laruence                                 Sun, 11 Mar 2012 15:28:31 +0000

Revision: http://svn.php.net/viewvc?view=revision&revision=324108

Log:
Fixed bug #61273 (call_user_func_array with more than 16333 arguments leaks / 
crashes)

Bug: https://bugs.php.net/61273 (Assigned) call_user_func_array with more than 
16333 arguments leaks / crashes
      
Changed paths:
    U   php/php-src/branches/PHP_5_3/NEWS
    A   php/php-src/branches/PHP_5_3/Zend/tests/bug61273.phpt
    U   php/php-src/branches/PHP_5_3/Zend/zend_execute_API.c
    U   php/php-src/branches/PHP_5_4/NEWS
    A   php/php-src/branches/PHP_5_4/Zend/tests/bug61273.phpt
    U   php/php-src/branches/PHP_5_4/Zend/zend_execute_API.c
    A   php/php-src/trunk/Zend/tests/bug61273.phpt
    U   php/php-src/trunk/Zend/zend_execute_API.c

Modified: php/php-src/branches/PHP_5_3/NEWS
===================================================================
--- php/php-src/branches/PHP_5_3/NEWS   2012-03-11 15:12:28 UTC (rev 324107)
+++ php/php-src/branches/PHP_5_3/NEWS   2012-03-11 15:28:31 UTC (rev 324108)
@@ -3,6 +3,8 @@
 ?? ??? 2012, PHP 5.3.11

 - Core:
+  . Fixed bug #61273 (call_user_func_array with more than 16333 arguments
+    leaks / crashes). (Laruence)
   . Fixed bug #61165 (Segfault - strip_tags()). (Laruence)
   . Improved max_input_vars directive to check nested variables (Dmitry).
   . Fixed bug #61095 (Incorect lexing of 0x00*+<NUM>). (Etienne)

Added: php/php-src/branches/PHP_5_3/Zend/tests/bug61273.phpt
===================================================================
--- php/php-src/branches/PHP_5_3/Zend/tests/bug61273.phpt                       
        (rev 0)
+++ php/php-src/branches/PHP_5_3/Zend/tests/bug61273.phpt       2012-03-11 
15:28:31 UTC (rev 324108)
@@ -0,0 +1,15 @@
+--TEST--
+Bug #61273 (call_user_func_array with more than 16333 arguments leaks / 
crashes)
+--FILE--
+<?php
+/**
+ * for 5.3 #define ZEND_VM_STACK_PAGE_SIZE ((64 * 1024) - 64)
+ * for 5.4 #define ZEND_VM_STACK_PAGE_SIZE ((16 * 1024) - 16)
+ * we should trick EG(argument_stack) into growing
+ */
+$args = array_fill(0, 64 * 1024 - 64, "*");
+call_user_func_array(function(&$a) {}, $args);
+echo strval("okey");
+--EXPECTF--
+Warning: Parameter 1 to {closure}() expected to be a reference, value given in 
%sbug61273.php on line %d
+okey
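Review bot: The header comment of the added bug61273.phpt explains the two page sizes but not why the callback is `function(&$a) {}`; the EXPECTF block shows the reference mismatch is raised for `Parameter 1`, i.e. the very first argument, which appears to be the case the replaced `if(i)` guard in zend_execute_API.c used to skip, so a line such as `// by-ref parameter: the first argument fails the reference check, exercising the cleanup path that used to be skipped when i == 0` above the call would make the intent of the test reviewable. `echo strval("okey");` can simply be `echo "okey";`, since strval of a string literal adds nothing. The same applies to the identical PHP_5_4 and trunk copies of the test further down.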

Modified: php/php-src/branches/PHP_5_3/Zend/zend_execute_API.c
===================================================================
--- php/php-src/branches/PHP_5_3/Zend/zend_execute_API.c        2012-03-11 
15:12:28 UTC (rev 324107)
+++ php/php-src/branches/PHP_5_3/Zend/zend_execute_API.c        2012-03-11 
15:28:31 UTC (rev 324108)
@@ -877,7 +877,7 @@

                                if (fci->no_separation &&
                                    
!ARG_MAY_BE_SENT_BY_REF(EX(function_state).function, i + 1)) {
-                                       if(i) {
+                                       if (i || 
UNEXPECTED(UNEXPECTED(ZEND_VM_STACK_ELEMETS(EG(argument_stack)) == 
EG(argument_stack)->top))) {
                                                /* hack to clean up the stack */
                                                
zend_vm_stack_push_nocheck((void *) (zend_uintptr_t)i TSRMLS_CC);
                                                
zend_vm_stack_clear_multiple(TSRMLS_C);

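Review bot: In the PHP_5_3 hunk the replaced `if(i)` line wraps its comparison in `UNEXPECTED(UNEXPECTED(...))`; the inner macro is redundant and the PHP_5_4 and trunk hunks of the same file use a single one, so the 5.3 line should read `if (i || UNEXPECTED(ZEND_VM_STACK_ELEMETS(EG(argument_stack)) == EG(argument_stack)->top)) {`. In all three hunks the only explanation a reader gets is the pre-existing `/* hack to clean up the stack */`, which does not say why an empty current stack page must now be cleaned up even when no argument has been pushed; a why-comment on the new condition, e.g. `/* i == 0 but the argument stack already grew onto a fresh page (bug #61273): clean it up as well */`, would help, though that reading is inferred from the added .phpt pushing a page-sized argument array and should be confirmed against the real cause. The enclosing function starts and ends outside the hunk.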
Modified: php/php-src/branches/PHP_5_4/NEWS
===================================================================
--- php/php-src/branches/PHP_5_4/NEWS   2012-03-11 15:12:28 UTC (rev 324107)
+++ php/php-src/branches/PHP_5_4/NEWS   2012-03-11 15:28:31 UTC (rev 324108)
@@ -8,6 +8,8 @@
   . "Connection: close" instead of "Connection: closed" (Gustavo)

 - Core:
+  . Fixed bug #61273 (call_user_func_array with more than 16333 arguments
+    leaks / crashes). (Laruence)
   . Fixed bug #61225 (Incorect lexing of 0b00*+<NUM>). (Pierrick)
   . Fixed bug #61165 (Segfault - strip_tags()). (Laruence)
   . Fixed bug #61106 (Segfault when using header_register_callback). (Nikita

Added: php/php-src/branches/PHP_5_4/Zend/tests/bug61273.phpt
===================================================================
--- php/php-src/branches/PHP_5_4/Zend/tests/bug61273.phpt                       
        (rev 0)
+++ php/php-src/branches/PHP_5_4/Zend/tests/bug61273.phpt       2012-03-11 
15:28:31 UTC (rev 324108)
@@ -0,0 +1,15 @@
+--TEST--
+Bug #61273 (call_user_func_array with more than 16333 arguments leaks / 
crashes)
+--FILE--
+<?php
+/**
+ * for 5.3 #define ZEND_VM_STACK_PAGE_SIZE ((64 * 1024) - 64)
+ * for 5.4 #define ZEND_VM_STACK_PAGE_SIZE ((16 * 1024) - 16)
+ * we should trick EG(argument_stack) into growing
+ */
+$args = array_fill(0, 64 * 1024 - 64, "*");
+call_user_func_array(function(&$a) {}, $args);
+echo strval("okey");
+--EXPECTF--
+Warning: Parameter 1 to {closure}() expected to be a reference, value given in 
%sbug61273.php on line %d
+okey

Modified: php/php-src/branches/PHP_5_4/Zend/zend_execute_API.c
===================================================================
--- php/php-src/branches/PHP_5_4/Zend/zend_execute_API.c        2012-03-11 
15:12:28 UTC (rev 324107)
+++ php/php-src/branches/PHP_5_4/Zend/zend_execute_API.c        2012-03-11 
15:28:31 UTC (rev 324108)
@@ -859,7 +859,7 @@

                                if (fci->no_separation &&
                                    
!ARG_MAY_BE_SENT_BY_REF(EX(function_state).function, i + 1)) {
-                                       if(i) {
+                                       if (i || 
UNEXPECTED(ZEND_VM_STACK_ELEMETS(EG(argument_stack)) == 
(EG(argument_stack)->top))) {
                                                /* hack to clean up the stack */
                                                
zend_vm_stack_push_nocheck((void *) (zend_uintptr_t)i TSRMLS_CC);
                                                
zend_vm_stack_clear_multiple(TSRMLS_C);

Added: php/php-src/trunk/Zend/tests/bug61273.phpt
===================================================================
--- php/php-src/trunk/Zend/tests/bug61273.phpt                          (rev 0)
+++ php/php-src/trunk/Zend/tests/bug61273.phpt  2012-03-11 15:28:31 UTC (rev 
324108)
@@ -0,0 +1,15 @@
+--TEST--
+Bug #61273 (call_user_func_array with more than 16333 arguments leaks / 
crashes)
+--FILE--
+<?php
+/**
+ * for 5.3 #define ZEND_VM_STACK_PAGE_SIZE ((64 * 1024) - 64)
+ * for 5.4 #define ZEND_VM_STACK_PAGE_SIZE ((16 * 1024) - 16)
+ * we should trick EG(argument_stack) into growing
+ */
+$args = array_fill(0, 64 * 1024 - 64, "*");
+call_user_func_array(function(&$a) {}, $args);
+echo strval("okey");
+--EXPECTF--
+Warning: Parameter 1 to {closure}() expected to be a reference, value given in 
%sbug61273.php on line %d
+okey

Modified: php/php-src/trunk/Zend/zend_execute_API.c
===================================================================
--- php/php-src/trunk/Zend/zend_execute_API.c   2012-03-11 15:12:28 UTC (rev 
324107)
+++ php/php-src/trunk/Zend/zend_execute_API.c   2012-03-11 15:28:31 UTC (rev 
324108)
@@ -859,7 +859,7 @@

                                if (fci->no_separation &&
                                    
!ARG_MAY_BE_SENT_BY_REF(EX(function_state).function, i + 1)) {
-                                       if(i) {
+                                       if (i || 
UNEXPECTED(ZEND_VM_STACK_ELEMETS(EG(argument_stack)) == 
(EG(argument_stack)->top))) {
                                                /* hack to clean up the stack */
                                                
zend_vm_stack_push_nocheck((void *) (zend_uintptr_t)i TSRMLS_CC);
                                                
zend_vm_stack_clear_multiple(TSRMLS_C);
