dmitry Mon, 11 Jul 2011 10:31:49 +0000 Revision: http://svn.php.net/viewvc?view=revision&revision=313129
Log: Fixed bug #54305 (Crash in gc_remove_zval_from_buffer) Bug: https://bugs.php.net/54305 (error getting bug information) Changed paths: U php/php-src/branches/PHP_5_3/NEWS A php/php-src/branches/PHP_5_3/Zend/tests/bug54305.phpt U php/php-src/branches/PHP_5_3/Zend/zend_vm_def.h U php/php-src/branches/PHP_5_3/Zend/zend_vm_execute.h A php/php-src/branches/PHP_5_4/Zend/tests/bug54305.phpt U php/php-src/branches/PHP_5_4/Zend/zend_vm_def.h U php/php-src/branches/PHP_5_4/Zend/zend_vm_execute.h A php/php-src/trunk/Zend/tests/bug54305.phpt U php/php-src/trunk/Zend/zend_vm_def.h U php/php-src/trunk/Zend/zend_vm_execute.h
Modified: php/php-src/branches/PHP_5_3/NEWS =================================================================== --- php/php-src/branches/PHP_5_3/NEWS 2011-07-11 10:29:44 UTC (rev 313128) +++ php/php-src/branches/PHP_5_3/NEWS 2011-07-11 10:31:49 UTC (rev 313129) @@ -7,6 +7,7 @@ - Core . Fixed bug #54332 (Crash in zend_mm_check_ptr // Heap corruption). (Dmitry) + . Fixed bug #54305 (Crash in gc_remove_zval_from_buffer). (Dmitry) . Fixed bug #53727 (Inconsistent behavior of is_subclass_of with interfaces) (Ralph Schindler, Dmitry) . Fixed buffer overflow on overlog salt in crypt(). (Clément LECIGNE, Stas) Added: php/php-src/branches/PHP_5_3/Zend/tests/bug54305.phpt =================================================================== --- php/php-src/branches/PHP_5_3/Zend/tests/bug54305.phpt (rev 0) +++ php/php-src/branches/PHP_5_3/Zend/tests/bug54305.phpt 2011-07-11 10:31:49 UTC (rev 313129) @@ -0,0 +1,22 @@ +--TEST-- +Bug #54305 (Crash in gc_remove_zval_from_buffer) +--FILE-- +<?php +class TestClass { + public function methodWithArgs($a, $b) { + } +} +abstract class AbstractClass { +} +$methodWithArgs = new ReflectionMethod('TestClass', 'methodWithArgs'); +echo $methodWithArgs++; +?> +--EXPECTF-- +Method [ <user> public method methodWithArgs ] { + @@ %sbug54305.php %d - %d + + - Parameters [2] { + Parameter #0 [ <required> $a ] + Parameter #1 [ <required> $b ] + } +} Modified: php/php-src/branches/PHP_5_3/Zend/zend_vm_def.h =================================================================== --- php/php-src/branches/PHP_5_3/Zend/zend_vm_def.h 2011-07-11 10:29:44 UTC (rev 313128) +++ php/php-src/branches/PHP_5_3/Zend/zend_vm_def.h 2011-07-11 10:31:49 UTC (rev 313129) 
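Review bot: The new bug54305.phpt only exercises a temporary object whose string cast succeeds, so the inner `else { zend_print_variable(z); }` branch that the same commit adds to the VM handler is never reached by the test. A second case that echoes a temporary object without a usable `__toString()` would pin that path too. The `abstract class AbstractClass { }` declaration is unused and could be dropped. A short comment such as `// post-increment yields a temporary copy of the object, which echo must then cast to string` would record why `$methodWithArgs++` is the trigger (presumably the TMP_VAR operand the fix targets). The identical copies of this test under PHP_5_4 and trunk have the same gaps.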
@@ -900,10 +900,16 @@ zval *z = GET_OP1_ZVAL_PTR(BP_VAR_R); if (OP1_TYPE != IS_CONST && - Z_TYPE_P(z) == IS_OBJECT && Z_OBJ_HT_P(z)->get_method != NULL && - zend_std_cast_object_tostring(z, &z_copy, IS_STRING TSRMLS_CC) == SUCCESS) { - zend_print_variable(&z_copy); - zval_dtor(&z_copy); + Z_TYPE_P(z) == IS_OBJECT && Z_OBJ_HT_P(z)->get_method != NULL) { + if (OP1_TYPE == IS_TMP_VAR) { + INIT_PZVAL(z); + } + if (zend_std_cast_object_tostring(z, &z_copy, IS_STRING TSRMLS_CC) == SUCCESS) { + zend_print_variable(&z_copy); + zval_dtor(&z_copy); + } else { + zend_print_variable(z); + } } else { zend_print_variable(z); } Modified: php/php-src/branches/PHP_5_3/Zend/zend_vm_execute.h =================================================================== --- php/php-src/branches/PHP_5_3/Zend/zend_vm_execute.h 2011-07-11 10:29:44 UTC (rev 313128) +++ php/php-src/branches/PHP_5_3/Zend/zend_vm_execute.h 2011-07-11 10:31:49 UTC (rev 313129) @@ -1324,10 +1324,16 @@ zval *z = &opline->op1.u.constant; if (IS_CONST != IS_CONST && - Z_TYPE_P(z) == IS_OBJECT && Z_OBJ_HT_P(z)->get_method != NULL && - zend_std_cast_object_tostring(z, &z_copy, IS_STRING TSRMLS_CC) == SUCCESS) { - zend_print_variable(&z_copy); - zval_dtor(&z_copy); + Z_TYPE_P(z) == IS_OBJECT && Z_OBJ_HT_P(z)->get_method != NULL) { + if (IS_CONST == IS_TMP_VAR) { + INIT_PZVAL(z); + } + if (zend_std_cast_object_tostring(z, &z_copy, IS_STRING TSRMLS_CC) == SUCCESS) { + zend_print_variable(&z_copy); + zval_dtor(&z_copy); + } else { + zend_print_variable(z); + } } else { zend_print_variable(z); } 
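Review bot: The `INIT_PZVAL(z)` guard added in the zend_vm_def.h hunk only runs inside the `Z_OBJ_HT_P(z)->get_method != NULL` branch, so a TMP_VAR object whose handler table has no `get_method` still reaches the outer `zend_print_variable(z)` without it. If that path can also hand `z` to an object cast handler, which looks likely but is not visible here, the refcount/is_ref header would be just as unreliable as in the crash being fixed. Hoisting the guard above the branch as `if (OP1_TYPE == IS_TMP_VAR && Z_TYPE_P(z) == IS_OBJECT) { INIT_PZVAL(z); }` would cover both paths. A comment such as `/* temporaries carry no valid refcount/is_ref; set them before object handlers can expose z to the GC */` would stop a later cleanup from removing the call as redundant. The enclosing handler starts and ends outside the hunk; the same applies to the PHP_5_4 and trunk copies of zend_vm_def.h and to the generated zend_vm_execute.h specialisations.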
@@ -4614,10 +4620,16 @@ zval *z = _get_zval_ptr_tmp(&opline->op1, EX(Ts), &free_op1 TSRMLS_CC); if (IS_TMP_VAR != IS_CONST && - Z_TYPE_P(z) == IS_OBJECT && Z_OBJ_HT_P(z)->get_method != NULL && - zend_std_cast_object_tostring(z, &z_copy, IS_STRING TSRMLS_CC) == SUCCESS) { - zend_print_variable(&z_copy); - zval_dtor(&z_copy); + Z_TYPE_P(z) == IS_OBJECT && Z_OBJ_HT_P(z)->get_method != NULL) { + if (IS_TMP_VAR == IS_TMP_VAR) { + INIT_PZVAL(z); + } + if (zend_std_cast_object_tostring(z, &z_copy, IS_STRING TSRMLS_CC) == SUCCESS) { + zend_print_variable(&z_copy); + zval_dtor(&z_copy); + } else { + zend_print_variable(z); + } } else { zend_print_variable(z); } @@ -7870,10 +7882,16 @@ zval *z = _get_zval_ptr_var(&opline->op1, EX(Ts), &free_op1 TSRMLS_CC); if (IS_VAR != IS_CONST && - Z_TYPE_P(z) == IS_OBJECT && Z_OBJ_HT_P(z)->get_method != NULL && - zend_std_cast_object_tostring(z, &z_copy, IS_STRING TSRMLS_CC) == SUCCESS) { - zend_print_variable(&z_copy); - zval_dtor(&z_copy); + Z_TYPE_P(z) == IS_OBJECT && Z_OBJ_HT_P(z)->get_method != NULL) { + if (IS_VAR == IS_TMP_VAR) { + INIT_PZVAL(z); + } + if (zend_std_cast_object_tostring(z, &z_copy, IS_STRING TSRMLS_CC) == SUCCESS) { + zend_print_variable(&z_copy); + zval_dtor(&z_copy); + } else { + zend_print_variable(z); + } } else { zend_print_variable(z); } 
@@ -21767,10 +21785,16 @@ zval *z = _get_zval_ptr_cv(&opline->op1, EX(Ts), BP_VAR_R TSRMLS_CC); if (IS_CV != IS_CONST && - Z_TYPE_P(z) == IS_OBJECT && Z_OBJ_HT_P(z)->get_method != NULL && - zend_std_cast_object_tostring(z, &z_copy, IS_STRING TSRMLS_CC) == SUCCESS) { - zend_print_variable(&z_copy); - zval_dtor(&z_copy); + Z_TYPE_P(z) == IS_OBJECT && Z_OBJ_HT_P(z)->get_method != NULL) { + if (IS_CV == IS_TMP_VAR) { + INIT_PZVAL(z); + } + if (zend_std_cast_object_tostring(z, &z_copy, IS_STRING TSRMLS_CC) == SUCCESS) { + zend_print_variable(&z_copy); + zval_dtor(&z_copy); + } else { + zend_print_variable(z); + } } else { zend_print_variable(z); } Added: php/php-src/branches/PHP_5_4/Zend/tests/bug54305.phpt =================================================================== --- php/php-src/branches/PHP_5_4/Zend/tests/bug54305.phpt (rev 0) +++ php/php-src/branches/PHP_5_4/Zend/tests/bug54305.phpt 2011-07-11 10:31:49 UTC (rev 313129) @@ -0,0 +1,22 @@ +--TEST-- +Bug #54305 (Crash in gc_remove_zval_from_buffer) +--FILE-- +<?php +class TestClass { + public function methodWithArgs($a, $b) { + } +} +abstract class AbstractClass { +} +$methodWithArgs = new ReflectionMethod('TestClass', 'methodWithArgs'); +echo $methodWithArgs++; +?> +--EXPECTF-- +Method [ <user> public method methodWithArgs ] { + @@ %sbug54305.php %d - %d + + - Parameters [2] { + Parameter #0 [ <required> $a ] + Parameter #1 [ <required> $b ] + } +} Modified: php/php-src/branches/PHP_5_4/Zend/zend_vm_def.h =================================================================== --- php/php-src/branches/PHP_5_4/Zend/zend_vm_def.h 2011-07-11 10:29:44 UTC (rev 313128) +++ php/php-src/branches/PHP_5_4/Zend/zend_vm_def.h 2011-07-11 10:31:49 UTC (rev 313129) 
@@ -982,10 +982,16 @@ if (OP1_TYPE != IS_CONST && UNEXPECTED(Z_TYPE_P(z) == IS_OBJECT) && - Z_OBJ_HT_P(z)->get_method != NULL && - zend_std_cast_object_tostring(z, &z_copy, IS_STRING TSRMLS_CC) == SUCCESS) { - zend_print_variable(&z_copy); - zval_dtor(&z_copy); + Z_OBJ_HT_P(z)->get_method != NULL) { + if (OP1_TYPE == IS_TMP_VAR) { + INIT_PZVAL(z); + } + if (zend_std_cast_object_tostring(z, &z_copy, IS_STRING TSRMLS_CC) == SUCCESS) { + zend_print_variable(&z_copy); + zval_dtor(&z_copy); + } else { + zend_print_variable(z); + } } else { zend_print_variable(z); } Modified: php/php-src/branches/PHP_5_4/Zend/zend_vm_execute.h =================================================================== --- php/php-src/branches/PHP_5_4/Zend/zend_vm_execute.h 2011-07-11 10:29:44 UTC (rev 313128) +++ php/php-src/branches/PHP_5_4/Zend/zend_vm_execute.h 2011-07-11 10:31:49 UTC (rev 313129) @@ -2012,10 +2012,16 @@ if (IS_CONST != IS_CONST && UNEXPECTED(Z_TYPE_P(z) == IS_OBJECT) && - Z_OBJ_HT_P(z)->get_method != NULL && - zend_std_cast_object_tostring(z, &z_copy, IS_STRING TSRMLS_CC) == SUCCESS) { - zend_print_variable(&z_copy); - zval_dtor(&z_copy); + Z_OBJ_HT_P(z)->get_method != NULL) { + if (IS_CONST == IS_TMP_VAR) { + INIT_PZVAL(z); + } + if (zend_std_cast_object_tostring(z, &z_copy, IS_STRING TSRMLS_CC) == SUCCESS) { + zend_print_variable(&z_copy); + zval_dtor(&z_copy); + } else { + zend_print_variable(z); + } } else { zend_print_variable(z); } 
@@ -6278,10 +6284,16 @@ if (IS_TMP_VAR != IS_CONST && UNEXPECTED(Z_TYPE_P(z) == IS_OBJECT) && - Z_OBJ_HT_P(z)->get_method != NULL && - zend_std_cast_object_tostring(z, &z_copy, IS_STRING TSRMLS_CC) == SUCCESS) { - zend_print_variable(&z_copy); - zval_dtor(&z_copy); + Z_OBJ_HT_P(z)->get_method != NULL) { + if (IS_TMP_VAR == IS_TMP_VAR) { + INIT_PZVAL(z); + } + if (zend_std_cast_object_tostring(z, &z_copy, IS_STRING TSRMLS_CC) == SUCCESS) { + zend_print_variable(&z_copy); + zval_dtor(&z_copy); + } else { + zend_print_variable(z); + } } else { zend_print_variable(z); } @@ -10455,10 +10467,16 @@ if (IS_VAR != IS_CONST && UNEXPECTED(Z_TYPE_P(z) == IS_OBJECT) && - Z_OBJ_HT_P(z)->get_method != NULL && - zend_std_cast_object_tostring(z, &z_copy, IS_STRING TSRMLS_CC) == SUCCESS) { - zend_print_variable(&z_copy); - zval_dtor(&z_copy); + Z_OBJ_HT_P(z)->get_method != NULL) { + if (IS_VAR == IS_TMP_VAR) { + INIT_PZVAL(z); + } + if (zend_std_cast_object_tostring(z, &z_copy, IS_STRING TSRMLS_CC) == SUCCESS) { + zend_print_variable(&z_copy); + zval_dtor(&z_copy); + } else { + zend_print_variable(z); + } } else { zend_print_variable(z); } @@ -26192,10 +26210,16 @@ if (IS_CV != IS_CONST && UNEXPECTED(Z_TYPE_P(z) == IS_OBJECT) && - Z_OBJ_HT_P(z)->get_method != NULL && - zend_std_cast_object_tostring(z, &z_copy, IS_STRING TSRMLS_CC) == SUCCESS) { - zend_print_variable(&z_copy); - zval_dtor(&z_copy); + Z_OBJ_HT_P(z)->get_method != NULL) { + if (IS_CV == IS_TMP_VAR) { + INIT_PZVAL(z); + } + if (zend_std_cast_object_tostring(z, &z_copy, IS_STRING TSRMLS_CC) == SUCCESS) { + zend_print_variable(&z_copy); + zval_dtor(&z_copy); + } else { + zend_print_variable(z); + } } else { zend_print_variable(z); } Added: php/php-src/trunk/Zend/tests/bug54305.phpt =================================================================== --- php/php-src/trunk/Zend/tests/bug54305.phpt (rev 0) +++ php/php-src/trunk/Zend/tests/bug54305.phpt 2011-07-11 10:31:49 UTC (rev 313129) 
@@ -0,0 +1,22 @@ +--TEST-- +Bug #54305 (Crash in gc_remove_zval_from_buffer) +--FILE-- +<?php +class TestClass { + public function methodWithArgs($a, $b) { + } +} +abstract class AbstractClass { +} +$methodWithArgs = new ReflectionMethod('TestClass', 'methodWithArgs'); +echo $methodWithArgs++; +?> +--EXPECTF-- +Method [ <user> public method methodWithArgs ] { + @@ %sbug54305.php %d - %d + + - Parameters [2] { + Parameter #0 [ <required> $a ] + Parameter #1 [ <required> $b ] + } +} Modified: php/php-src/trunk/Zend/zend_vm_def.h =================================================================== --- php/php-src/trunk/Zend/zend_vm_def.h 2011-07-11 10:29:44 UTC (rev 313128) +++ php/php-src/trunk/Zend/zend_vm_def.h 2011-07-11 10:31:49 UTC (rev 313129) @@ -982,10 +982,16 @@ if (OP1_TYPE != IS_CONST && UNEXPECTED(Z_TYPE_P(z) == IS_OBJECT) && - Z_OBJ_HT_P(z)->get_method != NULL && - zend_std_cast_object_tostring(z, &z_copy, IS_STRING TSRMLS_CC) == SUCCESS) { - zend_print_variable(&z_copy); - zval_dtor(&z_copy); + Z_OBJ_HT_P(z)->get_method != NULL) { + if (OP1_TYPE == IS_TMP_VAR) { + INIT_PZVAL(z); + } + if (zend_std_cast_object_tostring(z, &z_copy, IS_STRING TSRMLS_CC) == SUCCESS) { + zend_print_variable(&z_copy); + zval_dtor(&z_copy); + } else { + zend_print_variable(z); + } } else { zend_print_variable(z); } Modified: php/php-src/trunk/Zend/zend_vm_execute.h =================================================================== --- php/php-src/trunk/Zend/zend_vm_execute.h 2011-07-11 10:29:44 UTC (rev 313128) +++ php/php-src/trunk/Zend/zend_vm_execute.h 2011-07-11 10:31:49 UTC (rev 313129) 
@@ -2012,10 +2012,16 @@ if (IS_CONST != IS_CONST && UNEXPECTED(Z_TYPE_P(z) == IS_OBJECT) && - Z_OBJ_HT_P(z)->get_method != NULL && - zend_std_cast_object_tostring(z, &z_copy, IS_STRING TSRMLS_CC) == SUCCESS) { - zend_print_variable(&z_copy); - zval_dtor(&z_copy); + Z_OBJ_HT_P(z)->get_method != NULL) { + if (IS_CONST == IS_TMP_VAR) { + INIT_PZVAL(z); + } + if (zend_std_cast_object_tostring(z, &z_copy, IS_STRING TSRMLS_CC) == SUCCESS) { + zend_print_variable(&z_copy); + zval_dtor(&z_copy); + } else { + zend_print_variable(z); + } } else { zend_print_variable(z); } @@ -6278,10 +6284,16 @@ if (IS_TMP_VAR != IS_CONST && UNEXPECTED(Z_TYPE_P(z) == IS_OBJECT) && - Z_OBJ_HT_P(z)->get_method != NULL && - zend_std_cast_object_tostring(z, &z_copy, IS_STRING TSRMLS_CC) == SUCCESS) { - zend_print_variable(&z_copy); - zval_dtor(&z_copy); + Z_OBJ_HT_P(z)->get_method != NULL) { + if (IS_TMP_VAR == IS_TMP_VAR) { + INIT_PZVAL(z); + } + if (zend_std_cast_object_tostring(z, &z_copy, IS_STRING TSRMLS_CC) == SUCCESS) { + zend_print_variable(&z_copy); + zval_dtor(&z_copy); + } else { + zend_print_variable(z); + } } else { zend_print_variable(z); } @@ -10455,10 +10467,16 @@ if (IS_VAR != IS_CONST && UNEXPECTED(Z_TYPE_P(z) == IS_OBJECT) && - Z_OBJ_HT_P(z)->get_method != NULL && - zend_std_cast_object_tostring(z, &z_copy, IS_STRING TSRMLS_CC) == SUCCESS) { - zend_print_variable(&z_copy); - zval_dtor(&z_copy); + Z_OBJ_HT_P(z)->get_method != NULL) { + if (IS_VAR == IS_TMP_VAR) { + INIT_PZVAL(z); + } + if (zend_std_cast_object_tostring(z, &z_copy, IS_STRING TSRMLS_CC) == SUCCESS) { + zend_print_variable(&z_copy); + zval_dtor(&z_copy); + } else { + zend_print_variable(z); + } } else { zend_print_variable(z); } 
@@ -26192,10 +26210,16 @@ if (IS_CV != IS_CONST && UNEXPECTED(Z_TYPE_P(z) == IS_OBJECT) && - Z_OBJ_HT_P(z)->get_method != NULL && - zend_std_cast_object_tostring(z, &z_copy, IS_STRING TSRMLS_CC) == SUCCESS) { - zend_print_variable(&z_copy); - zval_dtor(&z_copy); + Z_OBJ_HT_P(z)->get_method != NULL) { + if (IS_CV == IS_TMP_VAR) { + INIT_PZVAL(z); + } + if (zend_std_cast_object_tostring(z, &z_copy, IS_STRING TSRMLS_CC) == SUCCESS) { + zend_print_variable(&z_copy); + zval_dtor(&z_copy); + } else { + zend_print_variable(z); + } } else { zend_print_variable(z); }