Merge branch 'PHP-5.5' of https://git.php.net/repository/php-src into PHP-5.5

cjbj · cjbj · commit c8b0da6ef741 · 2013-08-30T05:40:30.000-07:00
* 'PHP-5.5' of https://git.php.net/repository/php-src: Fixed bug #65564 stack-buffer-overflow in DateTimeZone stuff caught by AddressSanitizer Fixed Bug #65564 stack-buffer-overflow in DateTimeZone stuff caught by AddressSanitizer Update NEWS Fixed bug #60598 (cli/apache sapi segfault on objects manipulation)
diff --git a/NEWS b/NEWS
@@ -3,6 +3,8 @@ PHP                                                                        NEWS
 ?? ??? 2013, PHP 5.5.4
 
 - Core:
+  . Fixed bug #60598 (cli/apache sapi segfault on objects manipulation).
+    (Laruence)
   . Improved fputcsv() to allow specifying escape character.
   . Fixed bug #65490 (Duplicate calls to get lineno & filename for 
     DTRACE_FUNCTION_*). (Chris Jones)
@@ -23,6 +25,8 @@ PHP                                                                        NEWS
 - Datetime:
   . Fixed bug #65554 (createFromFormat broken when weekday name is followed
     by some delimiters). (Valentin Logvinskiy, Stas).
+  . Fixed bug #65564 (stack-buffer-overflow in DateTimeZone stuff caught
+    by AddressSanitizer). (Remi).
 
 - OPCache:
   . Fixed bug #65561 (Zend Opcache on Solaris 11 x86 needs ZEND_MM_ALIGNMENT=4).
diff --git a/Zend/tests/bug60598.phpt b/Zend/tests/bug60598.phpt
@@ -0,0 +1,30 @@
+--TEST--
+Bug #60598 (cli/apache sapi segfault on objects manipulation)
+--FILE--
+<?php
+define('OBJECT_COUNT', 10000);
+
+$containers = array();
+
+class Object {
+    protected $_guid = 0;
+    public function __construct() {
+		global $containers;
+		$this->guid = 1;
+        $containers[spl_object_hash($this)] = $this;
+    }
+    public function __destruct() {
+		global $containers;
+        $containers[spl_object_hash($this)] = NULL;
+    }
+}
+
+for ($i = 0; $i < OBJECT_COUNT; ++$i) {
+    new Object();
+}
+
+// You probably won't see this because of the "zend_mm_heap corrupted"
+?>
+If you see this, try to increase OBJECT_COUNT to 100,000
+--EXPECT--
+If you see this, try to increase OBJECT_COUNT to 100,000
diff --git a/Zend/zend_objects_API.c b/Zend/zend_objects_API.c
@@ -57,6 +57,11 @@ ZEND_API void zend_objects_store_call_destructors(zend_objects_store *objects TS
 					obj->dtor(obj->object, i TSRMLS_CC);
 					obj = &objects->object_buckets[i].bucket.obj;
 					obj->refcount--;
+
+					if (obj->refcount == 0) {
+						/* in case gc_collect_cycle is triggered before free_storage */
+						GC_REMOVE_ZOBJ_FROM_BUFFER(obj);
+					}
 				}
 			}
 		}
diff --git a/ext/date/php_date.c b/ext/date/php_date.c
@@ -2198,13 +2198,13 @@ static HashTable *date_object_get_properties(zval *object TSRMLS_DC)
 	/* first we add the date and time in ISO format */
 	MAKE_STD_ZVAL(zv);
 	ZVAL_STRING(zv, date_format("Y-m-d H:i:s", 12, dateobj->time, 1), 0);
-	zend_hash_update(props, "date", 5, &zv, sizeof(zval), NULL);
+	zend_hash_update(props, "date", 5, &zv, sizeof(zv), NULL);
 
 	/* then we add the timezone name (or similar) */
 	if (dateobj->time->is_localtime) {
 		MAKE_STD_ZVAL(zv);
 		ZVAL_LONG(zv, dateobj->time->zone_type);
-		zend_hash_update(props, "timezone_type", 14, &zv, sizeof(zval), NULL);
+		zend_hash_update(props, "timezone_type", 14, &zv, sizeof(zv), NULL);
 
 		MAKE_STD_ZVAL(zv);
 		switch (dateobj->time->zone_type) {
@@ -2227,7 +2227,7 @@ static HashTable *date_object_get_properties(zval *object TSRMLS_DC)
 				ZVAL_STRING(zv, dateobj->time->tz_abbr, 1);
 				break;
 		}
-		zend_hash_update(props, "timezone", 9, &zv, sizeof(zval), NULL);
+		zend_hash_update(props, "timezone", 9, &zv, sizeof(zv), NULL);
 	}
 
 	return props;
@@ -2305,7 +2305,7 @@ static HashTable *date_object_get_properties_timezone(zval *object TSRMLS_DC)
 
 	MAKE_STD_ZVAL(zv);
 	ZVAL_LONG(zv, tzobj->type);
-	zend_hash_update(props, "timezone_type", 14, &zv, sizeof(zval), NULL);
+	zend_hash_update(props, "timezone_type", 14, &zv, sizeof(zv), NULL);
 
 	MAKE_STD_ZVAL(zv);
 	switch (tzobj->type) {
@@ -2327,7 +2327,7 @@ static HashTable *date_object_get_properties_timezone(zval *object TSRMLS_DC)
 			ZVAL_STRING(zv, tzobj->tzi.z.abbr, 1);
 			break;
 	}
-	zend_hash_update(props, "timezone", 9, &zv, sizeof(zval), NULL);
+	zend_hash_update(props, "timezone", 9, &zv, sizeof(zv), NULL);
 
 	return props;
 }
@@ -2394,7 +2394,7 @@ static HashTable *date_object_get_properties_interval(zval *object TSRMLS_DC)
 #define PHP_DATE_INTERVAL_ADD_PROPERTY(n,f) \
 	MAKE_STD_ZVAL(zv); \
 	ZVAL_LONG(zv, (long)intervalobj->diff->f); \
-	zend_hash_update(props, n, strlen(n) + 1, &zv, sizeof(zval), NULL);
+	zend_hash_update(props, n, strlen(n) + 1, &zv, sizeof(zv), NULL);
 
 	PHP_DATE_INTERVAL_ADD_PROPERTY("y", y);
 	PHP_DATE_INTERVAL_ADD_PROPERTY("m", m);
@@ -2411,7 +2411,7 @@ static HashTable *date_object_get_properties_interval(zval *object TSRMLS_DC)
 	} else {
 		MAKE_STD_ZVAL(zv);
 		ZVAL_FALSE(zv);
-		zend_hash_update(props, "days", 5, &zv, sizeof(zval), NULL);
+		zend_hash_update(props, "days", 5, &zv, sizeof(zv), NULL);
 	}
 	PHP_DATE_INTERVAL_ADD_PROPERTY("special_type", special.type);
 	PHP_DATE_INTERVAL_ADD_PROPERTY("special_amount", special.amount);

Original file line number	Diff line number	Diff line change
`@@ -57,6 +57,11 @@ ZEND_API void zend_objects_store_call_destructors(zend_objects_store *objects TS`
`57`	`57`	`obj->dtor(obj->object, i TSRMLS_CC);`
`58`	`58`	`obj = &objects->object_buckets[i].bucket.obj;`
`59`	`59`	`obj->refcount--;`
	`60`	`+`
	`61`	`+ if (obj->refcount == 0) {`
	`62`	`+ /* in case gc_collect_cycle is triggered before free_storage */`
	`63`	`+ GC_REMOVE_ZOBJ_FROM_BUFFER(obj);`
	`64`	`+ }`
`60`	`65`	`}`
`61`	`66`	`}`
`62`	`67`	`}`