<?php
class MyTextSanitizer
{
    var $smileys = array();   // default property shared by every instance
    function MyTextSanitizer() {}
    function getSmileys()
    {
        return $this->smileys;  // returns by value, not by reference
    }
}
$myts = new MyTextSanitizer();
$smiles =& $myts->getSmileys(); // calling by ref alone causes improper refcount
?>
The opcodes for the above script:
ZEND_FETCH_CLASS
ZEND_NEW (Increases the refcount of smileys array from 1 to 2. zend_declare class made it 1 from 0)
ZEND_JMP_NO_CTOR (Not executed)
ZEND_INIT_CTOR_CALL (No change in smileys refcount)
ZEND_DO_FCALL_BY_NAME (No change in smileys refcount)
ZEND_FETCH_W (No change in smileys refcount)
ZEND_ASSIGN (No change in smileys refcount)
ZEND_FETCH_R (No change in smileys refcount)
ZEND_INIT_METHOD_CALL (No change in smileys refcount)
ZEND_DO_FCALL_BY_NAME (Increases the refcount of smileys array from 2 to 3)
ZEND_FETCH_W (No change in smileys refcount)
ZEND_ASSIGN_REF (Increases the refcount of smileys array from 3 to 1:
  _get_zval_ptr_ptr on &opline->op2 makes it 3 to 2;
  zend_assign_to_variable_reference(&opline->result, get_zval_ptr_ptr(&opline->op1, EX(Ts), BP_VAR_W), value_ptr_ptr, EX(Ts) TSRMLS_CC); decreases it from 2 to 1)
ZEND_RETURN
ZEND_HANDLE_EXCEPTION

The object destructor reduces the refcount from 1 to 0 and destroys $smileys. zend_destroy_class now attempts to destroy it again. This causes a segfault.
With regards
Kamesh Jayachandran
On Wed, 06 Apr 2005 00:18:35 -0700, "Kamesh Jayachandran"
<[EMAIL PROTECTED]> said:
> It happens in php-5.0.4 also.
>
> With regards
> Kamesh Jayachandran
> On Wed, 6 Apr 2005 09:16:34 +0200 (CEST), "Derick Rethans"
> <[EMAIL PROTECTED]> said:
> > On Wed, 6 Apr 2005, Kamesh Jayachandran wrote:
> >
> > > Hi All,
> > > I have come across a double free because of improper refcount
> > > manipulation.
> > > <?php
> > > class MyTextSanitizer
> > > {
> > > var $smileys=array()
> > > function MyTextSanitizer() {}
> > > function getSmileys()
> > > {
> > > return $this->smileys;
> > > }
> > > }
> > > $myts = new MyTextSanitizer();
> > > $smiles =& $myts->getSmileys(); //calling by ref alone causes improper
> > > refcount
> > > $smiles = $myts->getSmileys(); //this does not cause improper refcount
> > > ?>
> >
> > This fact is known, Marcus and I have a working patch for this - but
> > it'll break binary compat for PHP 4.4 - stay tuned for this.
> >
> > regards,
> > Derick
> >
> > --
> > Derick Rethans
> > http://derickrethans.nl | http://ez.no | http://xdebug.org
>
> --
> PHP Internals - PHP Runtime Development Mailing List
> To unsubscribe, visit: http://www.php.net/unsub.php
>
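A simplified replay of the refcount trace above, in C, as an added example that is not part of this thread or of the Zend engine: the zval_model struct, the step tables and the per-opcode deltas are constructed from the counts the email lists, and the check in zval_release stands in for what a debug-build refcount assertion or a memory checker would report at the second destroy.

```c
/* Constructed model of the refcount imbalance described in the thread.
 * Not Zend engine code: the struct, the step table and the names below
 * only replay the counts given in the email. */
#include <stddef.h>
#include <stdio.h>

typedef struct {
    int refcount;   /* number of holders, as the engine believes */
    int freed;      /* set once the payload has been released */
} zval_model;

/* One step of the walkthrough: an opcode name and its net refcount change. */
typedef struct { const char *op; int delta; } step_t;

/* The trace from the email: +1 class declare, +1 ZEND_NEW, +1 method
 * return, -2 for ZEND_ASSIGN_REF (3 -> 2 -> 1), then the object
 * destructor and zend_destroy_class each release the array once. */
const step_t smileys_trace[] = {
    {"zend_declare class",    +1},
    {"ZEND_NEW",              +1},
    {"ZEND_DO_FCALL_BY_NAME", +1},
    {"ZEND_ASSIGN_REF",       -2},
    {"object destructor",     -1},
    {"zend_destroy_class",    -1},
};
const size_t smileys_trace_len = sizeof smileys_trace / sizeof *smileys_trace;

/* Constructed control case (not from the thread): three acquires matched
 * by three releases, so the final destroy finds nothing left to free twice. */
const step_t balanced_trace[] = {
    {"acquire", +3}, {"release", -1}, {"release", -1}, {"release", -1},
};
const size_t balanced_trace_len = sizeof balanced_trace / sizeof *balanced_trace;

/* Release one reference; free the payload when the count hits zero.
 * Returns -1 when asked to release an already-freed value: the double free. */
static int zval_release(zval_model *z, const char *who)
{
    if (z->freed || z->refcount <= 0) {
        fprintf(stderr, "double free: %s releases zval with refcount %d\n", who, z->refcount);
        return -1;
    }
    if (--z->refcount == 0) z->freed = 1;
    return 0;
}

/* Replay a trace. Returns the index of the step that double-frees, or -1
 * if every release was balanced by an earlier addref. */
int replay(const step_t *steps, size_t n)
{
    zval_model z = {0, 0};
    for (size_t i = 0; i < n; i++) {
        for (int d = steps[i].delta; d > 0; d--) z.refcount++;
        for (int d = steps[i].delta; d < 0; d++)
            if (zval_release(&z, steps[i].op) != 0) return (int)i;
    }
    return -1;
}
```

Running replay on smileys_trace reports the double free at step 5, the zend_destroy_class release, matching the segfault the email describes.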