From: Xinchen Hui <laruence@gmail.com>
Date: Sun, 20 Mar 2016 11:52:57 +0000 (-0700)
Subject: Fixed Bug #71859 (zend_objects_store_call_destructors operates on realloced memory... 
X-Git-Tag: php-7.0.6RC1~90
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=9564998e490092fdefa6630944e38692c75e30de;p=php

Fixed Bug #71859 (zend_objects_store_call_destructors operates on realloced memory, crashing)
---

diff --git a/NEWS b/NEWS
index 0a93b9824d..d97e7c5a80 100644
--- a/NEWS
+++ b/NEWS
@@ -5,6 +5,8 @@ PHP                                                                        NEWS
 - Core: 
   . Added ability to disable huge pages in Zend Memory Manager through
     the environment variable USE_ZEND_ALLOC_HUGE_PAGES=0. (Dmitry)
+  . Fixed Bug #71859 (zend_objects_store_call_destructors operates on realloced
+    memory, crashing). (Laruence)
   . Fixed bug #71841 (EG(error_zval) is not handled well). (Laruence)
 
 - ODBC:
diff --git a/Zend/tests/bug71859.phpt b/Zend/tests/bug71859.phpt
new file mode 100644
index 0000000000..5b62209a1b
--- /dev/null
+++ b/Zend/tests/bug71859.phpt
@@ -0,0 +1,28 @@
+--TEST--
+Bug #71859 (zend_objects_store_call_destructors operates on realloced memory, crashing)
+--FILE--
+<?php
+class constructs_in_destructor {
+  public function __destruct() {
+    //We are now in zend_objects_store_call_destructors
+    //This causes a realloc in zend_objects_store_put
+    for ($i = 0; $i < 10000; ++$i) {
+      $GLOBALS["a$i"] = new stdClass;
+    }
+    //Returns to zend_objects_store_call_destructors, to access freed memory.
+  }
+}
+
+$a = new constructs_in_destructor;
+//Create cycle so destructors are ran only in zend_objects_store_call_destructors
+$a->a = $a;
+
+// Create some objects so zend_objects_store_call_destructors has something
+// to do after constructs_in_destructor is destroyed.
+for ($i = 0; $i < 200; ++$i) {
+  $GLOBALS["b$i"] = new stdClass;
+}
+?>
+okey
+--EXPECT--
+okey
diff --git a/Zend/zend_objects_API.c b/Zend/zend_objects_API.c
index 6ca190eabe..00d9425f18 100644
--- a/Zend/zend_objects_API.c
+++ b/Zend/zend_objects_API.c
@@ -44,12 +44,9 @@ ZEND_API void zend_objects_store_destroy(zend_objects_store *objects)
 ZEND_API void zend_objects_store_call_destructors(zend_objects_store *objects)
 {
 	if (objects->top > 1) {
-		zend_object **obj_ptr = objects->object_buckets + 1;
-		zend_object **end = objects->object_buckets + objects->top;
-
-		do {
-			zend_object *obj = *obj_ptr;
-
+		uint32_t i;
+		for (i = 1; i < objects->top; i++) {
+			zend_object *obj = objects->object_buckets[i];
 			if (IS_OBJ_VALID(obj)) {
 				if (!(GC_FLAGS(obj) & IS_OBJ_DESTRUCTOR_CALLED)) {
 					GC_FLAGS(obj) |= IS_OBJ_DESTRUCTOR_CALLED;
@@ -58,8 +55,7 @@ ZEND_API void zend_objects_store_call_destructors(zend_objects_store *objects)
 					GC_REFCOUNT(obj)--;
 				}
 			}
-			obj_ptr++;
-		} while (obj_ptr != end);
+		}
 	}
 }