From: Johannes Schlüter
Date: Wed, 27 Jun 2012 21:26:33 +0000 (+0200)
Subject: Fix #62432 ReflectionMethod random corrupt memory on high concurrent
X-Git-Tag: php-5.3.15RC1~7^2~3
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=b025b9d0cf9921d26fc4dad43cf26390d0a8c5dd;p=php
Fix #62432 ReflectionMethod random corrupt memory on high concurrent
This fixes the same issue in multiple extensions. This isn't needed in later branches as 5.4 introduced object_properties_init()
---
diff --git a/NEWS b/NEWS
index 79db5c6b7b..520aa192f2 100644
--- a/NEWS
+++ b/NEWS
@@ -12,6 +12,8 @@ PHP NEWS
 . Fixed CVE-2012-2143. (Solar Designer)
 . Fixed potential overflow in _php_stream_scandir. (Jason Powell, Stas)
+ . Fixed bug #62432 (ReflectionMethod random corrupt memory on high
+ concurrent). (Johannes)
 - Fileinfo:
 . Fixed magic file regex support. (Felipe)
diff --git a/ext/date/php_date.c b/ext/date/php_date.c
index ab4cc49442..527894d223 100644
--- a/ext/date/php_date.c
+++ b/ext/date/php_date.c
@@ -2035,7 +2035,7 @@ static inline zend_object_value date_object_new_date_ex(zend_class_entry *class_
 }
 zend_object_std_init(&intern->std, class_type TSRMLS_CC);
- zend_hash_copy(intern->std.properties, &class_type->default_properties, (copy_ctor_func_t) zval_add_ref, (void *) &tmp, sizeof(zval *));
+ zend_hash_copy(intern->std.properties, &class_type->default_properties, (copy_ctor_func_t) zval_property_ctor, (void *) &tmp, sizeof(zval *));
 retval.handle = zend_objects_store_put(intern, (zend_objects_store_dtor_t)zend_objects_destroy_object, (zend_objects_free_object_storage_t) date_object_free_storage_date, NULL TSRMLS_CC);
 retval.handlers = &date_object_handlers_date;
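Review bot: Nothing at the changed call in date_object_new_date_ex records why the class's default properties must now be duplicated instead of ref-counted, and the same one-line swap is repeated without explanation in every other extension hunk of this commit (the three remaining php_date.c constructors, fileinfo, pdo, reflection, spl, sqlite, sqlite3, tidy, xmlreader, xmlwriter, xsl and zip). The commit message ties the change to memory corruption under concurrency, which suggests (inferred; the helper's definition is not in this diff) that sharing the class entry's zvals through `zval_add_ref` let several threads update one refcount, so a short comment such as `/* copy, do not share: default property zvals belong to the class entry */` would stop the next copy of this idiom from reverting to `zval_add_ref`. Because the line is hand-pasted into each constructor, extensions outside this tree that copied the old form presumably remain affected, and a single shared helper for this branch would be safer than per-site edits. The function body starts and ends outside the hunk.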
@@ -2159,7 +2159,7 @@ static inline zend_object_value date_object_new_timezone_ex(zend_class_entry *cl
 }
 zend_object_std_init(&intern->std, class_type TSRMLS_CC);
- zend_hash_copy(intern->std.properties, &class_type->default_properties, (copy_ctor_func_t) zval_add_ref, (void *) &tmp, sizeof(zval *));
+ zend_hash_copy(intern->std.properties, &class_type->default_properties, (copy_ctor_func_t) zval_property_ctor, (void *) &tmp, sizeof(zval *));
 retval.handle = zend_objects_store_put(intern, (zend_objects_store_dtor_t)zend_objects_destroy_object, (zend_objects_free_object_storage_t) date_object_free_storage_timezone, NULL TSRMLS_CC);
 retval.handlers = &date_object_handlers_timezone;
@@ -2215,7 +2215,7 @@ static inline zend_object_value date_object_new_interval_ex(zend_class_entry *cl
 }
 zend_object_std_init(&intern->std, class_type TSRMLS_CC);
- zend_hash_copy(intern->std.properties, &class_type->default_properties, (copy_ctor_func_t) zval_add_ref, (void *) &tmp, sizeof(zval *));
+ zend_hash_copy(intern->std.properties, &class_type->default_properties, (copy_ctor_func_t) zval_property_ctor, (void *) &tmp, sizeof(zval *));
 retval.handle = zend_objects_store_put(intern, (zend_objects_store_dtor_t)zend_objects_destroy_object, (zend_objects_free_object_storage_t) date_object_free_storage_interval, NULL TSRMLS_CC);
 retval.handlers = &date_object_handlers_interval;
@@ -2291,7 +2291,7 @@ static inline zend_object_value date_object_new_period_ex(zend_class_entry *clas
 }
 zend_object_std_init(&intern->std, class_type TSRMLS_CC);
- zend_hash_copy(intern->std.properties, &class_type->default_properties, (copy_ctor_func_t) zval_add_ref, (void *) &tmp, sizeof(zval *));
+ zend_hash_copy(intern->std.properties, &class_type->default_properties, (copy_ctor_func_t) zval_property_ctor, (void *) &tmp, sizeof(zval *));
 retval.handle = zend_objects_store_put(intern, (zend_objects_store_dtor_t)zend_objects_destroy_object, (zend_objects_free_object_storage_t) date_object_free_storage_period, NULL TSRMLS_CC);
 retval.handlers = &date_object_handlers_period;
diff --git a/ext/fileinfo/fileinfo.c b/ext/fileinfo/fileinfo.c
index 2c0e39a714..36c5e392eb 100644
--- a/ext/fileinfo/fileinfo.c
+++ b/ext/fileinfo/fileinfo.c
@@ -104,7 +104,7 @@ PHP_FILEINFO_API zend_object_value finfo_objects_new(zend_class_entry *class_typ
 memset(intern, 0, sizeof(struct finfo_object));
 zend_object_std_init(&intern->zo, class_type TSRMLS_CC);
- zend_hash_copy(intern->zo.properties, &class_type->default_properties, (copy_ctor_func_t) zval_add_ref,(void *) &tmp, sizeof(zval *));
+ zend_hash_copy(intern->zo.properties, &class_type->default_properties, (copy_ctor_func_t) zval_property_ctor,(void *) &tmp, sizeof(zval *));
 intern->ptr = NULL;
diff --git a/ext/pdo/pdo_dbh.c b/ext/pdo/pdo_dbh.c
index 1c3bb8a8b3..6b3ba3bb1b 100755
--- a/ext/pdo/pdo_dbh.c
+++ b/ext/pdo/pdo_dbh.c
@@ -1580,7 +1580,7 @@ zend_object_value pdo_dbh_new(zend_class_entry *ce TSRMLS_DC)
 dbh->refcount = 1;
 ALLOC_HASHTABLE(dbh->properties);
 zend_hash_init(dbh->properties, 0, NULL, ZVAL_PTR_DTOR, 0);
- zend_hash_copy(dbh->properties, &ce->default_properties, (copy_ctor_func_t) zval_add_ref, (void *) &tmp, sizeof(zval *));
+ zend_hash_copy(dbh->properties, &ce->default_properties, (copy_ctor_func_t) zval_property_ctor, (void *) &tmp, sizeof(zval *));
 dbh->def_stmt_ce = pdo_dbstmt_ce;
 retval.handle = zend_objects_store_put(dbh, (zend_objects_store_dtor_t)zend_objects_destroy_object, (zend_objects_free_object_storage_t)pdo_dbh_free_storage, NULL TSRMLS_CC);
diff --git a/ext/pdo/pdo_stmt.c b/ext/pdo/pdo_stmt.c
index f2828499f7..0cf0cf852a 100755
--- a/ext/pdo/pdo_stmt.c
+++ b/ext/pdo/pdo_stmt.c
@@ -2466,7 +2466,7 @@ zend_object_value pdo_dbstmt_new(zend_class_entry *ce TSRMLS_DC)
 stmt->refcount = 1;
 ALLOC_HASHTABLE(stmt->properties);
 zend_hash_init(stmt->properties, 0, NULL, ZVAL_PTR_DTOR, 0);
- zend_hash_copy(stmt->properties, &ce->default_properties, (copy_ctor_func_t) zval_add_ref, (void *) &tmp, sizeof(zval *));
+ zend_hash_copy(stmt->properties, &ce->default_properties, (copy_ctor_func_t) zval_property_ctor, (void *) &tmp, sizeof(zval *));
 retval.handle = zend_objects_store_put(stmt, (zend_objects_store_dtor_t)zend_objects_destroy_object, (zend_objects_free_object_storage_t)pdo_dbstmt_free_storage, (zend_objects_store_clone_t)dbstmt_clone_obj TSRMLS_CC);
 retval.handlers = &pdo_dbstmt_object_handlers;
diff --git a/ext/reflection/php_reflection.c b/ext/reflection/php_reflection.c
index 180ce8f91a..e98652ba23 100644
--- a/ext/reflection/php_reflection.c
+++ b/ext/reflection/php_reflection.c
@@ -314,7 +314,7 @@ static zend_object_value reflection_objects_new(zend_class_entry *class_type TSR
 intern->zo.ce = class_type;
 zend_object_std_init(&intern->zo, class_type TSRMLS_CC);
- zend_hash_copy(intern->zo.properties, &class_type->default_properties, (copy_ctor_func_t) zval_add_ref, (void *) &tmp, sizeof(zval *));
+ zend_hash_copy(intern->zo.properties, &class_type->default_properties, (copy_ctor_func_t) zval_property_ctor, (void *) &tmp, sizeof(zval *));
 retval.handle = zend_objects_store_put(intern, NULL, reflection_free_objects_storage, NULL TSRMLS_CC);
 retval.handlers = &reflection_object_handlers;
 return retval;
diff --git a/ext/soap/soap.c b/ext/soap/soap.c
index 87391ab76d..120f78071b 100644
--- a/ext/soap/soap.c
+++ b/ext/soap/soap.c
@@ -1265,7 +1265,7 @@ PHP_METHOD(SoapServer, SoapServer)
 ALLOC_HASHTABLE(service->class_map);
 zend_hash_init(service->class_map, zend_hash_num_elements((*tmp)->value.ht), NULL, ZVAL_PTR_DTOR, 0);
- zend_hash_copy(service->class_map, (*tmp)->value.ht, (copy_ctor_func_t) zval_add_ref, (void *) &ztmp, sizeof(zval *));
+ zend_hash_copy(service->class_map, (*tmp)->value.ht, (copy_ctor_func_t) zval_property_ctor, (void *) &ztmp, sizeof(zval *));
 }
 if (zend_hash_find(ht, "typemap", sizeof("typemap"), (void**)&tmp) == SUCCESS &&
diff --git a/ext/spl/spl_array.c b/ext/spl/spl_array.c
index 5bbab907e4..80ca5be612 100755
--- a/ext/spl/spl_array.c
+++ b/ext/spl/spl_array.c
@@ -174,7 +174,7 @@ static zend_object_value spl_array_object_new_ex(zend_class_entry *class_type, s
 ALLOC_INIT_ZVAL(intern->retval);
 zend_object_std_init(&intern->std, class_type TSRMLS_CC);
- zend_hash_copy(intern->std.properties, &class_type->default_properties, (copy_ctor_func_t) zval_add_ref, (void *) &tmp, sizeof(zval *));
+ zend_hash_copy(intern->std.properties, &class_type->default_properties, (copy_ctor_func_t) zval_property_ctor, (void *) &tmp, sizeof(zval *));
 intern->ar_flags = 0;
 intern->serialize_data = NULL;
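Review bot: In the soap.c hunk the table being copied is `(*tmp)->value.ht`, apparently an array taken from the constructor's options and stored in `service->class_map`, not a class entry's `default_properties`, so this site does not obviously belong to the bug the commit message describes. If `zval_property_ctor` duplicates each element (its definition is not part of this diff), the change alters how caller-supplied values are retained: they are copied instead of sharing the caller's zvals, and a constructor named for properties is now applied to a non-property table. I would add a comment at the call, e.g. `/* class_map entries are copied, not shared with the options array */`, and have the commit message state why this table needs the same treatment. The enclosing PHP_METHOD body starts and ends outside the hunk.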
diff --git a/ext/spl/spl_directory.c b/ext/spl/spl_directory.c
index aaa256de7b..4f8edb5211 100755
--- a/ext/spl/spl_directory.c
+++ b/ext/spl/spl_directory.c
@@ -158,7 +158,7 @@ static zend_object_value spl_filesystem_object_new_ex(zend_class_entry *class_ty
 if (obj) *obj = intern;
 zend_object_std_init(&intern->std, class_type TSRMLS_CC);
- zend_hash_copy(intern->std.properties, &class_type->default_properties, (copy_ctor_func_t) zval_add_ref, (void *) &tmp, sizeof(zval *));
+ zend_hash_copy(intern->std.properties, &class_type->default_properties, (copy_ctor_func_t) zval_property_ctor, (void *) &tmp, sizeof(zval *));
 retval.handle = zend_objects_store_put(intern, (zend_objects_store_dtor_t) zend_objects_destroy_object, (zend_objects_free_object_storage_t) spl_filesystem_object_free_storage, NULL TSRMLS_CC);
 retval.handlers = &spl_filesystem_object_handlers;
diff --git a/ext/spl/spl_dllist.c b/ext/spl/spl_dllist.c
index 84afdd6849..0774857cc3 100644
--- a/ext/spl/spl_dllist.c
+++ b/ext/spl/spl_dllist.c
@@ -376,7 +376,7 @@ static zend_object_value spl_dllist_object_new_ex(zend_class_entry *class_type,
 ALLOC_INIT_ZVAL(intern->retval);
 zend_object_std_init(&intern->std, class_type TSRMLS_CC);
- zend_hash_copy(intern->std.properties, &class_type->default_properties, (copy_ctor_func_t) zval_add_ref, (void *) &tmp, sizeof(zval *));
+ zend_hash_copy(intern->std.properties, &class_type->default_properties, (copy_ctor_func_t) zval_property_ctor, (void *) &tmp, sizeof(zval *));
 intern->flags = 0;
 intern->traverse_position = 0;
diff --git a/ext/spl/spl_fixedarray.c b/ext/spl/spl_fixedarray.c
index 4cd78f3774..ee8f51eb33 100644
--- a/ext/spl/spl_fixedarray.c
+++ b/ext/spl/spl_fixedarray.c
@@ -215,7 +215,7 @@ static zend_object_value spl_fixedarray_object_new_ex(zend_class_entry *class_ty
 ALLOC_INIT_ZVAL(intern->retval);
 zend_object_std_init(&intern->std, class_type TSRMLS_CC);
- zend_hash_copy(intern->std.properties, &class_type->default_properties, (copy_ctor_func_t) zval_add_ref, (void *) &tmp, sizeof(zval *));
+ zend_hash_copy(intern->std.properties, &class_type->default_properties, (copy_ctor_func_t) zval_property_ctor, (void *) &tmp, sizeof(zval *));
 intern->current = 0;
 intern->flags = 0;
diff --git a/ext/spl/spl_heap.c b/ext/spl/spl_heap.c
index a0055f410d..a663422a27 100644
--- a/ext/spl/spl_heap.c
+++ b/ext/spl/spl_heap.c
@@ -394,7 +394,7 @@ static zend_object_value spl_heap_object_new_ex(zend_class_entry *class_type, sp
 ALLOC_INIT_ZVAL(intern->retval);
 zend_object_std_init(&intern->std, class_type TSRMLS_CC);
- zend_hash_copy(intern->std.properties, &class_type->default_properties, (copy_ctor_func_t) zval_add_ref, (void *) &tmp, sizeof(zval *));
+ zend_hash_copy(intern->std.properties, &class_type->default_properties, (copy_ctor_func_t) zval_property_ctor, (void *) &tmp, sizeof(zval *));
 intern->flags = 0;
 intern->fptr_cmp = NULL;
diff --git a/ext/spl/spl_iterators.c b/ext/spl/spl_iterators.c
index ddcdedbd69..eecd483ba7 100755
--- a/ext/spl/spl_iterators.c
+++ b/ext/spl/spl_iterators.c
@@ -921,7 +921,7 @@ static zend_object_value spl_RecursiveIteratorIterator_new_ex(zend_class_entry *
 }
 zend_object_std_init(&intern->std, class_type TSRMLS_CC);
- zend_hash_copy(intern->std.properties, &class_type->default_properties, (copy_ctor_func_t) zval_add_ref, (void *) &tmp, sizeof(zval *));
+ zend_hash_copy(intern->std.properties, &class_type->default_properties, (copy_ctor_func_t) zval_property_ctor, (void *) &tmp, sizeof(zval *));
 retval.handle = zend_objects_store_put(intern, (zend_objects_store_dtor_t)spl_RecursiveIteratorIterator_dtor, (zend_objects_free_object_storage_t) spl_RecursiveIteratorIterator_free_storage, NULL TSRMLS_CC);
 retval.handlers = &spl_handlers_rec_it_it;
diff --git a/ext/spl/spl_observer.c b/ext/spl/spl_observer.c
index a1e497ec5e..85bbeec731 100755
--- a/ext/spl/spl_observer.c
+++ b/ext/spl/spl_observer.c
@@ -206,7 +206,7 @@ static zend_object_value spl_object_storage_new_ex(zend_class_entry *class_type,
 *obj = intern;
 zend_object_std_init(&intern->std, class_type TSRMLS_CC);
- zend_hash_copy(intern->std.properties, &class_type->default_properties, (copy_ctor_func_t) zval_add_ref, (void *) &tmp, sizeof(zval *));
+ zend_hash_copy(intern->std.properties, &class_type->default_properties, (copy_ctor_func_t) zval_property_ctor, (void *) &tmp, sizeof(zval *));
 zend_hash_init(&intern->storage, 0, NULL, (void (*)(void *))spl_object_storage_dtor, 0);
diff --git a/ext/sqlite/sqlite.c b/ext/sqlite/sqlite.c
index 15517db909..a7070a9b06 100644
--- a/ext/sqlite/sqlite.c
+++ b/ext/sqlite/sqlite.c
@@ -1166,7 +1166,7 @@ static void sqlite_object_new(zend_class_entry *class_type, zend_object_handlers
 memset(intern, 0, sizeof(sqlite_object));
 zend_object_std_init(&intern->std, class_type TSRMLS_CC);
- zend_hash_copy(intern->std.properties, &class_type->default_properties, (copy_ctor_func_t) zval_add_ref, (void *) &tmp, sizeof(zval *));
+ zend_hash_copy(intern->std.properties, &class_type->default_properties, (copy_ctor_func_t) zval_property_ctor, (void *) &tmp, sizeof(zval *));
 retval->handle = zend_objects_store_put(intern, (zend_objects_store_dtor_t)zend_objects_destroy_object, (zend_objects_free_object_storage_t) sqlite_object_free_storage, NULL TSRMLS_CC);
 retval->handlers = handlers;
diff --git a/ext/sqlite3/sqlite3.c b/ext/sqlite3/sqlite3.c
index e793206624..d3314d3f86 100644
--- a/ext/sqlite3/sqlite3.c
+++ b/ext/sqlite3/sqlite3.c
@@ -2134,7 +2134,7 @@ static zend_object_value php_sqlite3_object_new(zend_class_entry *class_type TSR
 zend_llist_init(&(intern->free_list), sizeof(php_sqlite3_free_list *), (llist_dtor_func_t)php_sqlite3_free_list_dtor, 0);
 zend_object_std_init(&intern->zo, class_type TSRMLS_CC);
- zend_hash_copy(intern->zo.properties, &class_type->default_properties, (copy_ctor_func_t) zval_add_ref,(void *) &tmp, sizeof(zval *));
+ zend_hash_copy(intern->zo.properties, &class_type->default_properties, (copy_ctor_func_t) zval_property_ctor,(void *) &tmp, sizeof(zval *));
 retval.handle = zend_objects_store_put(intern, NULL, (zend_objects_free_object_storage_t) php_sqlite3_object_free_storage, NULL TSRMLS_CC);
 retval.handlers = (zend_object_handlers *) &sqlite3_object_handlers;
@@ -2156,7 +2156,7 @@ static zend_object_value php_sqlite3_stmt_object_new(zend_class_entry *class_typ
 intern->db_obj_zval = NULL;
 zend_object_std_init(&intern->zo, class_type TSRMLS_CC);
- zend_hash_copy(intern->zo.properties, &class_type->default_properties, (copy_ctor_func_t) zval_add_ref,(void *) &tmp, sizeof(zval *));
+ zend_hash_copy(intern->zo.properties, &class_type->default_properties, (copy_ctor_func_t) zval_property_ctor,(void *) &tmp, sizeof(zval *));
 retval.handle = zend_objects_store_put(intern, NULL, (zend_objects_free_object_storage_t) php_sqlite3_stmt_object_free_storage, NULL TSRMLS_CC);
 retval.handlers = (zend_object_handlers *) &sqlite3_stmt_object_handlers;
@@ -2180,7 +2180,7 @@ static zend_object_value php_sqlite3_result_object_new(zend_class_entry *class_t
 intern->stmt_obj_zval = NULL;
 zend_object_std_init(&intern->zo, class_type TSRMLS_CC);
- zend_hash_copy(intern->zo.properties, &class_type->default_properties, (copy_ctor_func_t) zval_add_ref,(void *) &tmp, sizeof(zval *));
+ zend_hash_copy(intern->zo.properties, &class_type->default_properties, (copy_ctor_func_t) zval_property_ctor,(void *) &tmp, sizeof(zval *));
 retval.handle = zend_objects_store_put(intern, NULL, (zend_objects_free_object_storage_t) php_sqlite3_result_object_free_storage, NULL TSRMLS_CC);
 retval.handlers = (zend_object_handlers *) &sqlite3_result_object_handlers;
diff --git a/ext/tidy/tidy.c b/ext/tidy/tidy.c
index 619d5a3a6a..529929342f 100644
--- a/ext/tidy/tidy.c
+++ b/ext/tidy/tidy.c
@@ -687,7 +687,7 @@ static void tidy_object_new(zend_class_entry *class_type, zend_object_handlers *
 memset(intern, 0, sizeof(PHPTidyObj));
 zend_object_std_init(&intern->std, class_type TSRMLS_CC);
- zend_hash_copy(intern->std.properties, &class_type->default_properties, (copy_ctor_func_t) zval_add_ref, (void *) &tmp, sizeof(zval *));
+ zend_hash_copy(intern->std.properties, &class_type->default_properties, (copy_ctor_func_t) zval_property_ctor, (void *) &tmp, sizeof(zval *));
 switch(objtype) {
 case is_node:
diff --git a/ext/xmlreader/php_xmlreader.c b/ext/xmlreader/php_xmlreader.c
index 4ffdb179ff..7a4cd0e718 100644
--- a/ext/xmlreader/php_xmlreader.c
+++ b/ext/xmlreader/php_xmlreader.c
@@ -401,7 +401,7 @@ zend_object_value xmlreader_objects_new(zend_class_entry *class_type TSRMLS_DC)
 intern->prop_handler = &xmlreader_prop_handlers;
 zend_object_std_init(&intern->std, class_type TSRMLS_CC);
- zend_hash_copy(intern->std.properties, &class_type->default_properties, (copy_ctor_func_t) zval_add_ref, (void *) &tmp, sizeof(zval *));
+ zend_hash_copy(intern->std.properties, &class_type->default_properties, (copy_ctor_func_t) zval_property_ctor, (void *) &tmp, sizeof(zval *));
 retval.handle = zend_objects_store_put(intern, (zend_objects_store_dtor_t)zend_objects_destroy_object, (zend_objects_free_object_storage_t) xmlreader_objects_free_storage, xmlreader_objects_clone TSRMLS_CC);
 intern->handle = retval.handle;
 retval.handlers = &xmlreader_object_handlers;
diff --git a/ext/xmlwriter/php_xmlwriter.c b/ext/xmlwriter/php_xmlwriter.c
index 588ca4bf3a..c1152eb113 100644
--- a/ext/xmlwriter/php_xmlwriter.c
+++ b/ext/xmlwriter/php_xmlwriter.c
@@ -151,7 +151,7 @@ static zend_object_value xmlwriter_object_new(zend_class_entry *class_type TSRML
 intern->xmlwriter_ptr = NULL;
 zend_object_std_init(&intern->zo, class_type TSRMLS_CC);
- zend_hash_copy(intern->zo.properties, &class_type->default_properties, (copy_ctor_func_t) zval_add_ref,
+ zend_hash_copy(intern->zo.properties, &class_type->default_properties, (copy_ctor_func_t) zval_property_ctor,
 (void *) &tmp, sizeof(zval *));
 retval.handle = zend_objects_store_put(intern,
diff --git a/ext/xsl/php_xsl.c b/ext/xsl/php_xsl.c
index 7262e7804a..6f7237d57d 100644
--- a/ext/xsl/php_xsl.c
+++ b/ext/xsl/php_xsl.c
@@ -129,7 +129,7 @@ zend_object_value xsl_objects_new(zend_class_entry *class_type TSRMLS_DC)
 intern->profiling = NULL;
 zend_object_std_init(&intern->std, class_type TSRMLS_CC);
- zend_hash_copy(intern->std.properties, &class_type->default_properties, (copy_ctor_func_t) zval_add_ref, (void *) &tmp, sizeof(zval *));
+ zend_hash_copy(intern->std.properties, &class_type->default_properties, (copy_ctor_func_t) zval_property_ctor, (void *) &tmp, sizeof(zval *));
 ALLOC_HASHTABLE(intern->parameter);
 zend_hash_init(intern->parameter, 0, NULL, ZVAL_PTR_DTOR, 0);
 ALLOC_HASHTABLE(intern->registered_phpfunctions);
diff --git a/ext/zip/php_zip.c b/ext/zip/php_zip.c
index e6a30a0066..75f98b591f 100644
--- a/ext/zip/php_zip.c
+++ b/ext/zip/php_zip.c
@@ -1104,7 +1104,7 @@ static zend_object_value php_zip_object_new(zend_class_entry *class_type TSRMLS_
 intern->zo.ce = class_type;
 #endif
- zend_hash_copy(intern->zo.properties, &class_type->default_properties, (copy_ctor_func_t) zval_add_ref,
+ zend_hash_copy(intern->zo.properties, &class_type->default_properties, (copy_ctor_func_t) zval_property_ctor,
 (void *) &tmp, sizeof(zval *));
 retval.handle = zend_objects_store_put(intern,
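Review bot: In the php_zip.c hunk the changed call sits directly after an `#endif`, so php_zip_object_new evidently has version- or build-conditional paths, while the new `zval_property_ctor` reference is outside any such guard. If this file is still expected to build against engine versions that do not declare `zval_property_ctor` (not determinable from the hunk), the call needs a matching guard that falls back to `zval_add_ref` there. The opening `#if` and the start and end of the function are outside the hunk.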