Fix #78173: XML-RPC mutates immutable objects during encoding

With opcache.protect_memory=1 enabled, the XML-RPC extension causes a
segfault on PHP 7.2 as it is modifying the recursion counter of objects
it touches, without first checking if they are immutable or not.

This doesn't affect 7.3+

diff --git a/NEWS b/NEWS
index d02a6ce98565c972dc488bc0227cb84e6aaa6345..92de1e479e1b865207b86126d8cd87f15d48582f 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -2,6 +2,9 @@ PHP                                                                        NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 ?? ??? 2019, PHP 7.2.21
 
+- XMLRPC:
+  . Fixed #78173 (XML-RPC mutates immutable objects during encoding). (Asher
+    Baker)
 
 27 Jun 2019, PHP 7.2.20
 

diff --git a/ext/xmlrpc/xmlrpc-epi-php.c b/ext/xmlrpc/xmlrpc-epi-php.c
index 36fbff123c061ca102153d4908a00cb8afc52e98..69d9658a7778255e74dd34d9a3d57eae4b31687b 100644 (file)
--- a/ext/xmlrpc/xmlrpc-epi-php.c
+++ b/ext/xmlrpc/xmlrpc-epi-php.c
@@ -556,7 +556,7 @@ static XMLRPC_VALUE PHP_to_XMLRPC_worker (const char* key, zval* in_val, int dep
                                                XMLRPC_VECTOR_TYPE vtype;
 
                                                ht = HASH_OF(&val);
-                                               if (ht && ht->u.v.nApplyCount > 1) {
+                                               if (ht && ZEND_HASH_APPLY_PROTECTION(ht) && ht->u.v.nApplyCount > 1) {
                                                        zend_throw_error(NULL, "XML-RPC doesn't support circular references");
                                                        return NULL;
                                                }
@@ -570,7 +570,7 @@ static XMLRPC_VALUE PHP_to_XMLRPC_worker (const char* key, zval* in_val, int dep
                                                ZEND_HASH_FOREACH_KEY_VAL(Z_ARRVAL(val_arr), num_index, my_key, pIter) {
                                                        ZVAL_DEREF(pIter);
                                                        ht = HASH_OF(pIter);
-                                                       if (ht) {
+                                                       if (ht && ZEND_HASH_APPLY_PROTECTION(ht)) {
                                                                ht->u.v.nApplyCount++;
                                                        }
                                                        if (my_key == NULL) {
@@ -587,7 +587,7 @@ static XMLRPC_VALUE PHP_to_XMLRPC_worker (const char* key, zval* in_val, int dep
                                                        } else {
                                                                XMLRPC_AddValueToVector(xReturn, PHP_to_XMLRPC_worker(ZSTR_VAL(my_key), pIter, depth++));
                                                        }
-                                                       if (ht) {
+                                                       if (ht && ZEND_HASH_APPLY_PROTECTION(ht)) {
                                                                ht->u.v.nApplyCount--;
                                                        }
                                                } ZEND_HASH_FOREACH_END();