Commit: f9e8678dd3a41ed8a100d8201153a41d6fd25f2e Author: Dmitry Stogov <dmi...@zend.com> Wed, 9 Jan 2013 11:30:50 +0400 Parents: f3b1b8516906fe900e521216c8f01e362790af30 Branches: PHP-5.4 PHP-5.5 master
Link: http://git.php.net/?p=php-src.git;a=commitdiff;h=f9e8678dd3a41ed8a100d8201153a41d6fd25f2e Log: Fixed bug #63882 (zend_std_compare_objects crash on recursion) Bugs: https://bugs.php.net/63882 Changed paths: M NEWS A Zend/tests/bug63882.phpt M Zend/zend_object_handlers.c M Zend/zend_objects_API.c M Zend/zend_objects_API.h Diff: diff --git a/NEWS b/NEWS index 1abd398..cfc0fa9 100644 --- a/NEWS +++ b/NEWS @@ -5,6 +5,7 @@ PHP NEWS - Core: . Fixed bug #63943 (Bad warning text from strpos() on empty needle). (Laruence) + . Fixed bug #63882 (zend_std_compare_objects crash on recursion). (Dmitry) - Litespeed: . Fixed bug #63228 (-Werror=format-security error in lsapi code). (George) diff --git a/Zend/tests/bug63882.phpt b/Zend/tests/bug63882.phpt new file mode 100644 index 0000000..0cc1bab --- /dev/null +++ b/Zend/tests/bug63882.phpt @@ -0,0 +1,15 @@ +--TEST-- +Bug #63882 (zend_std_compare_objects crash on recursion) +--FILE-- +<?php +class Test { public $x = 5; } + +$testobj1 = new Test; +$testobj2 = new Test; +$testobj1->x = $testobj1; +$testobj2->x = $testobj2; + +var_dump($testobj1 == $testobj2); +?> +--EXPECTF-- +Fatal error: Nesting level too deep - recursive dependency? in %sbug63882.php on line 9 diff --git a/Zend/zend_object_handlers.c b/Zend/zend_object_handlers.c index a76dfb3..3881c0e 100644 --- a/Zend/zend_object_handlers.c +++ b/Zend/zend_object_handlers.c @@ -35,6 +35,17 @@ #define Z_OBJ_P(zval_p) \ ((zend_object*)(EG(objects_store).object_buckets[Z_OBJ_HANDLE_P(zval_p)].bucket.obj.object)) +#define Z_OBJ_PROTECT_RECURSION(zval_p) \ + do { \ + if (EG(objects_store).object_buckets[Z_OBJ_HANDLE_P(zval_p)].apply_count++ >= 3) { \ + zend_error(E_ERROR, "Nesting level too deep - recursive dependency?"); \ + } \ + } while (0) + + +#define Z_OBJ_UNPROTECT_RECURSION(zval_p) \ + EG(objects_store).object_buckets[Z_OBJ_HANDLE_P(zval_p)].apply_count-- + /* __X accessors explanation: @@ -1319,28 +1330,43 @@ static int zend_std_compare_objects(zval *o1, zval *o2 TSRMLS_DC) /* {{{ */ } if (!zobj1->properties && !zobj2->properties) { int i; + + Z_OBJ_PROTECT_RECURSION(o1); + Z_OBJ_PROTECT_RECURSION(o2); for (i = 0; i < zobj1->ce->default_properties_count; i++) { if (zobj1->properties_table[i]) { if (zobj2->properties_table[i]) { zval result; if (compare_function(&result, zobj1->properties_table[i], zobj2->properties_table[i] TSRMLS_CC)==FAILURE) { + Z_OBJ_UNPROTECT_RECURSION(o1); + Z_OBJ_UNPROTECT_RECURSION(o2); return 1; } if (Z_LVAL(result) != 0) { + Z_OBJ_UNPROTECT_RECURSION(o1); + Z_OBJ_UNPROTECT_RECURSION(o2); return Z_LVAL(result); } } else { + Z_OBJ_UNPROTECT_RECURSION(o1); + Z_OBJ_UNPROTECT_RECURSION(o2); return 1; } } else { if (zobj2->properties_table[i]) { + Z_OBJ_UNPROTECT_RECURSION(o1); + Z_OBJ_UNPROTECT_RECURSION(o2); return 1; } else { + Z_OBJ_UNPROTECT_RECURSION(o1); + Z_OBJ_UNPROTECT_RECURSION(o2); return 0; } } } + Z_OBJ_UNPROTECT_RECURSION(o1); + Z_OBJ_UNPROTECT_RECURSION(o2); return 0; } else { if (!zobj1->properties) { diff --git a/Zend/zend_objects_API.c b/Zend/zend_objects_API.c index 4f3561e..1fe5d0c 100644 --- a/Zend/zend_objects_API.c +++ b/Zend/zend_objects_API.c @@ -117,6 +117,7 @@ ZEND_API zend_object_handle zend_objects_store_put(void *object, zend_objects_st obj = &EG(objects_store).object_buckets[handle].bucket.obj; EG(objects_store).object_buckets[handle].destructor_called = 0; EG(objects_store).object_buckets[handle].valid = 1; + EG(objects_store).object_buckets[handle].apply_count = 0; obj->refcount = 1; GC_OBJ_INIT(obj); diff --git a/Zend/zend_objects_API.h b/Zend/zend_objects_API.h index c973b7a..a6ea9b8 100644 --- a/Zend/zend_objects_API.h +++ b/Zend/zend_objects_API.h @@ -31,6 +31,7 @@ typedef void (*zend_objects_store_clone_t)(void *object, void **object_clone TSR typedef struct _zend_object_store_bucket { zend_bool destructor_called; zend_bool valid; + zend_uchar apply_count; union _store_bucket { struct _store_object { void *object; -- PHP CVS Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php