laruence Sun, 11 Mar 2012 15:28:31 +0000 Revision: http://svn.php.net/viewvc?view=revision&revision=324108
Log: Fixed bug #61273 (call_user_func_array with more than 16333 arguments leaks / crashes)
Bug: https://bugs.php.net/61273 (Assigned) call_user_func_array with more than 16333 arguments leaks / crashes
Changed paths:
U php/php-src/branches/PHP_5_3/NEWS
A php/php-src/branches/PHP_5_3/Zend/tests/bug61273.phpt
U php/php-src/branches/PHP_5_3/Zend/zend_execute_API.c
U php/php-src/branches/PHP_5_4/NEWS
A php/php-src/branches/PHP_5_4/Zend/tests/bug61273.phpt
U php/php-src/branches/PHP_5_4/Zend/zend_execute_API.c
A php/php-src/trunk/Zend/tests/bug61273.phpt
U php/php-src/trunk/Zend/zend_execute_API.c
Modified: php/php-src/branches/PHP_5_3/NEWS
===================================================================
--- php/php-src/branches/PHP_5_3/NEWS 2012-03-11 15:12:28 UTC (rev 324107)
+++ php/php-src/branches/PHP_5_3/NEWS 2012-03-11 15:28:31 UTC (rev 324108)
@@ -3,6 +3,8 @@
?? ??? 2012, PHP 5.3.11 - Core:
+ . Fixed bug #61273 (call_user_func_array with more than 16333 arguments
+ leaks / crashes). (Laruence)
. Fixed bug #61165 (Segfault - strip_tags()). (Laruence)
. Improved max_input_vars directive to check nested variables (Dmitry).
. Fixed bug #61095 (Incorect lexing of 0x00*+<NUM>). (Etienne)
Added: php/php-src/branches/PHP_5_3/Zend/tests/bug61273.phpt
===================================================================
--- php/php-src/branches/PHP_5_3/Zend/tests/bug61273.phpt (rev 0)
+++ php/php-src/branches/PHP_5_3/Zend/tests/bug61273.phpt 2012-03-11 15:28:31 UTC (rev 324108)
@@ -0,0 +1,15 @@
+--TEST--
+Bug #61273 (call_user_func_array with more than 16333 arguments leaks / crashes)
+--FILE--
+<?php
+/**
+ * for 5.3 #define ZEND_VM_STACK_PAGE_SIZE ((64 * 1024) - 64)
+ * for 5.4 #define ZEND_VM_STACK_PAGE_SIZE ((16 * 1024) - 16)
+ * we should trick EG(argument_stack) into growing
+ */
+$args = array_fill(0, 64 * 1024 - 64, "*");
+call_user_func_array(function(&$a) {}, $args);
+echo strval("okey");
+--EXPECTF--
+Warning: Parameter 1 to {closure}() expected to be a reference, value given in %sbug61273.php on line %d
+okey
Modified: php/php-src/branches/PHP_5_3/Zend/zend_execute_API.c
===================================================================
--- php/php-src/branches/PHP_5_3/Zend/zend_execute_API.c 2012-03-11 15:12:28 UTC (rev 324107)
+++ php/php-src/branches/PHP_5_3/Zend/zend_execute_API.c 2012-03-11 15:28:31 UTC (rev 324108)
@@ -877,7 +877,7 @@
if (fci->no_separation && !ARG_MAY_BE_SENT_BY_REF(EX(function_state).function, i + 1)) {
- if(i) {
+ if (i || UNEXPECTED(UNEXPECTED(ZEND_VM_STACK_ELEMETS(EG(argument_stack)) == EG(argument_stack)->top))) {
/* hack to clean up the stack */
zend_vm_stack_push_nocheck((void *) (zend_uintptr_t)i TSRMLS_CC);
zend_vm_stack_clear_multiple(TSRMLS_C);
Modified: php/php-src/branches/PHP_5_4/NEWS
===================================================================
--- php/php-src/branches/PHP_5_4/NEWS 2012-03-11 15:12:28 UTC (rev 324107)
+++ php/php-src/branches/PHP_5_4/NEWS 2012-03-11 15:28:31 UTC (rev 324108)
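Review bot: The test only drives the path where the first by-reference parameter is rejected after the argument stack has had to grow; nothing checks that the new engine condition stays quiet when no fresh page was needed, so a regression that pops a live page in the small-argument case would pass this test. Adding one short call before the large one, `call_user_func_array(function(&$a) {}, array("*"));`, with a second expected `Warning:` line in the `--EXPECTF--` section, would cover both sides of the new condition in the same file. The trailing `okey` shows the script survived, but the "leaks" half of the title is not asserted here and presumably relies on the test runner's leak report, which only a debug build produces.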
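Review bot: The added condition wraps the comparison in `UNEXPECTED(UNEXPECTED(...))`, which is redundant and differs from the single-wrapped form committed to the PHP_5_4 and trunk copies of this same change (those in turn parenthesize `(EG(argument_stack)->top)` needlessly). It should read `if (i || UNEXPECTED(ZEND_VM_STACK_ELEMETS(EG(argument_stack)) == EG(argument_stack)->top)) {` so that the three branches stay textually identical and later merges between them apply cleanly. The enclosing parameter loop of zend_call_function starts and ends outside this hunk.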
@@ -8,6 +8,8 @@
. "Connection: close" instead of "Connection: closed" (Gustavo) - Core:
+ . Fixed bug #61273 (call_user_func_array with more than 16333 arguments
+ leaks / crashes). (Laruence)
. Fixed bug #61225 (Incorect lexing of 0b00*+<NUM>). (Pierrick)
. Fixed bug #61165 (Segfault - strip_tags()). (Laruence)
. Fixed bug #61106 (Segfault when using header_register_callback). (Nikita
Added: php/php-src/branches/PHP_5_4/Zend/tests/bug61273.phpt
===================================================================
--- php/php-src/branches/PHP_5_4/Zend/tests/bug61273.phpt (rev 0)
+++ php/php-src/branches/PHP_5_4/Zend/tests/bug61273.phpt 2012-03-11 15:28:31 UTC (rev 324108)
@@ -0,0 +1,15 @@
+--TEST--
+Bug #61273 (call_user_func_array with more than 16333 arguments leaks / crashes)
+--FILE--
+<?php
+/**
+ * for 5.3 #define ZEND_VM_STACK_PAGE_SIZE ((64 * 1024) - 64)
+ * for 5.4 #define ZEND_VM_STACK_PAGE_SIZE ((16 * 1024) - 16)
+ * we should trick EG(argument_stack) into growing
+ */
+$args = array_fill(0, 64 * 1024 - 64, "*");
+call_user_func_array(function(&$a) {}, $args);
+echo strval("okey");
+--EXPECTF--
+Warning: Parameter 1 to {closure}() expected to be a reference, value given in %sbug61273.php on line %d
+okey
Modified: php/php-src/branches/PHP_5_4/Zend/zend_execute_API.c
===================================================================
--- php/php-src/branches/PHP_5_4/Zend/zend_execute_API.c 2012-03-11 15:12:28 UTC (rev 324107)
+++ php/php-src/branches/PHP_5_4/Zend/zend_execute_API.c 2012-03-11 15:28:31 UTC (rev 324108)
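Review bot: The header comment lists both the 5.3 and the 5.4 `ZEND_VM_STACK_PAGE_SIZE` values, but the fill count `64 * 1024 - 64` is the 5.3 figure, so on this branch a reader cannot tell whether using it instead of `16 * 1024 - 16` is deliberate or a copy left unadjusted. If the intent is that one constant larger than either page size forces a grow on every branch, say so next to the `$args` line, e.g. `* 64K-64 exceeds the page size of both branches, so one constant forces the grow everywhere`; if the intent is to match the branch, the constant should change instead. Either way the comment should state which, since the test's value depends entirely on the stack actually growing.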
@@ -859,7 +859,7 @@
if (fci->no_separation && !ARG_MAY_BE_SENT_BY_REF(EX(function_state).function, i + 1)) {
- if(i) {
+ if (i || UNEXPECTED(ZEND_VM_STACK_ELEMETS(EG(argument_stack)) == (EG(argument_stack)->top))) {
/* hack to clean up the stack */
zend_vm_stack_push_nocheck((void *) (zend_uintptr_t)i TSRMLS_CC);
zend_vm_stack_clear_multiple(TSRMLS_C);
Added: php/php-src/trunk/Zend/tests/bug61273.phpt
===================================================================
--- php/php-src/trunk/Zend/tests/bug61273.phpt (rev 0)
+++ php/php-src/trunk/Zend/tests/bug61273.phpt 2012-03-11 15:28:31 UTC (rev 324108)
@@ -0,0 +1,15 @@
+--TEST--
+Bug #61273 (call_user_func_array with more than 16333 arguments leaks / crashes)
+--FILE--
+<?php
+/**
+ * for 5.3 #define ZEND_VM_STACK_PAGE_SIZE ((64 * 1024) - 64)
+ * for 5.4 #define ZEND_VM_STACK_PAGE_SIZE ((16 * 1024) - 16)
+ * we should trick EG(argument_stack) into growing
+ */
+$args = array_fill(0, 64 * 1024 - 64, "*");
+call_user_func_array(function(&$a) {}, $args);
+echo strval("okey");
+--EXPECTF--
+Warning: Parameter 1 to {closure}() expected to be a reference, value given in %sbug61273.php on line %d
+okey
Modified: php/php-src/trunk/Zend/zend_execute_API.c
===================================================================
--- php/php-src/trunk/Zend/zend_execute_API.c 2012-03-11 15:12:28 UTC (rev 324107)
+++ php/php-src/trunk/Zend/zend_execute_API.c 2012-03-11 15:28:31 UTC (rev 324108)
@@ -859,7 +859,7 @@
if (fci->no_separation && !ARG_MAY_BE_SENT_BY_REF(EX(function_state).function, i + 1)) {
- if(i) {
+ if (i || UNEXPECTED(ZEND_VM_STACK_ELEMETS(EG(argument_stack)) == (EG(argument_stack)->top))) {
/* hack to clean up the stack */
zend_vm_stack_push_nocheck((void *) (zend_uintptr_t)i TSRMLS_CC);
zend_vm_stack_clear_multiple(TSRMLS_C);
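Review bot: The new clause infers "a fresh page was just allocated for these arguments" from `ZEND_VM_STACK_ELEMETS(EG(argument_stack)) == EG(argument_stack)->top`, but that equality holds for any page whose top is back at its first element, presumably including the base page when nothing else is on the argument stack; if that state is reachable here, the cleanup that follows would release that page too, and `EG(argument_stack)` would be left pointing at whatever its `prev` is. A more direct signal is to record the stack pointer before the grow step that presumably precedes this loop (outside the hunk) and test it here, e.g. `zend_vm_stack orig_stack = EG(argument_stack);` before the grow and `if (i || EG(argument_stack) != orig_stack) {` at this line. Whether an empty base page can be observed at this point should be confirmed against the rest of zend_call_function, which starts and ends outside this hunk.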
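Review bot: The expected output pins only the warning and the trailing `okey`, so the "leaks" half of the bug title is not asserted by this test and presumably depends on a debug build's leak report, which a release build does not print. It is worth stating that in the header comment, e.g. `* the leak itself is only reported by a debug build; the output check only proves we did not crash`, so nobody later trims the file to a plain output test and silently drops that coverage. `echo strval("okey");` can also simply be `echo "okey";` — strval on a string literal adds nothing.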
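Review bot: The `/* hack to clean up the stack */` comment no longer explains the condition above it: the `i == 0` case now also enters the cleanup when the current argument-stack page is empty, and the reason — a page presumably allocated for these arguments before the loop and otherwise leaked, which is what this commit fixes — is not recorded anywhere in the code. A comment on the changed line, such as `/* i == 0 but a still-empty stack page was allocated for the arguments: pop it too, or it leaks (bug #61273) */`, would keep the intent from being lost the next time this branch is simplified. The surrounding loop begins and ends outside this hunk.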