From e447baafa1cb697576bc6a9888a3e0ce1b9bb01e Mon Sep 17 00:00:00 2001 From: Dmitry Stogov Date: Wed, 26 Jul 2006 09:24:26 +0000 Subject: [PATCH] Fixed bug #38211 (variable name and cookie name match breaks script execution) --- NEWS | 2 + Zend/tests/bug38211.phpt | 10 +++++ Zend/zend_vm_def.h | 12 +++++- Zend/zend_vm_execute.h | 88 ++++++++++++++++++++++++++++++++++++++++ 4 files changed, 111 insertions(+), 1 deletion(-) create mode 100755 Zend/tests/bug38211.phpt diff --git a/NEWS b/NEWS index 8c0b3446a6..263262a286 100644 --- a/NEWS +++ b/NEWS @@ -11,6 +11,8 @@ PHP NEWS - Fixed bug #38217 (ReflectionClass::newInstanceArgs() tries to allocate too much memory). (Tony) +- Fixed bug #38211 (variable name and cookie name match breaks script + execution). (Dmitry) - Fixed bug #38194 (ReflectionClass::isSubclassOf() returns TRUE for the class itself). (Ilia) - Fixed bug #38132 (ReflectionClass::getStaticProperties() retains \0 in key diff --git a/Zend/tests/bug38211.phpt b/Zend/tests/bug38211.phpt new file mode 100755 index 0000000000..6ae9430e8b --- /dev/null +++ b/Zend/tests/bug38211.phpt @@ -0,0 +1,10 @@ +--TEST-- +Bug #38211 (variable name and cookie name match breaks script execution) +--FILE-- + +--EXPECT-- +ok diff --git a/Zend/zend_vm_def.h b/Zend/zend_vm_def.h index 3cf632c49e..9d79dac650 100644 --- a/Zend/zend_vm_def.h +++ b/Zend/zend_vm_def.h 
@@ -2877,12 +2877,14 @@ ZEND_VM_HANDLER(74, ZEND_UNSET_VAR, CONST|TMP|VAR|CV, ANY) zval_copy_ctor(&tmp); convert_to_string(&tmp); varname = &tmp; + } else if (OP1_TYPE == IS_CV || OP1_TYPE == IS_VAR) { + varname->refcount++; } if (opline->op2.u.EA.type == ZEND_FETCH_STATIC_MEMBER) { zend_std_unset_static_property(EX_T(opline->op2.u.var).class_entry, Z_STRVAL_P(varname), Z_STRLEN_P(varname) TSRMLS_CC); } else { - target_symbol_table = zend_get_target_symbol_table(opline, EX(Ts), BP_VAR_IS, varname TSRMLS_CC); + target_symbol_table = zend_get_target_symbol_table(opline, EX(Ts), BP_VAR_IS, varname TSRMLS_CC); if (zend_hash_del(target_symbol_table, varname->value.str.val, varname->value.str.len+1) == SUCCESS) { zend_execute_data *ex = EXECUTE_DATA; ulong hash_value = zend_inline_hash_func(varname->value.str.val, varname->value.str.len+1); @@ -2907,6 +2909,8 @@ ZEND_VM_HANDLER(74, ZEND_UNSET_VAR, CONST|TMP|VAR|CV, ANY) if (varname == &tmp) { zval_dtor(&tmp); + } else if (OP1_TYPE == IS_CV || OP1_TYPE == IS_VAR) { + zval_ptr_dtor(&varname); } FREE_OP1(); ZEND_VM_NEXT_OPCODE(); @@ -2940,6 +2944,9 @@ ZEND_VM_HANDLER(75, ZEND_UNSET_DIM, VAR|UNUSED|CV, CONST|TMP|VAR|CV) zend_hash_index_del(ht, index); break; case IS_STRING: + if (OP2_TYPE == IS_CV || OP2_TYPE == IS_VAR) { + offset->refcount++; + } if (zend_symtable_del(ht, offset->value.str.val, offset->value.str.len+1) == SUCCESS && ht == &EG(symbol_table)) { zend_execute_data *ex; @@ -2960,6 +2967,9 @@ ZEND_VM_HANDLER(75, ZEND_UNSET_DIM, VAR|UNUSED|CV, CONST|TMP|VAR|CV) } } } + if (OP2_TYPE == IS_CV || OP2_TYPE == IS_VAR) { + zval_ptr_dtor(&offset); + } break; case IS_NULL: zend_hash_del(ht, "", sizeof("")); diff --git a/Zend/zend_vm_execute.h b/Zend/zend_vm_execute.h index c42937d0f9..badd178321 100644 --- a/Zend/zend_vm_execute.h +++ b/Zend/zend_vm_execute.h 
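Review bot: The `varname->refcount++` added to ZEND_UNSET_VAR carries no comment, and an unexplained bare increment on the name zval reads like a leak to the next maintainer. The hunk shows what it guards: after `zend_hash_del()` the handler still reads `varname->value.str.val` for `zend_inline_hash_func()`, so if the deleted entry was the zval that carries the name, that read could touch freed memory. I would put `/* pin the name: the delete below may release the zval that holds it */` above the increment and `/* drop the pin taken before the delete */` above the matching `zval_ptr_dtor(&varname)` in the -2907 hunk. The `target_symbol_table = ...` line is also removed and re-added with no difference visible here, presumably whitespace only, and could be left out of the fix. The handler body begins and ends outside both hunks.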
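Review bot: In ZEND_UNSET_DIM (the -2940 hunk) the pin on `offset` is taken only inside `case IS_STRING`, unlike ZEND_UNSET_VAR where it spans the rest of the handler, and nothing states why the narrower scope is sufficient. The visible sibling cases support it, since `zend_hash_index_del(ht, index)` works from a local and the `IS_NULL` case from a literal. The lines between this hunk and the release in the -2960 hunk are not shown, so whether every path through them reaches `zval_ptr_dtor(&offset)` cannot be confirmed from the page. A comment at the increment such as `/* offset may be stored in ht; keep it alive until this case is done with it */` would record the pairing and warn against adding an exit that skips the release.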
@@ -2037,6 +2037,8 @@ static int ZEND_UNSET_VAR_SPEC_CONST_HANDLER(ZEND_OPCODE_HANDLER_ARGS) zval_copy_ctor(&tmp); convert_to_string(&tmp); varname = &tmp; + } else if (IS_CONST == IS_CV || IS_CONST == IS_VAR) { + varname->refcount++; } if (opline->op2.u.EA.type == ZEND_FETCH_STATIC_MEMBER) { @@ -2067,6 +2069,8 @@ static int ZEND_UNSET_VAR_SPEC_CONST_HANDLER(ZEND_OPCODE_HANDLER_ARGS) if (varname == &tmp) { zval_dtor(&tmp); + } else if (IS_CONST == IS_CV || IS_CONST == IS_VAR) { + zval_ptr_dtor(&varname); } ZEND_VM_NEXT_OPCODE(); @@ -4547,6 +4551,8 @@ static int ZEND_UNSET_VAR_SPEC_TMP_HANDLER(ZEND_OPCODE_HANDLER_ARGS) zval_copy_ctor(&tmp); convert_to_string(&tmp); varname = &tmp; + } else if (IS_TMP_VAR == IS_CV || IS_TMP_VAR == IS_VAR) { + varname->refcount++; } if (opline->op2.u.EA.type == ZEND_FETCH_STATIC_MEMBER) { @@ -4577,6 +4583,8 @@ static int ZEND_UNSET_VAR_SPEC_TMP_HANDLER(ZEND_OPCODE_HANDLER_ARGS) if (varname == &tmp) { zval_dtor(&tmp); + } else if (IS_TMP_VAR == IS_CV || IS_TMP_VAR == IS_VAR) { + zval_ptr_dtor(&varname); } zval_dtor(free_op1.var); ZEND_VM_NEXT_OPCODE(); @@ -7639,6 +7647,8 @@ static int ZEND_UNSET_VAR_SPEC_VAR_HANDLER(ZEND_OPCODE_HANDLER_ARGS) zval_copy_ctor(&tmp); convert_to_string(&tmp); varname = &tmp; + } else if (IS_VAR == IS_CV || IS_VAR == IS_VAR) { + varname->refcount++; } if (opline->op2.u.EA.type == ZEND_FETCH_STATIC_MEMBER) { @@ -7669,6 +7679,8 @@ static int ZEND_UNSET_VAR_SPEC_VAR_HANDLER(ZEND_OPCODE_HANDLER_ARGS) if (varname == &tmp) { zval_dtor(&tmp); + } else if (IS_VAR == IS_CV || IS_VAR == IS_VAR) { + zval_ptr_dtor(&varname); } if (free_op1.var) {zval_ptr_dtor(&free_op1.var);}; ZEND_VM_NEXT_OPCODE(); 
@@ -9305,6 +9317,9 @@ static int ZEND_UNSET_DIM_SPEC_VAR_CONST_HANDLER(ZEND_OPCODE_HANDLER_ARGS) zend_hash_index_del(ht, index); break; case IS_STRING: + if (IS_CONST == IS_CV || IS_CONST == IS_VAR) { + offset->refcount++; + } if (zend_symtable_del(ht, offset->value.str.val, offset->value.str.len+1) == SUCCESS && ht == &EG(symbol_table)) { zend_execute_data *ex; @@ -9325,6 +9340,9 @@ static int ZEND_UNSET_DIM_SPEC_VAR_CONST_HANDLER(ZEND_OPCODE_HANDLER_ARGS) } } } + if (IS_CONST == IS_CV || IS_CONST == IS_VAR) { + zval_ptr_dtor(&offset); + } break; case IS_NULL: zend_hash_del(ht, "", sizeof("")); @@ -10774,6 +10792,9 @@ static int ZEND_UNSET_DIM_SPEC_VAR_TMP_HANDLER(ZEND_OPCODE_HANDLER_ARGS) zend_hash_index_del(ht, index); break; case IS_STRING: + if (IS_TMP_VAR == IS_CV || IS_TMP_VAR == IS_VAR) { + offset->refcount++; + } if (zend_symtable_del(ht, offset->value.str.val, offset->value.str.len+1) == SUCCESS && ht == &EG(symbol_table)) { zend_execute_data *ex; @@ -10794,6 +10815,9 @@ static int ZEND_UNSET_DIM_SPEC_VAR_TMP_HANDLER(ZEND_OPCODE_HANDLER_ARGS) } } } + if (IS_TMP_VAR == IS_CV || IS_TMP_VAR == IS_VAR) { + zval_ptr_dtor(&offset); + } break; case IS_NULL: zend_hash_del(ht, "", sizeof("")); @@ -12281,6 +12305,9 @@ static int ZEND_UNSET_DIM_SPEC_VAR_VAR_HANDLER(ZEND_OPCODE_HANDLER_ARGS) zend_hash_index_del(ht, index); break; case IS_STRING: + if (IS_VAR == IS_CV || IS_VAR == IS_VAR) { + offset->refcount++; + } if (zend_symtable_del(ht, offset->value.str.val, offset->value.str.len+1) == SUCCESS && ht == &EG(symbol_table)) { zend_execute_data *ex; @@ -12301,6 +12328,9 @@ static int ZEND_UNSET_DIM_SPEC_VAR_VAR_HANDLER(ZEND_OPCODE_HANDLER_ARGS) } } } + if (IS_VAR == IS_CV || IS_VAR == IS_VAR) { + zval_ptr_dtor(&offset); + } break; case IS_NULL: zend_hash_del(ht, "", sizeof("")); 
@@ -14211,6 +14241,9 @@ static int ZEND_UNSET_DIM_SPEC_VAR_CV_HANDLER(ZEND_OPCODE_HANDLER_ARGS) zend_hash_index_del(ht, index); break; case IS_STRING: + if (IS_CV == IS_CV || IS_CV == IS_VAR) { + offset->refcount++; + } if (zend_symtable_del(ht, offset->value.str.val, offset->value.str.len+1) == SUCCESS && ht == &EG(symbol_table)) { zend_execute_data *ex; @@ -14231,6 +14264,9 @@ static int ZEND_UNSET_DIM_SPEC_VAR_CV_HANDLER(ZEND_OPCODE_HANDLER_ARGS) } } } + if (IS_CV == IS_CV || IS_CV == IS_VAR) { + zval_ptr_dtor(&offset); + } break; case IS_NULL: zend_hash_del(ht, "", sizeof("")); @@ -15394,6 +15430,9 @@ static int ZEND_UNSET_DIM_SPEC_UNUSED_CONST_HANDLER(ZEND_OPCODE_HANDLER_ARGS) zend_hash_index_del(ht, index); break; case IS_STRING: + if (IS_CONST == IS_CV || IS_CONST == IS_VAR) { + offset->refcount++; + } if (zend_symtable_del(ht, offset->value.str.val, offset->value.str.len+1) == SUCCESS && ht == &EG(symbol_table)) { zend_execute_data *ex; @@ -15414,6 +15453,9 @@ static int ZEND_UNSET_DIM_SPEC_UNUSED_CONST_HANDLER(ZEND_OPCODE_HANDLER_ARGS) } } } + if (IS_CONST == IS_CV || IS_CONST == IS_VAR) { + zval_ptr_dtor(&offset); + } break; case IS_NULL: zend_hash_del(ht, "", sizeof("")); @@ -16458,6 +16500,9 @@ static int ZEND_UNSET_DIM_SPEC_UNUSED_TMP_HANDLER(ZEND_OPCODE_HANDLER_ARGS) zend_hash_index_del(ht, index); break; case IS_STRING: + if (IS_TMP_VAR == IS_CV || IS_TMP_VAR == IS_VAR) { + offset->refcount++; + } if (zend_symtable_del(ht, offset->value.str.val, offset->value.str.len+1) == SUCCESS && ht == &EG(symbol_table)) { zend_execute_data *ex; @@ -16478,6 +16523,9 @@ static int ZEND_UNSET_DIM_SPEC_UNUSED_TMP_HANDLER(ZEND_OPCODE_HANDLER_ARGS) } } } + if (IS_TMP_VAR == IS_CV || IS_TMP_VAR == IS_VAR) { + zval_ptr_dtor(&offset); + } break; case IS_NULL: zend_hash_del(ht, "", sizeof("")); 
@@ -17522,6 +17570,9 @@ static int ZEND_UNSET_DIM_SPEC_UNUSED_VAR_HANDLER(ZEND_OPCODE_HANDLER_ARGS) zend_hash_index_del(ht, index); break; case IS_STRING: + if (IS_VAR == IS_CV || IS_VAR == IS_VAR) { + offset->refcount++; + } if (zend_symtable_del(ht, offset->value.str.val, offset->value.str.len+1) == SUCCESS && ht == &EG(symbol_table)) { zend_execute_data *ex; @@ -17542,6 +17593,9 @@ static int ZEND_UNSET_DIM_SPEC_UNUSED_VAR_HANDLER(ZEND_OPCODE_HANDLER_ARGS) } } } + if (IS_VAR == IS_CV || IS_VAR == IS_VAR) { + zval_ptr_dtor(&offset); + } break; case IS_NULL: zend_hash_del(ht, "", sizeof("")); @@ -18958,6 +19012,9 @@ static int ZEND_UNSET_DIM_SPEC_UNUSED_CV_HANDLER(ZEND_OPCODE_HANDLER_ARGS) zend_hash_index_del(ht, index); break; case IS_STRING: + if (IS_CV == IS_CV || IS_CV == IS_VAR) { + offset->refcount++; + } if (zend_symtable_del(ht, offset->value.str.val, offset->value.str.len+1) == SUCCESS && ht == &EG(symbol_table)) { zend_execute_data *ex; @@ -18978,6 +19035,9 @@ static int ZEND_UNSET_DIM_SPEC_UNUSED_CV_HANDLER(ZEND_OPCODE_HANDLER_ARGS) } } } + if (IS_CV == IS_CV || IS_CV == IS_VAR) { + zval_ptr_dtor(&offset); + } break; case IS_NULL: zend_hash_del(ht, "", sizeof("")); @@ -20091,6 +20151,8 @@ static int ZEND_UNSET_VAR_SPEC_CV_HANDLER(ZEND_OPCODE_HANDLER_ARGS) zval_copy_ctor(&tmp); convert_to_string(&tmp); varname = &tmp; + } else if (IS_CV == IS_CV || IS_CV == IS_VAR) { + varname->refcount++; } if (opline->op2.u.EA.type == ZEND_FETCH_STATIC_MEMBER) { @@ -20121,6 +20183,8 @@ static int ZEND_UNSET_VAR_SPEC_CV_HANDLER(ZEND_OPCODE_HANDLER_ARGS) if (varname == &tmp) { zval_dtor(&tmp); + } else if (IS_CV == IS_CV || IS_CV == IS_VAR) { + zval_ptr_dtor(&varname); } ZEND_VM_NEXT_OPCODE(); 
@@ -21611,6 +21675,9 @@ static int ZEND_UNSET_DIM_SPEC_CV_CONST_HANDLER(ZEND_OPCODE_HANDLER_ARGS) zend_hash_index_del(ht, index); break; case IS_STRING: + if (IS_CONST == IS_CV || IS_CONST == IS_VAR) { + offset->refcount++; + } if (zend_symtable_del(ht, offset->value.str.val, offset->value.str.len+1) == SUCCESS && ht == &EG(symbol_table)) { zend_execute_data *ex; @@ -21631,6 +21698,9 @@ static int ZEND_UNSET_DIM_SPEC_CV_CONST_HANDLER(ZEND_OPCODE_HANDLER_ARGS) } } } + if (IS_CONST == IS_CV || IS_CONST == IS_VAR) { + zval_ptr_dtor(&offset); + } break; case IS_NULL: zend_hash_del(ht, "", sizeof("")); @@ -23072,6 +23142,9 @@ static int ZEND_UNSET_DIM_SPEC_CV_TMP_HANDLER(ZEND_OPCODE_HANDLER_ARGS) zend_hash_index_del(ht, index); break; case IS_STRING: + if (IS_TMP_VAR == IS_CV || IS_TMP_VAR == IS_VAR) { + offset->refcount++; + } if (zend_symtable_del(ht, offset->value.str.val, offset->value.str.len+1) == SUCCESS && ht == &EG(symbol_table)) { zend_execute_data *ex; @@ -23092,6 +23165,9 @@ static int ZEND_UNSET_DIM_SPEC_CV_TMP_HANDLER(ZEND_OPCODE_HANDLER_ARGS) } } } + if (IS_TMP_VAR == IS_CV || IS_TMP_VAR == IS_VAR) { + zval_ptr_dtor(&offset); + } break; case IS_NULL: zend_hash_del(ht, "", sizeof("")); @@ -24570,6 +24646,9 @@ static int ZEND_UNSET_DIM_SPEC_CV_VAR_HANDLER(ZEND_OPCODE_HANDLER_ARGS) zend_hash_index_del(ht, index); break; case IS_STRING: + if (IS_VAR == IS_CV || IS_VAR == IS_VAR) { + offset->refcount++; + } if (zend_symtable_del(ht, offset->value.str.val, offset->value.str.len+1) == SUCCESS && ht == &EG(symbol_table)) { zend_execute_data *ex; @@ -24590,6 +24669,9 @@ static int ZEND_UNSET_DIM_SPEC_CV_VAR_HANDLER(ZEND_OPCODE_HANDLER_ARGS) } } } + if (IS_VAR == IS_CV || IS_VAR == IS_VAR) { + zval_ptr_dtor(&offset); + } break; case IS_NULL: zend_hash_del(ht, "", sizeof("")); 
@@ -26490,6 +26572,9 @@ static int ZEND_UNSET_DIM_SPEC_CV_CV_HANDLER(ZEND_OPCODE_HANDLER_ARGS) zend_hash_index_del(ht, index); break; case IS_STRING: + if (IS_CV == IS_CV || IS_CV == IS_VAR) { + offset->refcount++; + } if (zend_symtable_del(ht, offset->value.str.val, offset->value.str.len+1) == SUCCESS && ht == &EG(symbol_table)) { zend_execute_data *ex; @@ -26510,6 +26595,9 @@ static int ZEND_UNSET_DIM_SPEC_CV_CV_HANDLER(ZEND_OPCODE_HANDLER_ARGS) } } } + if (IS_CV == IS_CV || IS_CV == IS_VAR) { + zval_ptr_dtor(&offset); + } break; case IS_NULL: zend_hash_del(ht, "", sizeof("")); -- 2.50.1