Fixed bug #43128 (Very long class name causes segfault)
authorDmitry Stogov <dmitry@php.net>
Thu, 22 Nov 2007 13:27:13 +0000 (13:27 +0000)
committerDmitry Stogov <dmitry@php.net>
Thu, 22 Nov 2007 13:27:13 +0000 (13:27 +0000)
18 files changed:
NEWS
TSRM/tsrm_config_common.h
TSRM/tsrm_virtual_cwd.c
Zend/tests/bug43128.phpt [new file with mode: 0755]
Zend/zend.h
Zend/zend_API.c
Zend/zend_builtin_functions.c
Zend/zend_compile.c
Zend/zend_compile.h
Zend/zend_execute.c
Zend/zend_execute_API.c
Zend/zend_object_handlers.c
Zend/zend_vm_execute.h
Zend/zend_vm_execute.skl
ext/interbase/ibase_query.c
ext/reflection/php_reflection.c
ext/spl/php_spl.c
main/main.c

diff --git a/NEWS b/NEWS
index 3bd765ec6ac1315537695456da465f930f90b382..64628d5d71a53c74e0330f9ace0cf10250c05874 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -62,6 +62,7 @@ PHP                                                                        NEWS
 - Fixed bug #43136 (possible crash on script execution timeout.
   The EG(function_state_ptr) is completely removed,
   EG(current_execute_data)->function_state must be used instead). (Dmitry)
+- Fixed bug #43128 (Very long class name causes segfault). (Dmitry)
 - Fixed bug #42848 (Status: header incorrect under FastCGI). (Dmitry)
 - Fixed bug #42773 (WSDL error causes HTTP 500 Response). (Dmitry)
 - Fixed bug #42737 (preg_split('//u') triggers a E_NOTICE with newlines). (Nuno)
index 0c6a2a183fc0b9725c97134a1e7ac62e971abe01..d2b9bfc99404835b14080d32c7720376a2665d3d 100644 (file)
@@ -52,9 +52,17 @@ char *alloca ();
 #endif
 
 #if (HAVE_ALLOCA || (defined (__GNUC__) && __GNUC__ >= 2))
-# define tsrm_do_alloca(p) alloca(p)
-# define tsrm_free_alloca(p)
+# define TSRM_ALLOCA_MAX_SIZE 4096
+# define TSRM_ALLOCA_FLAG(name) \
+       int name;
+# define tsrm_do_alloca_ex(size, limit, use_heap) \
+       ((use_heap = ((size) > (limit))) ? malloc(size) : alloca(size))
+# define tsrm_do_alloca(size, use_heap) \
+       tsrm_do_alloca_ex(size, TSRM_ALLOCA_MAX_SIZE, use_heap)
+# define tsrm_free_alloca(p, use_heap) \
+       do { if (use_heap) free(p); } while (0)
 #else
+# define TSRM_ALLOCA_FLAG(name)
 # define tsrm_do_alloca(p)   malloc(p)
 # define tsrm_free_alloca(p) free(p)
 #endif
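Review bot: The `#else` fallback still defines `tsrm_do_alloca(p)` and `tsrm_free_alloca(p)` with a single parameter, while the call sites changed in this commit pass two (`tsrm_do_alloca(length+1, use_heap)`), so a build that takes the fallback branch would fail on those calls. The fallback should accept and ignore the flag: `# define tsrm_do_alloca(p, use_heap) malloc(p)` and `# define tsrm_free_alloca(p, use_heap) free(p)`. The Zend/zend.h hunk has the same mismatch for `do_alloca(p)` and `free_alloca(p)`. Separately, `tsrm_do_alloca_ex` expands `size` twice, so a comment warning against arguments with side effects would be worth adding.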
index e808f85b6edf71a34d126d594c16a341a81d64ee..d4654a70100fcc483c61cd773cb593b735b4eb01 100644 (file)
@@ -777,6 +777,7 @@ CWD_API int virtual_chdir_file(const char *path, int (*p_chdir)(const char *path
        int length = strlen(path);
        char *temp;
        int retval;
+       TSRM_ALLOCA_FLAG(use_heap)
 
        if (length == 0) {
                return 1; /* Can't cd to empty string */
@@ -793,14 +794,14 @@ CWD_API int virtual_chdir_file(const char *path, int (*p_chdir)(const char *path
        if (length == COPY_WHEN_ABSOLUTE(path) && IS_ABSOLUTE_PATH(path, length+1)) { /* Also use trailing slash if this is absolute */
                length++;
        }
-       temp = (char *) tsrm_do_alloca(length+1);
+       temp = (char *) tsrm_do_alloca(length+1, use_heap);
        memcpy(temp, path, length);
        temp[length] = 0;
 #if VIRTUAL_CWD_DEBUG
        fprintf (stderr, "Changing directory to %s\n", temp);
 #endif
        retval = p_chdir(temp TSRMLS_CC);
-       tsrm_free_alloca(temp);
+       tsrm_free_alloca(temp, use_heap);
        return retval;
 }
 /* }}} */
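Review bot: The heap branch of `tsrm_do_alloca` is a plain `malloc`, and `temp` goes straight into `memcpy` without a NULL check, so for paths longer than `TSRM_ALLOCA_MAX_SIZE` an allocation failure becomes a write through a null pointer instead of an error return. A guard directly after the allocation, e.g. `if (temp == NULL) return -1;` (the failure value should follow whatever callers of virtual_chdir_file expect), closes that. `length` is also an `int` filled from `strlen(path)`, which is worth making a `size_t` if the surrounding code allows it. The function starts outside this hunk.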
diff --git a/Zend/tests/bug43128.phpt b/Zend/tests/bug43128.phpt
new file mode 100755 (executable)
index 0000000..e5969c3
--- /dev/null
@@ -0,0 +1,15 @@
+--TEST--
+Bug #43128 Very long class name causes segfault 
+--FILE--
+<?php
+
+$a = str_repeat("a", 10 * 1024 * 1024);
+
+# call_user_func($a); // Warning
+# $a->$a();           // Fatal error
+
+if ($a instanceof $a); // Segmentation fault
+new $a;                // Segmentation fault
+echo "ok\n";
+--EXPECT--
+ok
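Review bot: The script never defines a class named `$a`, so `new $a;` looks like it will stop with a class-not-found fatal error before `echo "ok\n"` runs, and the EXPECT section would then not match even with the crash fixed. Declaring the class first, e.g. `eval("class $a {}");` before the `instanceof` line, lets both statements exercise the long-name path and still reach the echo. A 10 MB name is copied several times along the way, so an `--INI--` section raising `memory_limit` may also be needed, depending on the default the test runner uses.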
index 75201c11903a0be609db1f90328bdee269b85408..211733aa8e52328aaed50315863269dd4a239344 100644 (file)
@@ -177,9 +177,17 @@ char *alloca ();
 #endif
 
 #if (HAVE_ALLOCA || (defined (__GNUC__) && __GNUC__ >= 2)) && !(defined(ZTS) && defined(ZEND_WIN32)) && !(defined(ZTS) && defined(NETWARE)) && !(defined(ZTS) && defined(HPUX)) && !defined(DARWIN)
-# define do_alloca(p) alloca(p)
-# define free_alloca(p)
+# define ZEND_ALLOCA_MAX_SIZE (32 * 1024)
+# define ALLOCA_FLAG(name) \
+       zend_bool name;
+# define do_alloca_ex(size, limit, use_heap) \
+       ((use_heap = (UNEXPECTED((size) > (limit)))) ? emalloc(size) : alloca(size))
+# define do_alloca(size, use_heap) \
+       do_alloca_ex(size, ZEND_ALLOCA_MAX_SIZE, use_heap)
+# define free_alloca(p, use_heap) \
+       do { if (UNEXPECTED(use_heap)) efree(p); } while (0)
 #else
+# define ALLOCA_FLAG(name)
 # define do_alloca(p)          emalloc(p)
 # define free_alloca(p)        efree(p)
 #endif
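Review bot: `ALLOCA_FLAG` carries its own semicolon in the alloca branch and expands to nothing in the fallback, which is why every caller writes `ALLOCA_FLAG(use_heap)` without a trailing semicolon, but nothing in the header says so. A comment above the macros such as `/* ALLOCA_FLAG(name) declares the flag shared by do_alloca()/free_alloca(); place it among the declarations, without a trailing ';' */` would keep new call sites consistent. The same comment should state that `do_alloca_ex` evaluates `size` twice. It should also say that a pointer obtained from `do_alloca` must always be released through `free_alloca` with the same flag, because above `ZEND_ALLOCA_MAX_SIZE` it is an `emalloc` block.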
index fbf73e8e760e7f9e9d99930d04450bd3325a1648..056b3b6879bab2c6cdf672ffc663a131f8e36c90 100644 (file)
@@ -1863,11 +1863,10 @@ ZEND_API int zend_register_functions(zend_class_entry *scope, const zend_functio
                        }
                }
                fname_len = strlen(ptr->fname);
-               lowercase_name = do_alloca(fname_len+1);
-               zend_str_tolower_copy(lowercase_name, ptr->fname, fname_len);
+               lowercase_name = zend_str_tolower_dup(ptr->fname, fname_len);
                if (zend_hash_add(target_function_table, lowercase_name, fname_len+1, &function, sizeof(zend_function), (void**)&reg_function) == FAILURE) {
                        unload=1;
-                       free_alloca(lowercase_name);
+                       efree(lowercase_name);
                        break;
                }
                if (scope) {
@@ -1909,7 +1908,7 @@ ZEND_API int zend_register_functions(zend_class_entry *scope, const zend_functio
                }
                ptr++;
                count++;
-               free_alloca(lowercase_name);
+               efree(lowercase_name);
        }
        if (unload) { /* before unloading, display all remaining bad function in the module */
                if (scope) {
index 27559f59f46ea968df5721c4bd2bca5596c2c3d2..f7f08e91d843e16163b0c64535b8cf748e64a708 100644 (file)
@@ -1034,19 +1034,20 @@ ZEND_FUNCTION(class_exists)
        char *class_name, *lc_name;
        zend_class_entry **ce;
        int class_name_len;
-       zend_bool autoload = 1;
        int found;
+       zend_bool autoload = 1;
+       ALLOCA_FLAG(use_heap)
 
        if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|b", &class_name, &class_name_len, &autoload) == FAILURE) {
                return;
        }
 
        if (!autoload) {
-               lc_name = do_alloca(class_name_len + 1);
+               lc_name = do_alloca(class_name_len + 1, use_heap);
                zend_str_tolower_copy(lc_name, class_name, class_name_len);
        
                found = zend_hash_find(EG(class_table), lc_name, class_name_len+1, (void **) &ce);
-               free_alloca(lc_name);
+               free_alloca(lc_name, use_heap);
                RETURN_BOOL(found == SUCCESS && !((*ce)->ce_flags & ZEND_ACC_INTERFACE));
        }
 
@@ -1065,19 +1066,20 @@ ZEND_FUNCTION(interface_exists)
        char *iface_name, *lc_name;
        zend_class_entry **ce;
        int iface_name_len;
-       zend_bool autoload = 1;
        int found;
+       zend_bool autoload = 1;
+       ALLOCA_FLAG(use_heap)
 
        if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|b", &iface_name, &iface_name_len, &autoload) == FAILURE) {
                return;
        }
 
        if (!autoload) {
-               lc_name = do_alloca(iface_name_len + 1);
+               lc_name = do_alloca(iface_name_len + 1, use_heap);
                zend_str_tolower_copy(lc_name, iface_name, iface_name_len);
        
                found = zend_hash_find(EG(class_table), lc_name, iface_name_len+1, (void **) &ce);
-               free_alloca(lc_name);
+               free_alloca(lc_name, use_heap);
                RETURN_BOOL(found == SUCCESS && (*ce)->ce_flags & ZEND_ACC_INTERFACE);
        }
 
index 5da1f7886221e1c14b33249befb48b50227ea9fd..bdb51ef12153a7c6fe0175f953ce5f7e15372bfd 100644 (file)
@@ -1088,6 +1088,7 @@ void zend_do_begin_function_declaration(znode *function_token, znode *function_n
        zend_uint fn_flags;
        char *lcname;
        zend_bool orig_interactive;
+       ALLOCA_FLAG(use_heap)
 
        if (is_method) {
                if (CG(active_class_entry)->ce_flags & ZEND_ACC_INTERFACE) {
@@ -1148,7 +1149,7 @@ void zend_do_begin_function_declaration(znode *function_token, znode *function_n
                }
 
                if (!(CG(active_class_entry)->ce_flags & ZEND_ACC_INTERFACE)) {
-                       short_class_name = do_alloca(short_class_name_length + 1);
+                       short_class_name = do_alloca(short_class_name_length + 1, use_heap);
                        zend_str_tolower_copy(short_class_name, CG(active_class_entry)->name, short_class_name_length);
                        /* Improve after RC: cache the lowercase class name */
 
@@ -1184,7 +1185,7 @@ void zend_do_begin_function_declaration(znode *function_token, znode *function_n
                        } else if (!(fn_flags & ZEND_ACC_STATIC)) {
                                CG(active_op_array)->fn_flags |= ZEND_ACC_ALLOW_STATIC;
                        }
-                       free_alloca(short_class_name);
+                       free_alloca(short_class_name, use_heap);
                }
 
                efree(lcname);
index 9056c1bb1db72df302daded3aeb2d2b06a090ecb..a2a8dcd05332025ce791e031f0e56bc2c8c8eceb 100644 (file)
@@ -299,6 +299,7 @@ struct _zend_execute_data {
        union _temp_variable *Ts;
        zval ***CVs;
        zend_bool original_in_execution;
+       ALLOCA_FLAG(use_heap)
        HashTable *symbol_table;
        struct _zend_execute_data *prev_execute_data;
        zval *old_error_reporting;
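Review bot: Declaring the member through `ALLOCA_FLAG(use_heap)` means `struct _zend_execute_data` has no `use_heap` field on builds that take the fallback branch in Zend/zend.h, where the macro expands to nothing. The executor hunks in this commit nevertheless assign `EX(use_heap) = 1;` and read `EX(use_heap)` unconditionally, so unless `EX()` resolves differently on those builds they would not compile. The struct layout would also differ between configurations. Declaring the member directly, `zend_bool use_heap;`, avoids both.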
index 797fbe8446bd8ce3a63916b982bccbe1f792b163..508cc974c5dbb97c26afd13d6c91fad3cf7c9c11 100644 (file)
@@ -1427,12 +1427,7 @@ ZEND_API void execute_internal(zend_execute_data *execute_data_ptr, int return_v
        }
 
 #define ZEND_VM_EXIT_FROM_EXECUTE_LOOP() \
-       free_alloca(EX(CVs)); \
-       if (EX(op_array)->T < TEMP_VAR_STACK_LIMIT) { \
-               free_alloca(EX(Ts)); \
-       } else { \
-               efree(EX(Ts)); \
-       } \
+       free_alloca(EX(CVs), EX(use_heap)); \
        EG(in_execution) = EX(original_in_execution); \
        EG(current_execute_data) = EX(prev_execute_data); \
        EG(opline_ptr) = NULL;
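Review bot: The macro now releases only `EX(CVs)`, which is correct solely because execute() in this commit carves `EX(Ts)` out of the same allocation; that coupling is not visible at this site. A comment on the macro, e.g. `/* EX(Ts) lives inside the EX(CVs) block (see execute()), so a single free_alloca releases both */`, would keep a later change from re-adding a second free or splitting the allocation again without updating this exit path.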
index fdff4d9acccce97b3f1ae33452367ffe95e6048d..ff76d3aa4f732b48983c12933ad17fb990113c6d 100644 (file)
@@ -1082,15 +1082,16 @@ ZEND_API int zend_lookup_class_ex(const char *name, int name_length, int use_aut
        char *lc_name;
        char *lc_free;
        zval *exception;
-       char dummy = 1;
        zend_fcall_info fcall_info;
        zend_fcall_info_cache fcall_cache;
+       char dummy = 1;
+       ALLOCA_FLAG(use_heap)
 
        if (name == NULL || !name_length) {
                return FAILURE;
        }
 
-       lc_free = lc_name = do_alloca(name_length + 1);
+       lc_free = lc_name = do_alloca(name_length + 1, use_heap);
        zend_str_tolower_copy(lc_name, name, name_length);
 
        if (lc_name[0] == ':' && lc_name[1] == ':') {
@@ -1099,7 +1100,7 @@ ZEND_API int zend_lookup_class_ex(const char *name, int name_length, int use_aut
        }
 
        if (zend_hash_find(EG(class_table), lc_name, name_length + 1, (void **) ce) == SUCCESS) {
-               free_alloca(lc_free);
+               free_alloca(lc_free, use_heap);
                return SUCCESS;
        }
 
@@ -1107,7 +1108,7 @@ ZEND_API int zend_lookup_class_ex(const char *name, int name_length, int use_aut
         * (doesn't impact fuctionality of __autoload()
        */
        if (!use_autoload || zend_is_compiling(TSRMLS_C)) {
-               free_alloca(lc_free);
+               free_alloca(lc_free, use_heap);
                return FAILURE;
        }
 
@@ -1117,7 +1118,7 @@ ZEND_API int zend_lookup_class_ex(const char *name, int name_length, int use_aut
        }
 
        if (zend_hash_add(EG(in_autoload), lc_name, name_length + 1, (void**)&dummy, sizeof(char), NULL) == FAILURE) {
-               free_alloca(lc_free);
+               free_alloca(lc_free, use_heap);
                return FAILURE;
        }
 
@@ -1155,12 +1156,12 @@ ZEND_API int zend_lookup_class_ex(const char *name, int name_length, int use_aut
 
        if (retval == FAILURE) {
                EG(exception) = exception;
-               free_alloca(lc_free);
+               free_alloca(lc_free, use_heap);
                return FAILURE;
        }
 
        if (EG(exception) && exception) {
-               free_alloca(lc_free);
+               free_alloca(lc_free, use_heap);
                zend_error(E_ERROR, "Function %s(%s) threw an exception of type '%s'", ZEND_AUTOLOAD_FUNC_NAME, name, Z_OBJCE_P(EG(exception))->name);
                return FAILURE;
        }
@@ -1172,7 +1173,7 @@ ZEND_API int zend_lookup_class_ex(const char *name, int name_length, int use_aut
        }
 
        retval = zend_hash_find(EG(class_table), lc_name, name_length + 1, (void **) ce);
-       free_alloca(lc_free);
+       free_alloca(lc_free, use_heap);
        return retval;
 }
 /* }}} */
index 017f3df635a83131a0df8ee1e37c4034ec462f3f..56ff4ab1b26d397304f8c982529f23a77c8787eb 100644 (file)
@@ -776,14 +776,15 @@ static union _zend_function *zend_std_get_method(zval **object_ptr, char *method
        zend_function *fbc;
        char *lc_method_name;
        zval *object = *object_ptr;
+       ALLOCA_FLAG(use_heap)
 
-       lc_method_name = do_alloca(method_len+1);
+       lc_method_name = do_alloca(method_len+1, use_heap);
        /* Create a zend_copy_str_tolower(dest, src, src_length); */
        zend_str_tolower_copy(lc_method_name, method_name, method_len);
 
        zobj = Z_OBJ_P(object);
        if (zend_hash_find(&zobj->ce->function_table, lc_method_name, method_len+1, (void **)&fbc) == FAILURE) {
-               free_alloca(lc_method_name);
+               free_alloca(lc_method_name, use_heap);
                if (zobj->ce->__call) {
                        zend_internal_function *call_user_call = emalloc(sizeof(zend_internal_function));
                        call_user_call->type = ZEND_INTERNAL_FUNCTION;
@@ -838,7 +839,7 @@ static union _zend_function *zend_std_get_method(zval **object_ptr, char *method
                }
        }
 
-       free_alloca(lc_method_name);
+       free_alloca(lc_method_name, use_heap);
        return fbc;
 }
 /* }}} */
index 098aaa6f357682f65795da8984fa948ae1aa9187..e6c7fb1d1fbb7528e5fa8d7f4ee85d6d0606d1fe 100644 (file)
@@ -45,12 +45,13 @@ ZEND_API void execute(zend_op_array *op_array TSRMLS_DC)
        EX(called_scope) = NULL;
        EX(object) = NULL;
        EX(old_error_reporting) = NULL;
-       if (op_array->T < TEMP_VAR_STACK_LIMIT) {
-               EX(Ts) = (temp_variable *) do_alloca(sizeof(temp_variable) * op_array->T);
+       if (EXPECTED(op_array->T < TEMP_VAR_STACK_LIMIT && op_array->last_var < TEMP_VAR_STACK_LIMIT)) {
+               EX(CVs) = (zval***)do_alloca(sizeof(zval**) * op_array->last_var + sizeof(temp_variable) * op_array->T, EX(use_heap));
        } else {
-               EX(Ts) = (temp_variable *) safe_emalloc(sizeof(temp_variable), op_array->T, 0);
+               EX(use_heap) = 1;
+               EX(CVs) = (zval***)safe_emalloc(sizeof(temp_variable), op_array->T, sizeof(zval**) * op_array->last_var);
        }
-       EX(CVs) = (zval***)do_alloca(sizeof(zval**) * op_array->last_var);
+       EX(Ts) = (temp_variable *)(EX(CVs) + op_array->last_var);
        memset(EX(CVs), 0, sizeof(zval**) * op_array->last_var);
        EX(op_array) = op_array;
        EX(original_in_execution) = EG(in_execution);
index 1f6116b08a0d1411c2d25d0565d3e72e1b6bab28..95d13606e4cee737139f43c7b92d43d488b310ec 100644 (file)
@@ -16,12 +16,13 @@ ZEND_API void {%EXECUTOR_NAME%}(zend_op_array *op_array TSRMLS_DC)
        EX(called_scope) = NULL;
        EX(object) = NULL;
        EX(old_error_reporting) = NULL;
-       if (op_array->T < TEMP_VAR_STACK_LIMIT) {
-               EX(Ts) = (temp_variable *) do_alloca(sizeof(temp_variable) * op_array->T);
+       if (EXPECTED(op_array->T < TEMP_VAR_STACK_LIMIT && op_array->last_var < TEMP_VAR_STACK_LIMIT)) {
+               EX(CVs) = (zval***)do_alloca(sizeof(zval**) * op_array->last_var + sizeof(temp_variable) * op_array->T, EX(use_heap));
        } else {
-               EX(Ts) = (temp_variable *) safe_emalloc(sizeof(temp_variable), op_array->T, 0);
+               EX(use_heap) = 1;
+               EX(CVs) = (zval***)safe_emalloc(sizeof(temp_variable), op_array->T, sizeof(zval**) * op_array->last_var);
        }
-       EX(CVs) = (zval***)do_alloca(sizeof(zval**) * op_array->last_var);
+       EX(Ts) = (temp_variable *)(EX(CVs) + op_array->last_var);
        memset(EX(CVs), 0, sizeof(zval**) * op_array->last_var);
        EX(op_array) = op_array;
        EX(original_in_execution) = EG(in_execution);
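Review bot: `EX(Ts)` is now placed at `EX(CVs) + op_array->last_var`, so its alignment is that of a pointer-sized slot rather than of a fresh allocation. If `temp_variable` needs stricter alignment than `zval **` (its definition is not in this diff), an odd `last_var` on a 32-bit strict-alignment target would misalign it. Padding the CV area up to the alignment of `temp_variable`, in both the size computation and the pointer arithmetic, would remove that dependency. In the heap branch the offset `sizeof(zval**) * op_array->last_var` is multiplied before `safe_emalloc` sees it, so it sits outside the overflow check; this is probably unreachable for realistic op arrays but deserves a comment. The same lines appear in the generated Zend/zend_vm_execute.h.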
index 64a88d09af816692f48c6d2ae58cff307ed6f447..d3703a42c1069991ecbfa8b52f767f61def2e028 100644 (file)
@@ -1843,6 +1843,7 @@ PHP_FUNCTION(ibase_execute)
        zval *query, ***args = NULL;
        ibase_query *ib_query;
        ibase_result *result = NULL;
+       ALLOCA_FLAG(use_heap)
 
        RESET_ERRMSG;
        
@@ -1866,7 +1867,7 @@ PHP_FUNCTION(ibase_execute)
                        }
 
                } else if (bind_n > 0) { /* have variables to bind */
-                       args = (zval ***) do_alloca(ZEND_NUM_ARGS() * sizeof(zval **));
+                       args = (zval ***) do_alloca(ZEND_NUM_ARGS() * sizeof(zval **), use_heap);
        
                        if (FAILURE == zend_get_parameters_array_ex(ZEND_NUM_ARGS(), args)) {
                                break;
@@ -1907,7 +1908,7 @@ PHP_FUNCTION(ibase_execute)
        } while (0);
 
        if (args) {
-               free_alloca(args);
+               free_alloca(args, use_heap);
        }
 }
 /* }}} */
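Review bot: `use_heap` is assigned only inside `do_alloca`, so the `if (args)` test before `free_alloca(args, use_heap)` is now what keeps an uninitialized flag from being read when no parameters were bound. A short comment on that check, e.g. `/* args != NULL implies do_alloca() ran and set use_heap */`, would make the dependency explicit for anyone who later simplifies the cleanup. The function body starts outside this hunk.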
index 9a7de3e37d964bb6d4d5411e55f276b1fef99ee9..06cad88f9a719eb9a0799cad13b65f0dcc7db875 100644 (file)
@@ -1047,14 +1047,15 @@ static void reflection_extension_factory(zval *object, const char *name_str TSRM
        int name_len = strlen(name_str);
        char *lcname;
        struct _zend_module_entry *module;
+       ALLOCA_FLAG(use_heap)
 
-       lcname = do_alloca(name_len + 1);
+       lcname = do_alloca(name_len + 1, use_heap);
        zend_str_tolower_copy(lcname, name_str, name_len);
        if (zend_hash_find(&module_registry, lcname, name_len + 1, (void **)&module) == FAILURE) {
-               free_alloca(lcname);
+               free_alloca(lcname, use_heap);
                return;
        }
-       free_alloca(lcname);
+       free_alloca(lcname, use_heap);
 
        reflection_instantiate(reflection_extension_ptr, object TSRMLS_CC);
        intern = (reflection_object *) zend_object_store_get_object(object TSRMLS_CC);
@@ -4127,6 +4128,7 @@ ZEND_METHOD(reflection_extension, __construct)
        zend_module_entry *module;
        char *name_str;
        int name_len;
+       ALLOCA_FLAG(use_heap)
 
        if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &name_str, &name_len) == FAILURE) {
                return;
@@ -4137,15 +4139,15 @@ ZEND_METHOD(reflection_extension, __construct)
        if (intern == NULL) {
                return;
        }
-       lcname = do_alloca(name_len + 1);
+       lcname = do_alloca(name_len + 1, use_heap);
        zend_str_tolower_copy(lcname, name_str, name_len);
        if (zend_hash_find(&module_registry, lcname, name_len + 1, (void **)&module) == FAILURE) {
-               free_alloca(lcname);
+               free_alloca(lcname, use_heap);
                zend_throw_exception_ex(reflection_exception_ptr, 0 TSRMLS_CC, 
                        "Extension %s does not exist", name_str);
                return;
        }
-       free_alloca(lcname);
+       free_alloca(lcname, use_heap);
        MAKE_STD_ZVAL(name);
        ZVAL_STRING(name, module->name, 1);
        zend_hash_update(Z_OBJPROP_P(object), "name", sizeof("name"), (void **) &name, sizeof(zval *), NULL);
index a9e6c96c5d9bb97a317ac679650b12b862be99be..e93ab3b42d7a4d96d77e995961e0965772a5c875 100755 (executable)
@@ -72,12 +72,13 @@ static zend_class_entry * spl_find_ce_by_name(char *name, int len, zend_bool aut
 
        if (!autoload) {
                char *lc_name;
+               ALLOCA_FLAG(use_heap)
 
-               lc_name = do_alloca(len + 1);
+               lc_name = do_alloca(len + 1, use_heap);
                zend_str_tolower_copy(lc_name, name, len);
 
                found = zend_hash_find(EG(class_table), lc_name, len +1, (void **) &ce);
-               free_alloca(lc_name);
+               free_alloca(lc_name, use_heap);
        } else {
                found = zend_lookup_class(name, len, &ce TSRMLS_CC);
        }
index c4ea3416018505b93fe01b0778cd73925eb140f9..efc424e6a60aa51378443b15998f6a5c5df37535 100644 (file)
@@ -1929,6 +1929,7 @@ PHPAPI int php_execute_script(zend_file_handle *primary_file TSRMLS_DC)
        int old_cwd_fd = -1;
 #else
        char *old_cwd;
+       ALLOCA_FLAG(use_heap)
 #endif
        int retval = 0;
 
@@ -1939,7 +1940,7 @@ PHPAPI int php_execute_script(zend_file_handle *primary_file TSRMLS_DC)
        }
 #ifndef HAVE_BROKEN_GETCWD
 # define OLD_CWD_SIZE 4096
-       old_cwd = do_alloca(OLD_CWD_SIZE);
+       old_cwd = do_alloca(OLD_CWD_SIZE, use_heap);
        old_cwd[0] = '\0';
 #endif
 
@@ -2017,7 +2018,7 @@ PHPAPI int php_execute_script(zend_file_handle *primary_file TSRMLS_DC)
        if (old_cwd[0] != '\0') {
                VCWD_CHDIR(old_cwd);
        }
-       free_alloca(old_cwd);
+       free_alloca(old_cwd, use_heap);
 #endif
        return retval;
 }
@@ -2028,10 +2029,11 @@ PHPAPI int php_execute_script(zend_file_handle *primary_file TSRMLS_DC)
 PHPAPI int php_execute_simple_script(zend_file_handle *primary_file, zval **ret TSRMLS_DC)
 {
        char *old_cwd;
+       ALLOCA_FLAG(use_heap)
 
        EG(exit_status) = 0;
 #define OLD_CWD_SIZE 4096
-       old_cwd = do_alloca(OLD_CWD_SIZE);
+       old_cwd = do_alloca(OLD_CWD_SIZE, use_heap);
        old_cwd[0] = '\0';
 
        zend_try {
@@ -2052,7 +2054,7 @@ PHPAPI int php_execute_simple_script(zend_file_handle *primary_file, zval **ret
                VCWD_CHDIR(old_cwd);
        }
 
-       free_alloca(old_cwd);
+       free_alloca(old_cwd, use_heap);
        return EG(exit_status);
 }
 /* }}} */