Re: [PHP-CVS] com php-src: Fixed bug #62477 LimitIterator int overflow: ext/spl/spl_iterators.c ext/spl/spl_iterators.h ext/spl/tests/bug62477_1.phpt ext/spl/tests/bug62477_2.phpt
Hi guys,
as it stands the ticket, the user has implemented an iterator which easily
accepts floats for seek and other iterator methods. Normal iterator can
only work with integers as all the storage for positions is long or int.
As result a statement like this
new LimitIterator(new ArrayIterator(array(42)), 1000);
will just convert that big float to some integer, so the original iterator
wouldn't work properly.
This is of course not the case with iterators implemented internally in
SPL as they only work with long (ulong for instance with the
ArrayIterator). But any user space iterators might break this. Just like
in the ticket the iterator itself works as expected and gives
100
101
102
Where passing it to the LimitIterator gives back
1410065408
1410065409
1410065410
Also please consider the fact that the documentation states both start and
offset params of the LimitIterator as int.
I'm on the way to revert this, but the issue stays. May be the patch
should be just extended to check if it's a numeric string and try to
convert it. The same for a float - check if it overflows the integer
range.
Or how would you solve this?
Regards
Anatoliy
Am Mi, 11.07.2012, 23:25 schrieb Nikita Popov:
Hi Anatoliy!
I'm not sure that this change is right. As it is now one could no
longer pass in 123 (as a string) or 123.0 (as a float) as
limit/offset. This goes against usual PHP semantics.
Also I'm not exactly sure what the problem was in the first place.
Nikita
On Wed, Jul 11, 2012 at 10:25 PM, Anatoliy Belsky a...@php.net wrote:
Commit:b383ddf1e5175abf1d000e887961fdcebae646a0
Author:Anatoliy Belsky a...@php.net Wed, 11 Jul 2012
22:25:31 +0200
Parents: bcf5853eaa8b8be793d4a1bd325eaea68cfe57bb
Branches: PHP-5.3 PHP-5.4 master
Link:
http://git.php.net/?p=php-src.git;a=commitdiff;h=b383ddf1e5175abf1d000e887961fdcebae646a0
Log:
Fixed bug #62477 LimitIterator int overflow
Bugs:
https://bugs.php.net/62477
Changed paths:
M ext/spl/spl_iterators.c
M ext/spl/spl_iterators.h
A ext/spl/tests/bug62477_1.phpt
A ext/spl/tests/bug62477_2.phpt
Diff:
diff --git a/ext/spl/spl_iterators.c b/ext/spl/spl_iterators.c
index eecd483..1cbb2e4 100755
--- a/ext/spl/spl_iterators.c
+++ b/ext/spl/spl_iterators.c
@@ -1380,12 +1380,31 @@ static spl_dual_it_object*
spl_dual_it_construct(INTERNAL_FUNCTION_PARAMETERS, z
intern-dit_type = dit_type;
switch (dit_type) {
case DIT_LimitIterator: {
+ zval *tmp_offset, *tmp_count;
intern-u.limit.offset = 0; /* start at
beginning */
intern-u.limit.count = -1; /* get all */
- if (zend_parse_parameters(ZEND_NUM_ARGS()
TSRMLS_CC, O|ll, zobject, ce_inner, intern-u.limit.offset,
intern-u.limit.count) == FAILURE) {
+ if (zend_parse_parameters(ZEND_NUM_ARGS()
TSRMLS_CC, O|zz, zobject, ce_inner, tmp_offset, tmp_count) ==
FAILURE) {
zend_restore_error_handling(error_handling
TSRMLS_CC);
return NULL;
}
+ if (tmp_offset Z_TYPE_P(tmp_offset) !=
IS_NULL) {
+ if (Z_TYPE_P(tmp_offset) != IS_LONG) {
+
zend_throw_exception(spl_ce_OutOfRangeException, offset param must be
of type int, 0 TSRMLS_CC);
+
zend_restore_error_handling(error_handling TSRMLS_CC);
+ return NULL;
+ } else {
+ intern-u.limit.offset =
Z_LVAL_P(tmp_offset);
+ }
+ }
+ if (tmp_count Z_TYPE_P(tmp_count) != IS_NULL)
{
+ if (Z_TYPE_P(tmp_count) != IS_LONG) {
+
zend_throw_exception(spl_ce_OutOfRangeException, count param must be of
type int, 0 TSRMLS_CC);
+
zend_restore_error_handling(error_handling TSRMLS_CC);
+ return NULL;
+ } else {
+ intern-u.limit.count =
Z_LVAL_P(tmp_count);
+ }
+ }
if (intern-u.limit.offset 0) {
zend_throw_exception(spl_ce_OutOfRangeException,
Parameter offset must be = 0, 0
TSRMLS_CC);
zend_restore_error_handling(error_handling
TSRMLS_CC);
diff --git a/ext/spl/spl_iterators.h b/ext/spl/spl_iterators.h
index 525a25c..9494b26 100755
--- a/ext/spl/spl_iterators.h
+++ b/ext/spl/spl_iterators.h
@@ -128,7 +128,7 @@ typedef struct _spl_dual_it_object {
uint str_key_len;
ulongint_key;
int key_type; /* HASH_KEY_IS_STRING or
HASH_KEY_IS_LONG */
[PHP-CVS] com php-src: reverted changes for #62477: NEWS ext/spl/spl_iterators.c ext/spl/spl_iterators.h ext/spl/tests/bug62477_1.phpt ext/spl/tests/bug62477_2.phpt
Commit:ad7eeba3c1a4c77f439afc936fbf50b811a46a6b
Author:Anatoliy Belsky a...@php.net Thu, 12 Jul 2012 10:54:14
+0200
Parents: 896d0fcd41df13fc852417de222aac2482d2704b
Branches: PHP-5.3 PHP-5.4 master
Link:
http://git.php.net/?p=php-src.git;a=commitdiff;h=ad7eeba3c1a4c77f439afc936fbf50b811a46a6b
Log:
reverted changes for #62477
Bugs:
https://bugs.php.net/62477
Changed paths:
M NEWS
M ext/spl/spl_iterators.c
M ext/spl/spl_iterators.h
D ext/spl/tests/bug62477_1.phpt
D ext/spl/tests/bug62477_2.phpt
Diff:
diff --git a/NEWS b/NEWS
index 2f60c43..902185c 100644
--- a/NEWS
+++ b/NEWS
@@ -204,7 +204,6 @@ PHP
NEWS
having had its dtor callback called in between). (Gustavo)
. Fixed bug #61347 (inconsistent isset behavior of Arrayobject). (Laruence)
. Fixed bug #61326 (ArrayObject comparison). (Gustavo)
- . Fixed bug #62477 LimitIterator int overflow. (Anatoliy)
- SQLite3 extension:
. Add createCollation() method. (Brad Dewar)
diff --git a/ext/spl/spl_iterators.c b/ext/spl/spl_iterators.c
index 1cbb2e4..eecd483 100755
--- a/ext/spl/spl_iterators.c
+++ b/ext/spl/spl_iterators.c
@@ -1380,31 +1380,12 @@ static spl_dual_it_object*
spl_dual_it_construct(INTERNAL_FUNCTION_PARAMETERS, z
intern-dit_type = dit_type;
switch (dit_type) {
case DIT_LimitIterator: {
- zval *tmp_offset, *tmp_count;
intern-u.limit.offset = 0; /* start at beginning */
intern-u.limit.count = -1; /* get all */
- if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC,
O|zz, zobject, ce_inner, tmp_offset, tmp_count) == FAILURE) {
+ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC,
O|ll, zobject, ce_inner, intern-u.limit.offset, intern-u.limit.count) ==
FAILURE) {
zend_restore_error_handling(error_handling
TSRMLS_CC);
return NULL;
}
- if (tmp_offset Z_TYPE_P(tmp_offset) != IS_NULL) {
- if (Z_TYPE_P(tmp_offset) != IS_LONG) {
-
zend_throw_exception(spl_ce_OutOfRangeException, offset param must be of type
int, 0 TSRMLS_CC);
-
zend_restore_error_handling(error_handling TSRMLS_CC);
- return NULL;
- } else {
- intern-u.limit.offset =
Z_LVAL_P(tmp_offset);
- }
- }
- if (tmp_count Z_TYPE_P(tmp_count) != IS_NULL) {
- if (Z_TYPE_P(tmp_count) != IS_LONG) {
-
zend_throw_exception(spl_ce_OutOfRangeException, count param must be of type
int, 0 TSRMLS_CC);
-
zend_restore_error_handling(error_handling TSRMLS_CC);
- return NULL;
- } else {
- intern-u.limit.count =
Z_LVAL_P(tmp_count);
- }
- }
if (intern-u.limit.offset 0) {
zend_throw_exception(spl_ce_OutOfRangeException, Parameter offset must be =
0, 0 TSRMLS_CC);
zend_restore_error_handling(error_handling
TSRMLS_CC);
diff --git a/ext/spl/spl_iterators.h b/ext/spl/spl_iterators.h
index 9494b26..525a25c 100755
--- a/ext/spl/spl_iterators.h
+++ b/ext/spl/spl_iterators.h
@@ -128,7 +128,7 @@ typedef struct _spl_dual_it_object {
uint str_key_len;
ulongint_key;
int key_type; /* HASH_KEY_IS_STRING or
HASH_KEY_IS_LONG */
- long pos;
+ int pos;
} current;
dual_it_type dit_type;
union {
diff --git a/ext/spl/tests/bug62477_1.phpt b/ext/spl/tests/bug62477_1.phpt
deleted file mode 100644
index 1b768a7..000
--- a/ext/spl/tests/bug62477_1.phpt
+++ /dev/null
@@ -1,12 +0,0 @@
---TEST--
-Bug #62477 LimitIterator int overflow when float is passed (1)
---FILE--
-?php
-
-$it = new LimitIterator(new ArrayIterator(array(42)), 1000);
---EXPECTF--
-Fatal error: Uncaught exception 'OutOfRangeException' with message 'offset
param must be of type int' in %sbug62477_1.php:%d
-Stack trace:
-#0 %sbug62477_1.php(%d): LimitIterator-__construct(Object(ArrayIterator), %f)
-#1 {main}
- thrown in %sbug62477_1.php on line %d
diff --git a/ext/spl/tests/bug62477_2.phpt b/ext/spl/tests/bug62477_2.phpt
deleted file mode 100644
index aa3468a..000
--- a/ext/spl/tests/bug62477_2.phpt
+++ /dev/null
@@ -1,12 +0,0 @@
[PHP-CVS] com php-src: reverted news about #62477: NEWS
Commit:ec7e479562506842766fcf2bc47f417e9da44813 Author:Anatoliy Belsky a...@php.net Thu, 12 Jul 2012 10:57:56 +0200 Parents: 86428169d3c8d7d9a3dfd4e27fb48cf1314102dc Branches: PHP-5.4 master Link: http://git.php.net/?p=php-src.git;a=commitdiff;h=ec7e479562506842766fcf2bc47f417e9da44813 Log: reverted news about #62477 Bugs: https://bugs.php.net/62477 Changed paths: M NEWS Diff: diff --git a/NEWS b/NEWS index 3281663..3d91e50 100644 --- a/NEWS +++ b/NEWS @@ -92,7 +92,6 @@ PHP NEWS dot files). (Laruence) . Fixed bug #62262 (RecursiveArrayIterator does not implement Countable). (Nikita Popov) - . Fixed bug #62477 LimitIterator int overflow. (Anatoliy) - XML Writer: . Fixed bug #62064 (memory leak in the XML Writer module). -- PHP CVS Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP-CVS] com php-src: Merge branch 'PHP-5.3' into PHP-5.4: ext/spl/spl_iterators.c ext/spl/spl_iterators.h
Commit:86428169d3c8d7d9a3dfd4e27fb48cf1314102dc Author:Anatoliy Belsky a...@php.net Thu, 12 Jul 2012 10:57:26 +0200 Parents: be8f089a13ef5e023ec27f14de8bc2453c75bb54 ad7eeba3c1a4c77f439afc936fbf50b811a46a6b Branches: PHP-5.4 master Link: http://git.php.net/?p=php-src.git;a=commitdiff;h=86428169d3c8d7d9a3dfd4e27fb48cf1314102dc Log: Merge branch 'PHP-5.3' into PHP-5.4 * PHP-5.3: reverted changes for #62477 Bugs: https://bugs.php.net/62477 Changed paths: MM ext/spl/spl_iterators.c MM ext/spl/spl_iterators.h Diff: -- PHP CVS Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP-CVS] com php-src: Merge branch 'PHP-5.4': ext/spl/spl_iterators.c
Commit:ed1f5b4dae81316ad53cee5c8cfa7e7f7746ad46 Author:Anatoliy Belsky a...@php.net Thu, 12 Jul 2012 11:02:33 +0200 Parents: 7bd3d0bf8c130bb6478312a303fa309a31dcb3d1 ec7e479562506842766fcf2bc47f417e9da44813 Branches: master Link: http://git.php.net/?p=php-src.git;a=commitdiff;h=ed1f5b4dae81316ad53cee5c8cfa7e7f7746ad46 Log: Merge branch 'PHP-5.4' * PHP-5.4: reverted news about #62477 reverted changes for #62477 Conflicts: NEWS Bugs: https://bugs.php.net/62477 Changed paths: MM ext/spl/spl_iterators.c Diff: -- PHP CVS Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP-CVS] com php-src: fixed the test for warnings changed: ext/fileinfo/tests/finfo_open_error-win32.phpt
Commit:cf91b163e1c16cfc0f6e4cd2b3ec78d82bc3ba1c Author:Anatoliy Belsky a...@php.net Thu, 12 Jul 2012 18:24:38 +0200 Parents: ec7e479562506842766fcf2bc47f417e9da44813 Branches: PHP-5.4 master Link: http://git.php.net/?p=php-src.git;a=commitdiff;h=cf91b163e1c16cfc0f6e4cd2b3ec78d82bc3ba1c Log: fixed the test for warnings changed Changed paths: M ext/fileinfo/tests/finfo_open_error-win32.phpt Diff: diff --git a/ext/fileinfo/tests/finfo_open_error-win32.phpt b/ext/fileinfo/tests/finfo_open_error-win32.phpt index e168b7f..0260ca5 100644 --- a/ext/fileinfo/tests/finfo_open_error-win32.phpt +++ b/ext/fileinfo/tests/finfo_open_error-win32.phpt @@ -43,13 +43,7 @@ bool(false) Warning: finfo_open() expects at most 2 parameters, 3 given in %sfinfo_open_error-win32.php on line %d bool(false) - -Warning: finfo_open(%smagic): failed to open stream: No such file or directory in %sfinfo_open_error-win32.php on line %d - -Warning: finfo_open(%smagic): failed to open stream: No such file or directory in %sfinfo_open_error-win32.php on line %d - -Warning: finfo_open(): Failed to load magic database at '%smagic'. in %sfinfo_open_error-win32.php on line %d -bool(false) +resource(6) of type (file_info) Warning: finfo_open() expects parameter 1 to be long, string given in %sfinfo_open_error-win32.php on line %d bool(false) -- PHP CVS Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
