From 79864e31c1499f6dd0c9fb1ba4ff076ec7c19783 Mon Sep 17 00:00:00 2001 From: Dmitry Stogov Date: Fri, 29 Apr 2005 07:03:35 +0000 Subject: [PATCH] Fixed bug #32852 (Crash with singleton and __destruct when zend.ze1_compatibility_mode = On) Fixed bug #31828 (Crash with zend.ze1_compatibility_mode=On) Fixed bug #32080 (segfault when assigning object to itself with zend.ze1_compatibility_mode=On) --- NEWS | 5 +++++ Zend/tests/bug31828.phpt | 19 +++++++++++++++++++ Zend/tests/bug32080.phpt | 14 ++++++++++++++ Zend/tests/bug32852.phpt | 37 +++++++++++++++++++++++++++++++++++++ Zend/zend_execute.c | 26 +++++++++++++++----------- 5 files changed, 90 insertions(+), 11 deletions(-) create mode 100644 Zend/tests/bug31828.phpt create mode 100644 Zend/tests/bug32080.phpt create mode 100644 Zend/tests/bug32852.phpt diff --git a/NEWS b/NEWS index d8922921b3..26a2db0781 100644 --- a/NEWS +++ b/NEWS @@ -9,6 +9,8 @@ PHP NEWS - Fixed ext/mysqli to allocate less memory when fetching bound params of type (MEDIUM|LONG)BLOB/(MEDIUM|LONG)TEXT. (Andrey) - Fixed memory corruption in ImageTTFText() with 64bit systems. (Andrey) +- Fixed bug #32852 (Crash with singleton and __destruct when + zend.ze1_compatibility_mode = On). (Dmitry) - Fixed bug #32813 (parse_url() does not handle scheme-only urls properly). (Ilia) - Fixed bug #32809 (Missing T1LIB support on Windows). (Edin) - Fixed bug #32802 (General cookie overrides more specific cookie). (Ilia) 
@@ -46,10 +48,13 @@ PHP NEWS - Fixed bug #32282 (Segfault in mysqli_fetch_array on 64-bit). (Georg) - Fixed bug #32245 (xml_parser_free() in a function assigned to the xml parser gives a segfault). (Rob) +- Fixed bug #32080 (segfault when assigning object to itself with + zend.ze1_compatibility_mode=On). (Dmitry) - Fixed bug #32013 (ext/mysqli bind_result causes fatal error: memory limit). (Andrey) - Fixed bug #31887 (ISAPI: Custom 5xx error does not return correct HTTP response message). (Jani) +- Fixed bug #31828 (Crash with zend.ze1_compatibility_mode=On). (Dmitry) - Fixed bug #31668 (multi_query works exactly every other time - multi query d/e flag global and not per connection). (Andrey) - Fixed bug #31636 (another crash when echoing a COM object). (Wez) diff --git a/Zend/tests/bug31828.phpt b/Zend/tests/bug31828.phpt new file mode 100644 index 0000000000..a2651d3e24 --- /dev/null +++ b/Zend/tests/bug31828.phpt @@ -0,0 +1,19 @@ +--TSTE-- +Bug #31828 (Crash with zend.ze1_compatibility_mode=On) +--INI-- +zend.ze1_compatibility_mode=on +--FILE-- +id = 77; +$o->name = "Aerospace"; +$a[] = $o; +$a = $a[0]; +print_r($a); +?> +--EXPECT-- +stdClass Object +( + [id] => 77 + [name] => Aerospace +) diff --git a/Zend/tests/bug32080.phpt b/Zend/tests/bug32080.phpt new file mode 100644 index 0000000000..c6430235c1 --- /dev/null +++ b/Zend/tests/bug32080.phpt @@ -0,0 +1,14 @@ +--TSTE-- +Bug #32080 (segfault when assigning object to itself with zend.ze1_compatibility_mode=On) +--INI-- +zend.ze1_compatibility_mode=on +--FILE-- + +--EXPECT-- +object(test)#2 (0) { +} diff --git a/Zend/tests/bug32852.phpt b/Zend/tests/bug32852.phpt new file mode 100644 index 0000000000..7f2b14df21 --- /dev/null +++ b/Zend/tests/bug32852.phpt 
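Review bot: The first section marker in the new Zend/tests/bug31828.phpt is spelled `--TSTE--`, and Zend/tests/bug32080.phpt has the same typo, whereas bug32852.phpt uses `--TEST--`. A test runner that keys on the `--TEST--` header will presumably reject or mis-parse both files, so these two crash regressions would go unverified; change both lines to `--TEST--`. The PHP bodies of the tests are not legible on this page, so they are not reviewed here.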
@@ -0,0 +1,37 @@
+--TEST--
+Bug #32852 (Crash with singleton and __destruct when zend.ze1_compatibility_mode = On)
+--INI--
+zend.ze1_compatibility_mode=on
+--FILE--
+
+--EXPECTF--
+Strict Standards: Implicit cloning object of class 'crashme' because of 'zend.ze1_compatibility_mode' in %sbug32852.php on line 6
+i'm called
+
+Strict Standards: Implicit cloning object of class 'crashme' because of 'zend.ze1_compatibility_mode' in %sbug32852.php on line 15
+i'm called
+
+Strict Standards: Implicit cloning object of class 'crashme' because of 'zend.ze1_compatibility_mode' in %sbug32852.php on line 17
+i'm called
+i'm called
diff --git a/Zend/zend_execute.c b/Zend/zend_execute.c
index a1512d8c2d..e282f9056f 100644
--- a/Zend/zend_execute.c
+++ b/Zend/zend_execute.c
@@ -568,7 +568,7 @@ static inline void zend_assign_to_variable(znode *result, znode *op1, znode *op2
 if (Z_OBJ_HANDLER_P(value, clone_obj) == NULL) {
 zend_error(E_ERROR, "Trying to clone an uncloneable object of class %s", Z_OBJCE_P(value)->name);
 } else if (PZVAL_IS_REF(variable_ptr)) {
- if (variable_ptr != value) {
+ if (variable_ptr != value) {
 zend_uint refcount = variable_ptr->refcount;
 zval garbage;
 
@@ -587,17 +587,21 @@ static inline void zend_assign_to_variable(znode *result, znode *op1, znode *op2
 zendi_zval_dtor(garbage);
 }
 } else {
- variable_ptr->refcount--;
- if (variable_ptr->refcount == 0) {
- zendi_zval_dtor(*variable_ptr);
- } else {
- ALLOC_ZVAL(variable_ptr);
- *variable_ptr_ptr = variable_ptr;
+ if (variable_ptr != value) {
+ value->refcount++;
+ variable_ptr->refcount--;
+ if (variable_ptr->refcount == 0) {
+ zendi_zval_dtor(*variable_ptr);
+ } else {
+ ALLOC_ZVAL(variable_ptr);
+ *variable_ptr_ptr = variable_ptr;
+ }
+ *variable_ptr = *value;
+ INIT_PZVAL(variable_ptr);
+ zend_error(E_STRICT, "Implicit cloning object of class '%s' because of 'zend.ze1_compatibility_mode'", Z_OBJCE_P(value)->name);
+ variable_ptr->value.obj = Z_OBJ_HANDLER_P(value, clone_obj)(value TSRMLS_CC);
+ zval_ptr_dtor(&value);
 }
- *variable_ptr = *value;
- INIT_PZVAL(variable_ptr);
- zend_error(E_STRICT, "Implicit cloning object of class '%s' because of 'zend.ze1_compatibility_mode'", Z_OBJCE_P(value)->name);
- variable_ptr->value.obj = Z_OBJ_HANDLER_P(value, clone_obj)(value TSRMLS_CC);
 }
 } else if (PZVAL_IS_REF(variable_ptr)) {
 if (variable_ptr!=value) {
--
2.50.1
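Review bot: In the new non-reference branch, `zend_error(E_STRICT, ...)` is still raised between `INIT_PZVAL(variable_ptr)` and the `clone_obj` call, while `variable_ptr` holds a bitwise copy of `value`'s object handle without owning a reference to it. If a user error handler can run at that point (not visible from this hunk), script code would see or overwrite the variable in that half-assigned state, which is the same class of lifetime bug this commit fixes for destructors. Consider storing the clone first and raising the notice afterwards, still before `zval_ptr_dtor(&value)`. The `value->refcount++` / `zval_ptr_dtor(&value)` pair also deserves a comment such as `/* pin value: destroying the old variable may run __destruct and release the last reference to it */`. Since that release can free `value`, nothing after it may read `value`; zend_assign_to_variable continues outside the hunk, so this should be confirmed there.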