From d54220bc795a7025a162c61128c98a7af14087a4 Mon Sep 17 00:00:00 2001 From: Asher Baker Date: Tue, 18 Jun 2019 15:05:38 +0100 Subject: [PATCH] Fix #78173: XML-RPC mutates immutable objects during encoding With opcache.protect_memory=1 enabled, the XML-RPC extension causes a segfault on PHP 7.2 as it is modifying the recursion counter of objects it touches, without first checking if they are immutable or not. This doesn't affect 7.3+ --- NEWS | 3 +++ ext/xmlrpc/xmlrpc-epi-php.c | 6 +++--- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/NEWS b/NEWS index d02a6ce985..92de1e479e 100644 --- a/NEWS +++ b/NEWS @@ -2,6 +2,9 @@ PHP NEWS ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||| ?? ??? 2019, PHP 7.2.21 +- XMLRPC: + . Fixed #78173 (XML-RPC mutates immutable objects during encoding). (Asher + Baker) 27 Jun 2019, PHP 7.2.20 diff --git a/ext/xmlrpc/xmlrpc-epi-php.c b/ext/xmlrpc/xmlrpc-epi-php.c index 36fbff123c..69d9658a77 100644 --- a/ext/xmlrpc/xmlrpc-epi-php.c +++ b/ext/xmlrpc/xmlrpc-epi-php.c @@ -556,7 +556,7 @@ static XMLRPC_VALUE PHP_to_XMLRPC_worker (const char* key, zval* in_val, int dep XMLRPC_VECTOR_TYPE vtype; ht = HASH_OF(&val); - if (ht && ht->u.v.nApplyCount > 1) { + if (ht && ZEND_HASH_APPLY_PROTECTION(ht) && ht->u.v.nApplyCount > 1) { zend_throw_error(NULL, "XML-RPC doesn't support circular references"); return NULL; } @@ -570,7 +570,7 @@ static XMLRPC_VALUE PHP_to_XMLRPC_worker (const char* key, zval* in_val, int dep ZEND_HASH_FOREACH_KEY_VAL(Z_ARRVAL(val_arr), num_index, my_key, pIter) { ZVAL_DEREF(pIter); ht = HASH_OF(pIter); - if (ht) { + if (ht && ZEND_HASH_APPLY_PROTECTION(ht)) { ht->u.v.nApplyCount++; } if (my_key == NULL) { @@ -587,7 +587,7 @@ static XMLRPC_VALUE PHP_to_XMLRPC_worker (const char* key, zval* in_val, int dep } else { XMLRPC_AddValueToVector(xReturn, PHP_to_XMLRPC_worker(ZSTR_VAL(my_key), pIter, depth++)); } - if (ht) { + if (ht && ZEND_HASH_APPLY_PROTECTION(ht)) { ht->u.v.nApplyCount--; } } ZEND_HASH_FOREACH_END(); -- 2.49.0