From: Xinchen Hui
Date: Tue, 7 Aug 2018 04:36:36 +0000 (+0800)
Subject: Fixed bug #76713 (Segmentation fault caused by property corruption)
X-Git-Tag: php-7.3.0beta2~14
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=2b1d79ce6661efdfae881884ca40b4ca7fc991e7;p=php
Fixed bug #76713 (Segmentation fault caused by property corruption)
---
diff --git a/NEWS b/NEWS
index 5ad7f9ad59..c1c62716f8 100644
--- a/NEWS
+++ b/NEWS
@@ -14,6 +14,10 @@ PHP NEWS
 . Fixed bug #76595 (phpdbg man page contains outdated information). (Kevin Abel)
+- Standard:
+ . Fixed bug #76713 (Segmentation fault caused by property corruption).
+ (Laruence)
+
 - zlib:
 . Fixed bug #65988 (Zlib version check fails when an include/zlib/ style dir is passed to the --with-zlib configure option). (Jay Bonci)
diff --git a/ext/standard/array.c b/ext/standard/array.c
index ed917d71d0..187b7182a4 100644
--- a/ext/standard/array.c
+++ b/ext/standard/array.c
@@ -4113,6 +4113,9 @@ static inline zval *array_column_fetch_prop(zval *data, zval *name, zval *rv) /*
 prop = Z_OBJ_HANDLER_P(data, read_property)(data, name, BP_VAR_R, NULL, rv);
 if (prop) {
 ZVAL_DEREF(prop);
+ if (prop != rv) {
+ Z_TRY_ADDREF_P(prop);
+ }
 }
 }
 } else if (Z_TYPE_P(data) == IS_ARRAY) {
diff --git a/ext/standard/tests/array/bug76713.phpt b/ext/standard/tests/array/bug76713.phpt
new file mode 100644
index 0000000000..0c993f5721
--- /dev/null
+++ b/ext/standard/tests/array/bug76713.phpt
@@ -0,0 +1,39 @@
+--TEST--
+Bug #76713 (Segmentation fault caused by property corruption)
+--FILE--
+prop = str_pad("a", 10, 'a');
+
+test($obj);
+test($obj);
+test($obj);
+
+var_dump($obj->prop);
+
+class C {
+ public $name;
+ public function __get($name) {
+ return $this->name;
+ }
+}
+
+$obj = new C;
+
+$obj->name = str_pad("b", 10, 'b');
+
+test($obj);
+test($obj);
+test($obj);
+
+var_dump($obj->prop);
+?>
+--EXPECT--
+string(10) "aaaaaaaaaa"
+string(10) "bbbbbbbbbb"
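Review bot: The new `if (prop != rv)` guard in array_column_fetch_prop encodes an ownership rule that nothing in the hunk states: presumably a value the handler wrote into `rv` already carries its own reference, while a pointer to the object's own property slot is borrowed and needs one before the caller keeps it. A comment above the guard would stop a later edit from dropping it and bringing back the corruption from bug #76713, for example `/* prop points at the object's own slot, not the rv temporary: take a reference so the caller owns the value */`. Note also that `ZVAL_DEREF(prop)` runs before the comparison, so if a handler ever leaves a reference in `rv`, `prop` would no longer equal `rv` and the inner value would get the extra reference while the wrapper in `rv` may go unreleased. Whether that can happen depends on the handler and the caller, both outside this hunk, and the new bug76713.phpt only exercises a directly assigned property and a by-value `__get`. The function body starts and ends outside the hunk.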