Edit report at http://bugs.php.net/bug.php?id=52001&edit=1

 ID:               52001
 Updated by:       dmi...@php.net
 Reported by:      lisio at bk dot ru
 Summary:          Memory allocation problems after using variable
                   variables
-Status:           Assigned
+Status:           Closed
 Type:             Bug
 Package:          Scripting Engine problem
 Operating System: Linux
 PHP Version:      5.3.2
 Assigned To:      dmitry

 New Comment:

This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.




Previous Comments:
------------------------------------------------------------------------
[2010-06-10 11:13:24] dmi...@php.net

Automatic comment from SVN on behalf of dmitry
Revision: http://svn.php.net/viewvc/?view=revision&revision=300345
Log: Fixed bug #52001 (Memory allocation problems after using variable
variables)

------------------------------------------------------------------------
[2010-06-08 11:22:57] boldin dot pavel at gmail dot com

The old patch breaks tests (Zend/tests/objects_020.phpt); the new one doesn't.
I'm still not sure if it is absolutely correct.

------------------------------------------------------------------------
[2010-06-06 19:15:45] boldin dot pavel at gmail dot com

Zend/zend_compile.c 1066:

                if (opline && type == BP_VAR_W && arg_offset) {
                        opline->extended_value = ZEND_FETCH_MAKE_REF;
                }

Isn't this a bug too? ZEND_FETCH_MAKE_REF is not set for the first
(arg_offset == 0) arg?

------------------------------------------------------------------------
[2010-06-06 19:06:29] boldin dot pavel at gmail dot com

I have attached a patch. It must be reviewed by a professional PHP
developer.

To me it is clear that the call to SEPARATE_ZVAL_TO_MAKE_IS_REF must be
predicated on such a check (and it is done in all other cases).

------------------------------------------------------------------------
[2010-06-06 18:38:05] boldin dot pavel at gmail dot com

Finally: the bug is at

                if (opline->extended_value & ZEND_FETCH_MAKE_REF) {
                        SEPARATE_ZVAL_TO_MAKE_IS_REF(retval);
                }

SEPARATE_ZVAL_TO_MAKE_IS_REF seems to ruin *retval (which is
executor_globals.uninitialized_ptr). This then leads to
zend_send_by_var_helper working incorrectly and to an incorrect
reference count in zend_assign_to_variable.

Trying to patch now.

------------------------------------------------------------------------


The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at

    http://bugs.php.net/bug.php?id=52001
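
The failure mode discussed in the comments above, as an added example: a simplified C model written for this page, not PHP source code and not the committed fix. The names `val`, `uninit`, `uninit_ptr`, `separate_make_ref` and `fetch_undefined` are hypothetical, and the guard is only an assumption about what "such a check" could look like, since its exact form is not shown here.

```c
#include <stdio.h>
#include <stdlib.h>

/* Simplified stand-in for a zval: only the fields this bug report discusses. */
typedef struct { int refcount; int is_ref; } val;

static val  uninit;                 /* shared "uninitialized" value            */
static val *uninit_ptr = &uninit;   /* global slot returned for undefined vars */

/* Model of separate-then-mark-as-reference; it writes through `slot`. */
static void separate_make_ref(val **slot) {
    if ((*slot)->is_ref) return;
    if ((*slot)->refcount > 1) {            /* shared: split off a private copy */
        val *copy = malloc(sizeof *copy);
        if (!copy) abort();
        (*slot)->refcount--;
        copy->refcount = 1;
        copy->is_ref = 0;
        *slot = copy;                       /* repoints whatever `slot` addresses */
    }
    (*slot)->is_ref = 1;
}

/* Fetch of an undefined variable with the make-ref flag set.
 * holders = references already held on the shared value (constructed input).
 * Returns a bitmask: 1 = global slot repointed, 2 = shared value marked is_ref. */
int fetch_undefined(int holders, int guarded) {
    uninit.refcount = holders; uninit.is_ref = 0; uninit_ptr = &uninit;
    val **retval = &uninit_ptr;             /* what the fetch hands back */
    if (!guarded || retval != &uninit_ptr)  /* hypothetical guard (assumption) */
        separate_make_ref(retval);
    int damage = (uninit_ptr != &uninit ? 1 : 0) | (uninit.is_ref ? 2 : 0);
    if (uninit_ptr != &uninit) { free(uninit_ptr); uninit_ptr = &uninit; }
    return damage;
}

int main(void) {
    printf("unguarded, 1 holder : %d\n", fetch_undefined(1, 0));
    printf("unguarded, 3 holders: %d\n", fetch_undefined(3, 0));
    printf("guarded,   3 holders: %d\n", fetch_undefined(3, 1));
    return 0;
}
```

In both unguarded cases the process-wide sentinel is altered, so every later user of it sees the wrong flags or the wrong object.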


-- 
Edit this bug report at http://bugs.php.net/bug.php?id=52001&edit=1
