[PHP-CVS] com php-src: Fixed invalid read in CONST_STRING dereference, reported by Nikic: Zend/zend_language_parser.y

2012-07-25 Thread Xinchen Hui
Commit:    ba568aaebb3f3c788a5551c016c0afafd7a5502e
Author:    Xinchen Hui larue...@php.net         Thu, 26 Jul 2012 00:29:39 +0800
Parents:   0fbc8561e687689f796d95584cea1fa959eee83b
Branches:  master

Link:      http://git.php.net/?p=php-src.git;a=commitdiff;h=ba568aaebb3f3c788a5551c016c0afafd7a5502e

Log:
Fixed invalid read in CONST_STRING dereference, reported by Nikic

Changed paths:
  M  Zend/zend_language_parser.y


Diff:
diff --git a/Zend/zend_language_parser.y b/Zend/zend_language_parser.y
index e397fe1..c88e9a7 100644
--- a/Zend/zend_language_parser.y
+++ b/Zend/zend_language_parser.y
@@ -802,7 +802,7 @@ expr_without_variable:
 combined_scalar_offset:
  combined_scalar '[' dim_offset ']' { 
zend_do_begin_variable_parse(TSRMLS_C); fetch_array_dim($$, $1, $3 
TSRMLS_CC); }
| combined_scalar_offset '[' dim_offset ']' { fetch_array_dim($$, $1, 
$3 TSRMLS_CC); }
-| T_CONSTANT_ENCAPSED_STRING '[' dim_offset ']' { 
zend_do_begin_variable_parse(TSRMLS_C); fetch_array_dim($$, $1, $3 
TSRMLS_CC); }
+| T_CONSTANT_ENCAPSED_STRING '[' dim_offset ']' { $1.EA = 0; 
zend_do_begin_variable_parse(TSRMLS_C); fetch_array_dim($$, $1, $3 
TSRMLS_CC); }
 
 combined_scalar:
   T_ARRAY '(' array_pair_list ')' { $$ = $3; }
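
Review bot: The added `$1.EA = 0;` in the T_CONSTANT_ENCAPSED_STRING alternative has no comment saying why the token's EA field must be cleared before fetch_array_dim() runs, and the log line only says "invalid read". Add a one-line comment stating where EA would otherwise get its value for this token. It is also worth checking whether the `combined_scalar '[' dim_offset ']'` alternative above, which passes $1 to the same call without touching EA, always arrives with EA already set.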


--
PHP CVS Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP-CVS] com php-src: Fixed invalid read in CONST_STRING dereference, reported by Nikic: Zend/zend_language_parser.y

2012-07-25 Thread Nuno Lopes

test case?
merge to other branches?


Quoting Xinchen Hui larue...@php.net:


Commit:ba568aaebb3f3c788a5551c016c0afafd7a5502e
Author:Xinchen Hui larue...@php.net Thu, 26 Jul 2012  
00:29:39 +0800

Parents:   0fbc8561e687689f796d95584cea1fa959eee83b
Branches:  master

Link:
http://git.php.net/?p=php-src.git;a=commitdiff;h=ba568aaebb3f3c788a5551c016c0afafd7a5502e


Log:
Fixed invalid read in CONST_STRING dereference, reported by Nikic

Changed paths:
  M  Zend/zend_language_parser.y


Diff:
diff --git a/Zend/zend_language_parser.y b/Zend/zend_language_parser.y
index e397fe1..c88e9a7 100644
--- a/Zend/zend_language_parser.y
+++ b/Zend/zend_language_parser.y
@@ -802,7 +802,7 @@ expr_without_variable:
 combined_scalar_offset:
 	  combined_scalar '[' dim_offset ']' {  
zend_do_begin_variable_parse(TSRMLS_C); fetch_array_dim($$, $1,  
$3 TSRMLS_CC); }
 	| combined_scalar_offset '[' dim_offset ']' { fetch_array_dim($$,  
$1, $3 TSRMLS_CC); }
-| T_CONSTANT_ENCAPSED_STRING '[' dim_offset ']' {  
zend_do_begin_variable_parse(TSRMLS_C); fetch_array_dim($$, $1,  
$3 TSRMLS_CC); }
+| T_CONSTANT_ENCAPSED_STRING '[' dim_offset ']' { $1.EA = 0;  
zend_do_begin_variable_parse(TSRMLS_C); fetch_array_dim($$, $1,  
$3 TSRMLS_CC); }


 combined_scalar:
   T_ARRAY '(' array_pair_list ')' { $$ = $3; }






Re: [PHP-CVS] com php-src: Fixed invalid read in CONST_STRING dereference, reported by Nikic: Zend/zend_language_parser.y

2012-07-25 Thread Nikita Popov
On Wed, Jul 25, 2012 at 7:22 PM, Nuno Lopes nlop...@php.net wrote:
> test case?

The test for this was already in the code base. It was just failing in
some situations and was generating valgrind warnings when run with -m.

> merge to other branches?

Constant dereferencing is only available on master, so it doesn't
apply to other branches :)

Nikita




Re: [PHP-CVS] com php-src: Fixed invalid read in CONST_STRING dereference, reported by Nikic: Zend/zend_language_parser.y

2012-07-25 Thread Nuno Lopes

Quoting Nikita Popov nikita@gmail.com:


> On Wed, Jul 25, 2012 at 7:22 PM, Nuno Lopes nlop...@php.net wrote:
>> test case?
>
> The test for this was already in the code base. It was just failing in
> some situations and was generating valgrind warnings when run with -m.
>
>> merge to other branches?
>
> Constant dereferencing is only available on master, so it doesn't
> apply to other branches :)


Ok!
But, did we have a report about this on http://gcov.php.net ?

Nuno




Re: [PHP-CVS] com php-src: Fixed invalid read in CONST_STRING dereference, reported by Nikic: Zend/zend_language_parser.y

2012-07-25 Thread Nikita Popov
On Wed, Jul 25, 2012 at 7:32 PM, Nuno Lopes nlop...@php.net wrote:
> Ok!
> But, did we have a report about this on http://gcov.php.net ?

Yep, the valgrind report is also on gcov:
http://gcov.php.net/viewer.php?version=PHP_HEAD&func=valgrind&file=Zend%2Ftests%2Fconst_dereference_002.phpt

Nikita :)




Re: [PHP-CVS] com php-src: Fixed invalid read in CONST_STRING dereference, reported by Nikic: Zend/zend_language_parser.y

2012-07-25 Thread Nuno Lopes

Quoting Nikita Popov nikita@gmail.com:


> On Wed, Jul 25, 2012 at 7:32 PM, Nuno Lopes nlop...@php.net wrote:
>> Ok!
>> But, did we have a report about this on http://gcov.php.net ?
>
> Yep, the valgrind report is also on gcov:
> http://gcov.php.net/viewer.php?version=PHP_HEAD&func=valgrind&file=Zend%2Ftests%2Fconst_dereference_002.phpt
>
> Nikita :)


cool!
Next time please provide more information on the commit message so  
that I don't have to bug you :)


Thanks,
Nuno




[PHP-CVS] com php-src: Fixed bug #62661 (Interactive php-cli crashes if include() is used in auto_prepend_file): NEWS Zend/zend.c

2012-07-25 Thread Xinchen Hui
Commit:    b4b3a65f5518803c4a3bca34ac67e139b2547133
Author:    Xinchen Hui larue...@php.net         Thu, 26 Jul 2012 12:40:47 +0800
Parents:   9fe8c58130ac82d2b52b35a290b71569abe50d18
Branches:  PHP-5.4

Link:      http://git.php.net/?p=php-src.git;a=commitdiff;h=b4b3a65f5518803c4a3bca34ac67e139b2547133

Log:
Fixed bug #62661 (Interactive php-cli crashes if include() is used in 
auto_prepend_file)

Bugs:
https://bugs.php.net/62661

Changed paths:
  M  NEWS
  M  Zend/zend.c


Diff:
diff --git a/NEWS b/NEWS
index 883d910..d429849 100644
--- a/NEWS
+++ b/NEWS
@@ -3,6 +3,8 @@ PHP 
   NEWS
 ?? ??? 2012, PHP 5.4.6
 
 - Core:
+  . Fixed bug #62661 (Interactive php-cli crashes if include() is used in
+auto_prepend_file). (Laruence)
   . Fixed bug #62565 (Crashes due non-initialized internal properties_table).
 (Felipe)
 
diff --git a/Zend/zend.c b/Zend/zend.c
index 37a1a27..18c4f11 100644
--- a/Zend/zend.c
+++ b/Zend/zend.c
@@ -1261,6 +1261,7 @@ ZEND_API int zend_execute_scripts(int type TSRMLS_DC, 
zval **retval, int file_co
zend_file_handle *file_handle;
zend_op_array *orig_op_array = EG(active_op_array);
zval **orig_retval_ptr_ptr = EG(return_value_ptr_ptr);
+long orig_interactive = CG(interactive);
 
va_start(files, file_count);
for (i = 0; i  file_count; i++) {
@@ -1268,6 +1269,15 @@ ZEND_API int zend_execute_scripts(int type TSRMLS_DC, 
zval **retval, int file_co
if (!file_handle) {
continue;
}
+
+if (orig_interactive) {
+if (file_handle-filename[0] != '-' || file_handle-filename[1]) {
+CG(interactive) = 0;
+} else {
+CG(interactive) = 1;
+}
+}
+   
EG(active_op_array) = zend_compile_file(file_handle, type 
TSRMLS_CC);
if (file_handle-opened_path) {
int dummy = 1;
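
Review bot: The new test inside `if (orig_interactive)` reads filename[0] and filename[1], but only file_handle itself is checked for NULL above it; if a handle can reach this loop with a NULL filename, guard for that first. The if/else that sets CG(interactive) to 0 or 1 could also be a single assignment from the comparison, with a short comment that a filename of exactly "-" is the one case that keeps interactive mode on.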
@@ -1309,12 +1319,14 @@ ZEND_API int zend_execute_scripts(int type TSRMLS_DC, 
zval **retval, int file_co
va_end(files);
EG(active_op_array) = orig_op_array;
EG(return_value_ptr_ptr) = orig_retval_ptr_ptr;
+CG(interactive) = orig_interactive;
return FAILURE;
}
}
va_end(files);
EG(active_op_array) = orig_op_array;
EG(return_value_ptr_ptr) = orig_retval_ptr_ptr;
+CG(interactive) = orig_interactive;
 
return SUCCESS;
 }
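
Review bot: `CG(interactive) = orig_interactive;` is now repeated on both the FAILURE and the SUCCESS return, next to the existing restores of EG(active_op_array) and EG(return_value_ptr_ptr). A single cleanup label would keep the three restores together so a later exit path cannot miss one. Also confirm that no exit from the loop other than these two returns can leave CG(interactive) at the 0 set in the previous hunk.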





Re: [PHP-CVS] com php-src: Fixed bug #62661 (Interactive php-cli crashes if include() is used in auto_prepend_file): NEWS Zend/zend.c

2012-07-25 Thread Laruence
Hi:

  this bug is similar to #49000, and the fix is a little ugly, in this
case, setting CG(interactive) in sapi/cli/php_cli.c becomes
unnecessary.

thanks

On Thu, Jul 26, 2012 at 12:40 PM, Xinchen Hui larue...@php.net wrote:
 Commit:b4b3a65f5518803c4a3bca34ac67e139b2547133
 Author:Xinchen Hui larue...@php.net Thu, 26 Jul 2012 12:40:47 
 +0800
 Parents:   9fe8c58130ac82d2b52b35a290b71569abe50d18
 Branches:  PHP-5.4

 Link:   
 http://git.php.net/?p=php-src.git;a=commitdiff;h=b4b3a65f5518803c4a3bca34ac67e139b2547133

 Log:
 Fixed bug #62661 (Interactive php-cli crashes if include() is used in 
 auto_prepend_file)

 Bugs:
 https://bugs.php.net/62661

 Changed paths:
   M  NEWS
   M  Zend/zend.c


 Diff:
 diff --git a/NEWS b/NEWS
 index 883d910..d429849 100644
 --- a/NEWS
 +++ b/NEWS
 @@ -3,6 +3,8 @@ PHP   
  NEWS
  ?? ??? 2012, PHP 5.4.6

  - Core:
 +  . Fixed bug #62661 (Interactive php-cli crashes if include() is used in
 +auto_prepend_file). (Laruence)
. Fixed bug #62565 (Crashes due non-initialized internal properties_table).
  (Felipe)

 diff --git a/Zend/zend.c b/Zend/zend.c
 index 37a1a27..18c4f11 100644
 --- a/Zend/zend.c
 +++ b/Zend/zend.c
 @@ -1261,6 +1261,7 @@ ZEND_API int zend_execute_scripts(int type TSRMLS_DC, 
 zval **retval, int file_co
 zend_file_handle *file_handle;
 zend_op_array *orig_op_array = EG(active_op_array);
 zval **orig_retval_ptr_ptr = EG(return_value_ptr_ptr);
 +long orig_interactive = CG(interactive);

 va_start(files, file_count);
 for (i = 0; i  file_count; i++) {
 @@ -1268,6 +1269,15 @@ ZEND_API int zend_execute_scripts(int type TSRMLS_DC, 
 zval **retval, int file_co
 if (!file_handle) {
 continue;
 }
 +
 +if (orig_interactive) {
 +if (file_handle-filename[0] != '-' || file_handle-filename[1]) 
 {
 +CG(interactive) = 0;
 +} else {
 +CG(interactive) = 1;
 +}
 +}
 +
 EG(active_op_array) = zend_compile_file(file_handle, type 
 TSRMLS_CC);
 if (file_handle-opened_path) {
 int dummy = 1;
 @@ -1309,12 +1319,14 @@ ZEND_API int zend_execute_scripts(int type TSRMLS_DC, 
 zval **retval, int file_co
 va_end(files);
 EG(active_op_array) = orig_op_array;
 EG(return_value_ptr_ptr) = orig_retval_ptr_ptr;
 +CG(interactive) = orig_interactive;
 return FAILURE;
 }
 }
 va_end(files);
 EG(active_op_array) = orig_op_array;
 EG(return_value_ptr_ptr) = orig_retval_ptr_ptr;
 +CG(interactive) = orig_interactive;

 return SUCCESS;
  }






-- 
Laruence  Xinchen Hui
http://www.laruence.com/




[PHP-CVS] com php-src: Fixed bug #62653: (unset($array[$float]) causes a crash): NEWS Zend/tests/bug62653.phpt Zend/zend_vm_def.h Zend/zend_vm_execute.h

2012-07-25 Thread Xinchen Hui
Commit:    eae06100429f37e5297c432e99104daeeed13bad
Author:    Xinchen Hui larue...@php.net         Thu, 26 Jul 2012 13:52:42 +0800
Parents:   ba27e0888a3bb91eba3266c71003df045c4d2091
Branches:  PHP-5.4

Link:      http://git.php.net/?p=php-src.git;a=commitdiff;h=eae06100429f37e5297c432e99104daeeed13bad

Log:
Fixed bug #62653: (unset($array[$float]) causes a crash)

The reason why jpauli and I could not reproduce it is (it's silly):
I typoed USE_ZEND_ALLOC ** valgrind the first time, then I always used ctrl+r,
and jpauli copied my command from the pastebin :)

thanks

Bugs:
https://bugs.php.net/62653

Changed paths:
  M  NEWS
  A  Zend/tests/bug62653.phpt
  M  Zend/zend_vm_def.h
  M  Zend/zend_vm_execute.h


Diff:
diff --git a/NEWS b/NEWS
index d429849..407b052 100644
--- a/NEWS
+++ b/NEWS
@@ -5,6 +5,8 @@ PHP 
   NEWS
 - Core:
   . Fixed bug #62661 (Interactive php-cli crashes if include() is used in
 auto_prepend_file). (Laruence)
+  . Fixed bug #62653: (unset($array[$float]) causes a crash). (Nikita Popov,
+Laruence)
   . Fixed bug #62565 (Crashes due non-initialized internal properties_table).
 (Felipe)
 
diff --git a/Zend/tests/bug62653.phpt b/Zend/tests/bug62653.phpt
new file mode 100644
index 000..cf5941c
--- /dev/null
+++ b/Zend/tests/bug62653.phpt
@@ -0,0 +1,33 @@
+--TEST--
+Bug #62653: unset($array[$float]) causes a crash
+--FILE--
+?php
+$array = array(5=bar);
+$foo = 10.; // gettype($foo) = string
+$foo /= 2; //Makes $foo = 5 but still gettype($foo) = double
+unset($array[$foo]);
+print_r($array);
+
+$array = array(5=bar);
+$foo = 5;
+unset($array[(float)$foo]);
+print_r($array);
+
+$array = array(5=bar);
+$foo = 5;
+$foo /= 2; //Makes $foo = 5 but still gettype($foo) = double
+$name = foo;
+unset($array[$$name]);
+print_r($array);
+
+?
+--EXPECT--
+Array
+(
+)
+Array
+(
+)
+Array
+(
+)
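
Review bot: In the third case, `$foo = 5;` followed by `$foo /= 2;` gives 2.5, not the 5 the comment claims, so `unset($array[$$name])` would not remove key 5 and the third empty array in --EXPECT-- would not match. Start that case from 10, as the first case does, so that the variable-variable path is actually exercised with a double equal to 5.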
diff --git a/Zend/zend_vm_def.h b/Zend/zend_vm_def.h
index 5a3ae49..f5567ea 100644
--- a/Zend/zend_vm_def.h
+++ b/Zend/zend_vm_def.h
@@ -3947,7 +3947,8 @@ ZEND_VM_HANDLER(75, ZEND_UNSET_DIM, VAR|UNUSED|CV, 
CONST|TMP|VAR|CV)
switch (Z_TYPE_P(offset)) {
case IS_DOUBLE:
hval = 
zend_dval_to_lval(Z_DVAL_P(offset));
-   ZEND_VM_C_GOTO(num_index_dim);
+   zend_hash_index_del(ht, hval);
+   break;
case IS_RESOURCE:
case IS_BOOL:
case IS_LONG:
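
Review bot: The IS_DOUBLE case now calls zend_hash_index_del(ht, hval) and breaks instead of jumping to num_index_dim, but neither the hunk nor the log says what at that label is unsafe for a double offset. Add a comment at the case stating why it cannot share the label with whichever cases still jump to it, so the goto is not reintroduced later as a cleanup.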
diff --git a/Zend/zend_vm_execute.h b/Zend/zend_vm_execute.h
index 1fb6e76..78f3d84 100644
--- a/Zend/zend_vm_execute.h
+++ b/Zend/zend_vm_execute.h
@@ -13917,7 +13917,8 @@ static int ZEND_FASTCALL  
ZEND_UNSET_DIM_SPEC_VAR_CONST_HANDLER(ZEND_OPCODE_HAND
switch (Z_TYPE_P(offset)) {
case IS_DOUBLE:
hval = 
zend_dval_to_lval(Z_DVAL_P(offset));
-   goto num_index_dim;
+   zend_hash_index_del(ht, hval);
+   break;
case IS_RESOURCE:
case IS_BOOL:
case IS_LONG:
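
Review bot: The same two-line replacement of `goto num_index_dim;` recurs in each ZEND_UNSET_DIM_SPEC_* handler in this file. Since zend_vm_execute.h is generated from zend_vm_def.h, confirm these hunks come from rerunning the generator rather than from hand edits, so that no specialised handler is missed.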
@@ -15919,7 +15920,8 @@ static int ZEND_FASTCALL  
ZEND_UNSET_DIM_SPEC_VAR_TMP_HANDLER(ZEND_OPCODE_HANDLE
switch (Z_TYPE_P(offset)) {
case IS_DOUBLE:
hval = 
zend_dval_to_lval(Z_DVAL_P(offset));
-   goto num_index_dim;
+   zend_hash_index_del(ht, hval);
+   break;
case IS_RESOURCE:
case IS_BOOL:
case IS_LONG:
@@ -18131,7 +18133,8 @@ static int ZEND_FASTCALL  
ZEND_UNSET_DIM_SPEC_VAR_VAR_HANDLER(ZEND_OPCODE_HANDLE
switch (Z_TYPE_P(offset)) {
case IS_DOUBLE:
hval = 
zend_dval_to_lval(Z_DVAL_P(offset));
-   goto num_index_dim;
+   zend_hash_index_del(ht, hval);
+   break;
case IS_RESOURCE:
case IS_BOOL:
case IS_LONG:
@@ -21166,7 +21169,8 @@ static int ZEND_FASTCALL  

[PHP-CVS] com php-src: Fix test, committed in wrong folder: Zend/tests/bug62653.phpt

2012-07-25 Thread Xinchen Hui
Commit:    302ad0d648376e072358a269432d3598302b62c0
Author:    Xinchen Hui larue...@php.net         Thu, 26 Jul 2012 13:57:04 +0800
Parents:   eae06100429f37e5297c432e99104daeeed13bad
Branches:  PHP-5.4

Link:      http://git.php.net/?p=php-src.git;a=commitdiff;h=302ad0d648376e072358a269432d3598302b62c0

Log:
Fix test, committed in wrong folder

Changed paths:
  M  Zend/tests/bug62653.phpt


Diff:
diff --git a/Zend/tests/bug62653.phpt b/Zend/tests/bug62653.phpt
index cf5941c..96299f1 100644
--- a/Zend/tests/bug62653.phpt
+++ b/Zend/tests/bug62653.phpt
@@ -14,7 +14,7 @@ unset($array[(float)$foo]);
 print_r($array);
 
 $array = array(5=bar);
-$foo = 5;
+$foo = 10.;
 $foo /= 2; //Makes $foo = 5 but still gettype($foo) = double
 $name = foo;
 unset($array[$$name]);
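
Review bot: The log says "committed in wrong folder", but the only change here is the initial value in the third case, from `$foo = 5;` to `$foo = 10.;`, which is what makes the comment on the following `$foo /= 2;` line true. The message should describe that correction so the history of bug62653.phpt stays searchable.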





[PHP-CVS] com php-src: Merge branch 'PHP-5.4': Zend/zend_vm_def.h Zend/zend_vm_execute.h

2012-07-25 Thread Xinchen Hui
Commit:    80497ea7dfade2ccd032ef65103c0a113338653a
Author:    Xinchen Hui larue...@php.net         Thu, 26 Jul 2012 13:58:01 +0800
Parents:   07c61c2fdb5c6016508cfac7deb783b9dbef2ad5 302ad0d648376e072358a269432d3598302b62c0
Branches:  master

Link:      http://git.php.net/?p=php-src.git;a=commitdiff;h=80497ea7dfade2ccd032ef65103c0a113338653a

Log:
Merge branch 'PHP-5.4'

Changed paths:
  MM  Zend/zend_vm_def.h
  MM  Zend/zend_vm_execute.h


Diff:


