laruence Fri, 02 Mar 2012 02:51:57 +0000 Revision: http://svn.php.net/viewvc?view=revision&revision=323765
Log: MFH: Fix bug #61165 (Segfault - strip_tags()) Bug: https://bugs.php.net/61165 (Assigned) Segfault - strip_tags() Changed paths: U php/php-src/branches/PHP_5_4/NEWS A php/php-src/branches/PHP_5_4/Zend/tests/bug61165.phpt U php/php-src/branches/PHP_5_4/Zend/zend_API.c U php/php-src/trunk/NEWS Modified: php/php-src/branches/PHP_5_4/NEWS =================================================================== --- php/php-src/branches/PHP_5_4/NEWS 2012-03-02 02:38:18 UTC (rev 323764) +++ php/php-src/branches/PHP_5_4/NEWS 2012-03-02 02:51:57 UTC (rev 323765) @@ -4,6 +4,7 @@ - Core: . Fixed bug #61225 (Incorect lexing of 0b00*+<NUM>). (Pierrick) + . Fixed bug #61165 (Segfault - strip_tags()). (Laruence) - Standard: . Fixed memory leak in substr_replace. (Pierrick) Added: php/php-src/branches/PHP_5_4/Zend/tests/bug61165.phpt =================================================================== --- php/php-src/branches/PHP_5_4/Zend/tests/bug61165.phpt (rev 0) +++ php/php-src/branches/PHP_5_4/Zend/tests/bug61165.phpt 2012-03-02 02:51:57 UTC (rev 323765) @@ -0,0 +1,28 @@ +--TEST-- +Bug #61165 (Segfault - strip_tags()) +--FILE-- +<?php + +$handler = NULL; +class T { + public $_this; + + public function __toString() { + global $handler; + $handler = $this; + $this->_this = $this; // <-- uncoment this + return 'A'; + } +} + +$t = new T; +for ($i = 0; $i < 3; $i++) { + strip_tags($t); + strip_tags(new T); +} +var_dump($handler); +--EXPECTF-- +object(T)#%d (1) { + ["_this"]=> + *RECURSION* +} Modified: php/php-src/branches/PHP_5_4/Zend/zend_API.c =================================================================== --- php/php-src/branches/PHP_5_4/Zend/zend_API.c 2012-03-02 02:38:18 UTC (rev 323764) +++ php/php-src/branches/PHP_5_4/Zend/zend_API.c 2012-03-02 02:51:57 UTC (rev 323765) @@ -262,12 +262,16 @@ static int parse_arg_object_to_string(zval **arg, char **p, int *pl, int type TSRMLS_DC) /* {{{ */ { if (Z_OBJ_HANDLER_PP(arg, cast_object)) { - SEPARATE_ZVAL_IF_NOT_REF(arg); - if (Z_OBJ_HANDLER_PP(arg, cast_object)(*arg, *arg, type TSRMLS_CC) == SUCCESS) { + zval *obj; + MAKE_STD_ZVAL(obj); + if (Z_OBJ_HANDLER_P(*arg, cast_object)(*arg, obj, type TSRMLS_CC) == SUCCESS) { + zval_ptr_dtor(arg); + *arg = obj; *pl = Z_STRLEN_PP(arg); *p = Z_STRVAL_PP(arg); return SUCCESS; } + efree(obj); } /* Standard PHP objects */ if (Z_OBJ_HT_PP(arg) == &std_object_handlers || !Z_OBJ_HANDLER_PP(arg, cast_object)) { Modified: php/php-src/trunk/NEWS =================================================================== --- php/php-src/trunk/NEWS 2012-03-02 02:38:18 UTC (rev 323764) +++ php/php-src/trunk/NEWS 2012-03-02 02:51:57 UTC (rev 323765) @@ -6,7 +6,6 @@ . World domination - Core: - . Fixed bug #61165 (Segfault - strip_tags()). (Laruence) . Fixed bug #61072 (Memory leak when restoring an exception handler). (Nikic, Laruence) . Fixed bug #61011 (Crash when an exception is thrown by __autoload
-- PHP CVS Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php