On 02/27/2012 12:37 PM, Laruence wrote:
On Mon, Feb 27, 2012 at 4:31 PM, Laruence<larue...@php.net> wrote:
On Mon, Feb 27, 2012 at 4:00 PM, Dmitry Stogov<dmi...@zend.com> wrote:
Hi Laruence,
The attached patch looks wired. The patch on top of it (r323563) makes it
better. However, in my opinion it fixes a common problem just in a single
place. Each call to __toString() that makes "side effects" may cause the
similar problem. It would be great to make a "right" fix in
zend_std_cast_object_tostring() itself, but probably it would require API
Hi:
before this fix, I thought about the same idea of that.
but, you know, such change will need all exts who implmented
their own cast_object handler change there codes too.
for now, I exam the usage of std_cast_object_tostring, most of
them do the similar things like this fix to avoid this issues(like
ZEND_CAST handler).
so I think, maybe it's okey for a temporary fix :)
what I mean temporary is, apply this fix to 5.3 and 5.4
then do the "right" fix which you said to 5.4.1 :)
we won't be able to change API in 5.4.1, so it's for 5.5.
Thanks. Dmitry.
thanks
thanks
change (e.g. sending zval** instead of zval*). So it could be fixed properly
only in trunk.
Thanks. Dmitry.
On 02/25/2012 08:41 AM, Laruence wrote:
Dmitry:
you might want to review this fix.
let me explain why crash before this fix.
when doing parse_parameter, then convert the object to string by
calling the ce->cast_object,
and passed the same pointer(although there was a separation), to
the cast_object..
then if __toString method stash $this somewhere, after the
parameters clean up, the $this pointer will be impending..
then in the next loop, the return_value will happen used the same
adress,,
then balalala, cause the segfault..
sorry for my poor english, and hope I have made myself clearly,
if there is any question , plz write me.
thanks
On Sat, Feb 25, 2012 at 12:36 PM, Xinchen Hui<larue...@php.net> wrote:
laruence Sat, 25 Feb 2012 04:36:08 +0000
Revision: http://svn.php.net/viewvc?view=revision&revision=323489
Log:
Fixed bug #61165 (Segfault - strip_tags())
Bug: https://bugs.php.net/61165 (Assigned) Segfault - strip_tags()
Changed paths:
U php/php-src/branches/PHP_5_3/NEWS
U php/php-src/branches/PHP_5_3/Zend/zend_API.c
U php/php-src/trunk/NEWS
U php/php-src/trunk/Zend/zend_API.c
Modified: php/php-src/branches/PHP_5_3/NEWS
===================================================================
--- php/php-src/branches/PHP_5_3/NEWS 2012-02-25 03:19:27 UTC (rev
323488)
+++ php/php-src/branches/PHP_5_3/NEWS 2012-02-25 04:36:08 UTC (rev
323489)
@@ -3,6 +3,7 @@
?? ??? 2012, PHP 5.3.11
- Core:
+ . Fixed bug #61165 (Segfault - strip_tags()). (Laruence)
. Improved max_input_vars directive to check nested variables (Dmitry).
. Fixed bug #61095 (Incorect lexing of 0x00*+<NUM>). (Etienne)
. Fixed bug #61072 (Memory leak when restoring an exception handler).
Modified: php/php-src/branches/PHP_5_3/Zend/zend_API.c
===================================================================
--- php/php-src/branches/PHP_5_3/Zend/zend_API.c 2012-02-25
03:19:27 UTC (rev 323488)
+++ php/php-src/branches/PHP_5_3/Zend/zend_API.c 2012-02-25
04:36:08 UTC (rev 323489)
@@ -254,10 +254,15 @@
static int parse_arg_object_to_string(zval **arg TSRMLS_DC) /* {{{ */
{
if (Z_OBJ_HANDLER_PP(arg, cast_object)) {
- SEPARATE_ZVAL_IF_NOT_REF(arg);
- if (Z_OBJ_HANDLER_PP(arg, cast_object)(*arg, *arg,
IS_STRING TSRMLS_CC) == SUCCESS) {
+ zval *obj;
+ ALLOC_ZVAL(obj);
+ MAKE_COPY_ZVAL(arg, obj);
+ if (Z_OBJ_HANDLER_P(*arg, cast_object)(*arg, obj,
IS_STRING TSRMLS_CC) == SUCCESS) {
+ zval_ptr_dtor(arg);
+ *arg = obj;
return SUCCESS;
}
+ zval_ptr_dtor(&obj);
}
/* Standard PHP objects */
if (Z_OBJ_HT_PP(arg) ==&std_object_handlers ||
!Z_OBJ_HANDLER_PP(arg, cast_object)) {
Modified: php/php-src/trunk/NEWS
===================================================================
--- php/php-src/trunk/NEWS 2012-02-25 03:19:27 UTC (rev 323488)
+++ php/php-src/trunk/NEWS 2012-02-25 04:36:08 UTC (rev 323489)
@@ -6,6 +6,7 @@
. World domination
- Core:
+ . Fixed bug #61165 (Segfault - strip_tags()). (Laruence)
. Fixed bug #61072 (Memory leak when restoring an exception handler).
(Nikic, Laruence)
. Fixed bug #61000 (Exceeding max nesting level doesn't delete
numerical
Modified: php/php-src/trunk/Zend/zend_API.c
===================================================================
--- php/php-src/trunk/Zend/zend_API.c 2012-02-25 03:19:27 UTC (rev
323488)
+++ php/php-src/trunk/Zend/zend_API.c 2012-02-25 04:36:08 UTC (rev
323489)
@@ -262,12 +262,17 @@
static int parse_arg_object_to_string(zval **arg, char **p, int *pl, int
type TSRMLS_DC) /* {{{ */
{
if (Z_OBJ_HANDLER_PP(arg, cast_object)) {
- SEPARATE_ZVAL_IF_NOT_REF(arg);
- if (Z_OBJ_HANDLER_PP(arg, cast_object)(*arg, *arg, type
TSRMLS_CC) == SUCCESS) {
+ zval *obj;
+ ALLOC_ZVAL(obj);
+ MAKE_COPY_ZVAL(arg, obj);
+ if (Z_OBJ_HANDLER_P(*arg, cast_object)(*arg, obj, type
TSRMLS_CC) == SUCCESS) {
+ zval_ptr_dtor(arg);
+ *arg = obj;
*pl = Z_STRLEN_PP(arg);
*p = Z_STRVAL_PP(arg);
return SUCCESS;
}
+ zval_ptr_dtor(&obj);
}
/* Standard PHP objects */
if (Z_OBJ_HT_PP(arg) ==&std_object_handlers ||
!Z_OBJ_HANDLER_PP(arg, cast_object)) {
--
PHP CVS Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
--
Laruence Xinchen Hui
http://www.laruence.com/
--
PHP CVS Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
