On Mon, Feb 27, 2012 at 4:31 PM, Laruence <larue...@php.net> wrote:
> On Mon, Feb 27, 2012 at 4:00 PM, Dmitry Stogov <dmi...@zend.com> wrote:
>> Hi Laruence,
>>
>> The attached patch looks weird. The patch on top of it (r323563) makes it
>> better. However, in my opinion it fixes a common problem just in a single
>> place. Each call to __toString() that makes "side effects" may cause a
>> similar problem. It would be great to make a "right" fix in
>> zend_std_cast_object_tostring() itself, but probably it would require API
> Hi:
>     before this fix, I thought about the same idea of that.
>
>     but, you know, such change will need all exts who implemented
> their own cast_object handler change their codes too.
>
>     for now, I examined the usage of std_cast_object_tostring, most of
> them do the similar things like this fix to avoid this issue (like
> ZEND_CAST handler).
>
>     so I think, maybe it's okay for a temporary fix :)
what I mean temporary is, apply this fix to 5.3 and 5.4
then do the "right" fix which you said to 5.4.1 :)

thanks
>
> thanks
>> change (e.g. sending zval** instead of zval*). So it could be fixed properly
>> only in trunk.
>>
>> Thanks. Dmitry.
>>
>>
>> On 02/25/2012 08:41 AM, Laruence wrote:
>>>
>>> Dmitry:
>>>    you might want to review this fix.
>>>
>>>    let me explain why it crashed before this fix.
>>>
>>>    when doing parse_parameter, then convert the object to string by
>>> calling the ce->cast_object,
>>>
>>>    and passed the same pointer (although there was a separation) to
>>> the cast_object..
>>>
>>>    then if the __toString method stashes $this somewhere, after the
>>> parameter cleanup, the $this pointer will be impending..
>>>
>>>    then in the next loop, the return_value will happen to use the same
>>> address,
>>>
>>>    then balalala, cause the segfault..
>>>
>>>    sorry for my poor english, and hope I have made myself clear,
>>> if there is any question, plz write me.
>>>
>>>    thanks
>>>
>>> On Sat, Feb 25, 2012 at 12:36 PM, Xinchen Hui<larue...@php.net> wrote:
>>>>
>>>> laruence Sat, 25 Feb 2012 04:36:08 +0000
>>>>
>>>> Revision: http://svn.php.net/viewvc?view=revision&revision=323489
>>>>
>>>> Log:
>>>> Fixed bug #61165 (Segfault - strip_tags())
>>>>
>>>> Bug: https://bugs.php.net/61165 (Assigned) Segfault - strip_tags()
>>>>
>>>> Changed paths:
>>>>    U   php/php-src/branches/PHP_5_3/NEWS
>>>>    U   php/php-src/branches/PHP_5_3/Zend/zend_API.c
>>>>    U   php/php-src/trunk/NEWS
>>>>    U   php/php-src/trunk/Zend/zend_API.c
>>>>
>>>> Modified: php/php-src/branches/PHP_5_3/NEWS >>>> =================================================================== >>>> --- php/php-src/branches/PHP_5_3/NEWS 2012-02-25 03:19:27 UTC (rev >>>> 323488) >>>> +++ php/php-src/branches/PHP_5_3/NEWS 2012-02-25 04:36:08 UTC (rev >>>> 323489) 
>>>> @@ -3,6 +3,7 @@ >>>> ?? ??? 2012, PHP 5.3.11 >>>> >>>> - Core: >>>> + . Fixed bug #61165 (Segfault - strip_tags()). (Laruence) >>>> . Improved max_input_vars directive to check nested variables (Dmitry). >>>> . Fixed bug #61095 (Incorect lexing of 0x00*+<NUM>). (Etienne) >>>> . Fixed bug #61072 (Memory leak when restoring an exception handler). >>>> >>>> Modified: php/php-src/branches/PHP_5_3/Zend/zend_API.c >>>> =================================================================== >>>> --- php/php-src/branches/PHP_5_3/Zend/zend_API.c 2012-02-25 >>>> 03:19:27 UTC (rev 323488) >>>> +++ php/php-src/branches/PHP_5_3/Zend/zend_API.c 2012-02-25 >>>> 04:36:08 UTC (rev 323489) >>>> @@ -254,10 +254,15 @@ >>>> static int parse_arg_object_to_string(zval **arg TSRMLS_DC) /* {{{ */ >>>> { >>>> if (Z_OBJ_HANDLER_PP(arg, cast_object)) { >>>> - SEPARATE_ZVAL_IF_NOT_REF(arg); >>>> - if (Z_OBJ_HANDLER_PP(arg, cast_object)(*arg, *arg, >>>> IS_STRING TSRMLS_CC) == SUCCESS) { >>>> + zval *obj; >>>> + ALLOC_ZVAL(obj); >>>> + MAKE_COPY_ZVAL(arg, obj); >>>> + if (Z_OBJ_HANDLER_P(*arg, cast_object)(*arg, obj, >>>> IS_STRING TSRMLS_CC) == SUCCESS) { >>>> + zval_ptr_dtor(arg); >>>> + *arg = obj; >>>> return SUCCESS; >>>> } >>>> + zval_ptr_dtor(&obj); >>>> } >>>> /* Standard PHP objects */ >>>> if (Z_OBJ_HT_PP(arg) ==&std_object_handlers || >>>> !Z_OBJ_HANDLER_PP(arg, cast_object)) { >>>> >>>> >>>> Modified: php/php-src/trunk/NEWS >>>> =================================================================== >>>> --- php/php-src/trunk/NEWS 2012-02-25 03:19:27 UTC (rev 323488) >>>> +++ php/php-src/trunk/NEWS 2012-02-25 04:36:08 UTC (rev 323489) 
>>>> @@ -6,6 +6,7 @@ >>>> . World domination >>>> >>>> - Core: >>>> + . Fixed bug #61165 (Segfault - strip_tags()). (Laruence) >>>> . Fixed bug #61072 (Memory leak when restoring an exception handler). >>>> (Nikic, Laruence) >>>> . Fixed bug #61000 (Exceeding max nesting level doesn't delete >>>> numerical >>>> >>>> Modified: php/php-src/trunk/Zend/zend_API.c >>>> =================================================================== >>>> --- php/php-src/trunk/Zend/zend_API.c 2012-02-25 03:19:27 UTC (rev >>>> 323488) >>>> +++ php/php-src/trunk/Zend/zend_API.c 2012-02-25 04:36:08 UTC (rev >>>> 323489) >>>> @@ -262,12 +262,17 @@ >>>> static int parse_arg_object_to_string(zval **arg, char **p, int *pl, int >>>> type TSRMLS_DC) /* {{{ */ >>>> { >>>> if (Z_OBJ_HANDLER_PP(arg, cast_object)) { >>>> - SEPARATE_ZVAL_IF_NOT_REF(arg); >>>> - if (Z_OBJ_HANDLER_PP(arg, cast_object)(*arg, *arg, type >>>> TSRMLS_CC) == SUCCESS) { >>>> + zval *obj; >>>> + ALLOC_ZVAL(obj); >>>> + MAKE_COPY_ZVAL(arg, obj); >>>> + if (Z_OBJ_HANDLER_P(*arg, cast_object)(*arg, obj, type >>>> TSRMLS_CC) == SUCCESS) { >>>> + zval_ptr_dtor(arg); >>>> + *arg = obj; >>>> *pl = Z_STRLEN_PP(arg); >>>> *p = Z_STRVAL_PP(arg); >>>> return SUCCESS; >>>> } >>>> + zval_ptr_dtor(&obj); >>>> } >>>> /* Standard PHP objects */ >>>> if (Z_OBJ_HT_PP(arg) ==&std_object_handlers || >>>> !Z_OBJ_HANDLER_PP(arg, cast_object)) {
>>>>
>>>>
>>>> --
>>>> PHP CVS Mailing List (http://www.php.net/)
>>>> To unsubscribe, visit: http://www.php.net/unsub.php
>>>
>>>
>>
>
>
> --
> Laruence  Xinchen Hui
> http://www.laruence.com/

--
Laruence  Xinchen Hui
http://www.laruence.com/

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
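Review bot: In the PHP_5_3 Zend/zend_API.c hunk (@@ -254,10 +254,15 @@), `MAKE_COPY_ZVAL(arg, obj);` seeds `obj` with a full copy of the object zval, which takes an extra reference on the object, yet `obj` is only ever used as the write target of `cast_object(*arg, obj, IS_STRING ...)`. A handler that writes its string result over `obj` without destroying what was there (it is handed separate read and write zvals, so it has no reason to) leaves that extra reference unreleased, and on the SUCCESS path nothing in the hunk drops it before `*arg = obj;`. Starting from an empty destination instead (`MAKE_STD_ZVAL(obj);`, i.e. a fresh null zval) avoids the copy altogether and leaves the handler with nothing to leak; the FAILURE path can keep `zval_ptr_dtor(&obj);`.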
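Review bot: The trunk Zend/zend_API.c hunk (@@ -262,12 +262,17 @@) lands without a regression test: the "Changed paths" list for this revision covers only NEWS and zend_API.c in each branch. The description earlier in the thread already spells out the trigger (a `__toString()` that keeps `$this`, with the object passed to a string parameter such as `strip_tags()` and the call repeated), so a small .phpt under Zend/tests (a name like bug61165.phpt would follow the usual convention; that file is a suggestion, not part of this commit) running that scenario for a few iterations would both pin this fix and give the "right" fix in `zend_std_cast_object_tostring()` discussed above something to be checked against.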
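An added example, not code from php-src or from anyone on this thread: a toy C model of the situation Laruence describes, with a cast handler that keeps a pointer to the object zval it was handed (standing in for a `__toString()` that stores `$this`). `parse_arg_in_place` converts the shared zval in place, as the pre-patch code did; `parse_arg_copy_swap` writes the string into a fresh zval and swaps it into the parameter slot, as the patch does. The `zval` layout, the refcount bookkeeping and every function name here are simplified assumptions rather than the engine's own; the model shows the step where the stashed pointer is left looking at a string instead of an object, not the later reuse of the freed address that produced the segfault.

```c
/* Toy model of a refcounted zval and a parameter slot (assumed layout,
 * not PHP's).  The cast handler below plays a __toString() that stashes
 * $this, so the zval it was given is referenced from somewhere else after
 * the parse step finishes. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SUCCESS 0
#define FAILURE -1

typedef enum { T_OBJECT = 1, T_STRING = 2 } vtype;

typedef struct zval {
    vtype type;
    int refcount;
    int obj_id;     /* toy payload when type == T_OBJECT */
    char str[8];    /* toy payload when type == T_STRING */
} zval;

/* Where __toString() stashed $this; one global is enough for the model. */
static zval *stash = NULL;

static zval *zval_alloc(void) {
    zval *z = calloc(1, sizeof *z);
    if (!z) abort();
    z->refcount = 1;
    return z;
}

/* Drop one reference; free the zval once nobody points at it any more. */
static void zval_ptr_dtor(zval **pz) {
    if (--(*pz)->refcount == 0) {
        free(*pz);
    }
    *pz = NULL;
}

/* Stand-in for ce->cast_object with IS_STRING: "run __toString()", which
 * stores $this (the readobj pointer, refcount bumped), then put the string
 * result into writeobj.  When writeobj is readobj the object payload is
 * dropped first, which is what an in-place conversion amounts to. */
static int cast_object_to_string(zval *readobj, zval *writeobj) {
    stash = readobj;            /* $this escapes into a longer-lived place */
    stash->refcount++;
    if (writeobj == readobj) {
        readobj->obj_id = 0;    /* object payload gone, string takes over */
    }
    writeobj->type = T_STRING;
    strcpy(writeobj->str, "obj");
    return SUCCESS;
}

/* Before the patch: convert the parameter's zval in place. */
static int parse_arg_in_place(zval **arg) {
    return cast_object_to_string(*arg, *arg);
}

/* The patch: produce the string in a fresh zval and swap it into the slot,
 * so the zval that __toString() captured is left untouched. */
static int parse_arg_copy_swap(zval **arg) {
    zval *obj = zval_alloc();
    if (cast_object_to_string(*arg, obj) == SUCCESS) {
        zval_ptr_dtor(arg);     /* slot gives up its reference to the object */
        *arg = obj;
        return SUCCESS;
    }
    zval_ptr_dtor(&obj);
    return FAILURE;
}

typedef struct {
    vtype stash_type;       /* what the stashed "$this" is now */
    int stash_refcount;     /* references left on it after parameter cleanup */
} outcome;

/* One call: an object argument is parsed as a string, then the parameter is
 * released.  Reports what the stashed pointer refers to afterwards. */
static outcome simulate(int use_fix) {
    outcome out;
    zval *slot = zval_alloc();  /* constructed sample argument */
    slot->type = T_OBJECT;
    slot->obj_id = 42;

    if (use_fix) {
        parse_arg_copy_swap(&slot);
    } else {
        parse_arg_in_place(&slot);
    }
    zval_ptr_dtor(&slot);       /* parameter cleanup once the call returns */

    out.stash_type = stash->type;
    out.stash_refcount = stash->refcount;
    zval_ptr_dtor(&stash);      /* whoever kept $this eventually lets go */
    return out;
}

int main(void) {
    outcome before = simulate(0), after = simulate(1);
    printf("in place : stashed $this is now %s\n",
           before.stash_type == T_OBJECT ? "an object" : "a string");
    printf("copy+swap: stashed $this is now %s\n",
           after.stash_type == T_OBJECT ? "an object" : "a string");
    return 0;
}
```

The point of the two paths is the same one the patch makes: once a zval can be reached from somewhere other than the parameter slot, the slot may be repointed, but the zval itself must not be rewritten under the other holder. The same copy-and-swap shape is what the thread proposes moving into `zend_std_cast_object_tostring()` so that every caller gets it, not only `parse_arg_object_to_string()`.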