19:27 UTC (rev >>> 323488) >>> +++ php/php-src/trunk/Zend/zend_API.c 2012-02-25 04:36:08 UTC (rev >>> 323489) >>> @@ -262,12 +262,17 @@ >>> static int parse_arg_object_to_string(zval **arg, char **p, int *pl, int >>> type TSRMLS_DC) /* {{{ */ >>> { >>> if (Z_OBJ_HANDLER_PP(arg, cast_object)) { >>> - SEPARATE_ZVAL_IF_NOT_REF(arg); >>> - if (Z_OBJ_HANDLER_PP(arg, cast_object)(*arg, *arg, type >>> TSRMLS_CC) == SUCCESS) { >>> + zval *obj; >>> + ALLOC_ZVAL(obj); >>> + MAKE_COPY_ZVAL(arg, obj); >>> + if (Z_OBJ_HANDLER_P(*arg, cast_object)(*arg, obj, type >>> TSRMLS_CC) == SUCCESS) { >>> + zval_ptr_dtor(arg); >>> + *arg = obj; >>> *pl = Z_STRLEN_PP(arg); >>> *p = Z_STRVAL_PP(arg); >>> return SUCCESS; >>> } >>> + zval_ptr_dtor(&obj); >>> } >>> /* Standard PHP objects */ >>> if (Z_OBJ_HT_PP(arg) ==&std_object_handlers || >>> !Z_OBJ_HANDLER_PP(arg, cast_object)) {
>>>
>
--
Laruence  Xinchen Hui
http://www.laruence.com/
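Review bot: In the PHP_5_3 zend_API.c hunk, `MAKE_COPY_ZVAL(arg, obj)` gives `obj` a full copy of the object zval, which takes an extra reference on the object (zval_copy_ctor on an object goes through the handlers' add_ref), but `obj` is then passed to the cast_object handler only as the write target and installed with `*arg = obj` on success; nothing in the hunk releases that copied object reference before the handler overwrites `obj` with the string, so unless every cast_object handler destroys its write zval before storing the result, each converted parameter leaks one object refcount. The handler reads from `*arg` and only needs a writable scratch zval, so initialising `obj` as an empty zval (`ALLOC_ZVAL(obj); INIT_ZVAL(*obj);`) instead of copying the object into it would avoid the leak, and the failure-path `zval_ptr_dtor(&obj)` still frees it cleanly. Minor: dropping `SEPARATE_ZVAL_IF_NOT_REF(arg)` and swapping in a fresh zval means a by-reference argument no longer has the caller's variable converted to a string in place; that is arguably the better behaviour, but it is a visible change and deserves a sentence in the commit log.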
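Review bot: In the trunk zend_API.c hunk, after the handler returns SUCCESS the code reads `*pl = Z_STRLEN_PP(arg); *p = Z_STRVAL_PP(arg);` without checking that `obj` actually holds a string, even though the requested `type` is passed through to the handler as a parameter; a third-party handler that reports SUCCESS but leaves another type in its write zval would have `Z_STRVAL_PP` interpret non-string zval contents as a char pointer. A `Z_TYPE_P(obj) == IS_STRING` check before the swap, falling through to the `zval_ptr_dtor(&obj)` path otherwise, would make this robust. The same reference-counting question as in the PHP_5_3 hunk applies here: `MAKE_COPY_ZVAL(arg, obj)` takes an extra reference on the object for `obj`, and nothing in the hunk releases it before the handler overwrites `obj` with the string result, so an empty scratch zval (`INIT_ZVAL(*obj)`) would be safer than a copy.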