Hi!

Doesn't change of zend_objects_API.h change binary API? I'm not sure we
can do it in 5.4.

On 1/8/13 11:30 PM, Dmitry Stogov wrote:
> Commit:    f9e8678dd3a41ed8a100d8201153a41d6fd25f2e
> Author:    Dmitry Stogov <dmi...@zend.com>         Wed, 9 Jan 2013 11:30:50 
> +0400
> Parents:   f3b1b8516906fe900e521216c8f01e362790af30
> Branches:  PHP-5.4 PHP-5.5 master
> 
> Link:       
> http://git.php.net/?p=php-src.git;a=commitdiff;h=f9e8678dd3a41ed8a100d8201153a41d6fd25f2e
> 
> Log:
> Fixed bug #63882 (zend_std_compare_objects crash on recursion)
> 
> Bugs:
> https://bugs.php.net/63882
> 
> Changed paths:
>   M  NEWS
>   A  Zend/tests/bug63882.phpt
>   M  Zend/zend_object_handlers.c
>   M  Zend/zend_objects_API.c
>   M  Zend/zend_objects_API.h
> 
> 
> Diff:
> diff --git a/NEWS b/NEWS
> index 1abd398..cfc0fa9 100644
> --- a/NEWS
> +++ b/NEWS
> @@ -5,6 +5,7 @@ PHP                                                           
>              NEWS
>  - Core:
>    . Fixed bug #63943 (Bad warning text from strpos() on empty needle).
>      (Laruence)
> +  . Fixed bug #63882 (zend_std_compare_objects crash on recursion). (Dmitry)
>  
>  - Litespeed:
>    . Fixed bug #63228 (-Werror=format-security error in lsapi code). (George)
> diff --git a/Zend/tests/bug63882.phpt b/Zend/tests/bug63882.phpt
> new file mode 100644
> index 0000000..0cc1bab
> --- /dev/null
> +++ b/Zend/tests/bug63882.phpt
> @@ -0,0 +1,15 @@
> +--TEST--
> +Bug #63882 (zend_std_compare_objects crash on recursion)
> +--FILE--
> +<?php
> +class Test { public $x = 5; }
> +
> +$testobj1 = new Test;
> +$testobj2 = new Test;
> +$testobj1->x = $testobj1;
> +$testobj2->x = $testobj2;
> +
> +var_dump($testobj1 == $testobj2);
> +?>
> +--EXPECTF--
> +Fatal error: Nesting level too deep - recursive dependency? in 
> %sbug63882.php on line 9
> diff --git a/Zend/zend_object_handlers.c b/Zend/zend_object_handlers.c
> index a76dfb3..3881c0e 100644
> --- a/Zend/zend_object_handlers.c
> +++ b/Zend/zend_object_handlers.c
> @@ -35,6 +35,17 @@
>  #define Z_OBJ_P(zval_p) \
>       
> ((zend_object*)(EG(objects_store).object_buckets[Z_OBJ_HANDLE_P(zval_p)].bucket.obj.object))
>  
> +#define Z_OBJ_PROTECT_RECURSION(zval_p) \
> +     do { \
> +             if 
> (EG(objects_store).object_buckets[Z_OBJ_HANDLE_P(zval_p)].apply_count++ >= 3) 
> { \
> +                     zend_error(E_ERROR, "Nesting level too deep - recursive 
> dependency?"); \
> +             } \
> +     } while (0)
> +
> +
> +#define Z_OBJ_UNPROTECT_RECURSION(zval_p) \
> +     EG(objects_store).object_buckets[Z_OBJ_HANDLE_P(zval_p)].apply_count--
> +
>  /*
>    __X accessors explanation:
>  
> @@ -1319,28 +1330,43 @@ static int zend_std_compare_objects(zval *o1, zval 
> *o2 TSRMLS_DC) /* {{{ */
>       }
>       if (!zobj1->properties && !zobj2->properties) {
>               int i;
> +
> +             Z_OBJ_PROTECT_RECURSION(o1);
> +             Z_OBJ_PROTECT_RECURSION(o2);
>               for (i = 0; i < zobj1->ce->default_properties_count; i++) {
>                       if (zobj1->properties_table[i]) {
>                               if (zobj2->properties_table[i]) {
>                                       zval result;
>  
>                                       if (compare_function(&result, 
> zobj1->properties_table[i], zobj2->properties_table[i] TSRMLS_CC)==FAILURE) {
> +                                             Z_OBJ_UNPROTECT_RECURSION(o1);
> +                                             Z_OBJ_UNPROTECT_RECURSION(o2);
>                                               return 1;
>                                       }
>                                       if (Z_LVAL(result) != 0) {
> +                                             Z_OBJ_UNPROTECT_RECURSION(o1);
> +                                             Z_OBJ_UNPROTECT_RECURSION(o2);
>                                               return Z_LVAL(result);
>                                       }
>                               } else {
> +                                     Z_OBJ_UNPROTECT_RECURSION(o1);
> +                                     Z_OBJ_UNPROTECT_RECURSION(o2);
>                                       return 1;
>                               }
>                       } else {
>                               if (zobj2->properties_table[i]) {
> +                                     Z_OBJ_UNPROTECT_RECURSION(o1);
> +                                     Z_OBJ_UNPROTECT_RECURSION(o2);
>                                       return 1;
>                               } else {
> +                                     Z_OBJ_UNPROTECT_RECURSION(o1);
> +                                     Z_OBJ_UNPROTECT_RECURSION(o2);
>                                       return 0;
>                               }
>                       }
>               }
> +             Z_OBJ_UNPROTECT_RECURSION(o1);
> +             Z_OBJ_UNPROTECT_RECURSION(o2);
>               return 0;
>       } else {
>               if (!zobj1->properties) {
> diff --git a/Zend/zend_objects_API.c b/Zend/zend_objects_API.c
> index 4f3561e..1fe5d0c 100644
> --- a/Zend/zend_objects_API.c
> +++ b/Zend/zend_objects_API.c
> @@ -117,6 +117,7 @@ ZEND_API zend_object_handle zend_objects_store_put(void 
> *object, zend_objects_st
>       obj = &EG(objects_store).object_buckets[handle].bucket.obj;
>       EG(objects_store).object_buckets[handle].destructor_called = 0;
>       EG(objects_store).object_buckets[handle].valid = 1;
> +     EG(objects_store).object_buckets[handle].apply_count = 0;
>  
>       obj->refcount = 1;
>       GC_OBJ_INIT(obj);
> diff --git a/Zend/zend_objects_API.h b/Zend/zend_objects_API.h
> index c973b7a..a6ea9b8 100644
> --- a/Zend/zend_objects_API.h
> +++ b/Zend/zend_objects_API.h
> @@ -31,6 +31,7 @@ typedef void (*zend_objects_store_clone_t)(void *object, 
> void **object_clone TSR
>  typedef struct _zend_object_store_bucket {
>       zend_bool destructor_called;
>       zend_bool valid;
> +     zend_uchar apply_count;
>       union _store_bucket {
>               struct _store_object {
>                       void *object;
> 
> 


-- 
Stanislav Malyshev, Software Architect
SugarCRM: http://www.sugarcrm.com/
(408)454-6900 ext. 227

-- 
PHP CVS Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to