Re: [PHP-CVS] svn: /php/php-src/ branches/PHP_5_3/NEWS branches/PHP_5_3/Zend/zend_API.c trunk/NEWS trunk/Zend/zend_API.c
Hi Laruence, The attached patch looks wired. The patch on top of it (r323563) makes it better. However, in my opinion it fixes a common problem just in a single place. Each call to __toString() that makes side effects may cause the similar problem. It would be great to make a right fix in zend_std_cast_object_tostring() itself, but probably it would require API change (e.g. sending zval** instead of zval*). So it could be fixed properly only in trunk. Thanks. Dmitry. On 02/25/2012 08:41 AM, Laruence wrote: Dmitry: you might want to review this fix. let me explain why crash before this fix. when doing parse_parameter, then convert the object to string by calling the ce-cast_object, and passed the same pointer(although there was a separation), to the cast_object.. then if __toString method stash $this somewhere, after the parameters clean up, the $this pointer will be impending.. then in the next loop, the return_value will happen used the same adress,, then balalala, cause the segfault.. sorry for my poor english, and hope I have made myself clearly, if there is any question , plz write me. thanks On Sat, Feb 25, 2012 at 12:36 PM, Xinchen Huilarue...@php.net wrote: laruence Sat, 25 Feb 2012 04:36:08 + Revision: http://svn.php.net/viewvc?view=revisionrevision=323489 Log: Fixed bug #61165 (Segfault - strip_tags()) Bug: https://bugs.php.net/61165 (Assigned) Segfault - strip_tags() Changed paths: U php/php-src/branches/PHP_5_3/NEWS U php/php-src/branches/PHP_5_3/Zend/zend_API.c U php/php-src/trunk/NEWS U php/php-src/trunk/Zend/zend_API.c Modified: php/php-src/branches/PHP_5_3/NEWS === --- php/php-src/branches/PHP_5_3/NEWS 2012-02-25 03:19:27 UTC (rev 323488) +++ php/php-src/branches/PHP_5_3/NEWS 2012-02-25 04:36:08 UTC (rev 323489) @@ -3,6 +3,7 @@ ?? ??? 2012, PHP 5.3.11 - Core: + . Fixed bug #61165 (Segfault - strip_tags()). (Laruence) . Improved max_input_vars directive to check nested variables (Dmitry). . Fixed bug #61095 (Incorect lexing of 0x00*+NUM). (Etienne) . Fixed bug #61072 (Memory leak when restoring an exception handler). Modified: php/php-src/branches/PHP_5_3/Zend/zend_API.c === --- php/php-src/branches/PHP_5_3/Zend/zend_API.c2012-02-25 03:19:27 UTC (rev 323488) +++ php/php-src/branches/PHP_5_3/Zend/zend_API.c2012-02-25 04:36:08 UTC (rev 323489) @@ -254,10 +254,15 @@ static int parse_arg_object_to_string(zval **arg TSRMLS_DC) /* {{{ */ { if (Z_OBJ_HANDLER_PP(arg, cast_object)) { - SEPARATE_ZVAL_IF_NOT_REF(arg); - if (Z_OBJ_HANDLER_PP(arg, cast_object)(*arg, *arg, IS_STRING TSRMLS_CC) == SUCCESS) { + zval *obj; + ALLOC_ZVAL(obj); + MAKE_COPY_ZVAL(arg, obj); + if (Z_OBJ_HANDLER_P(*arg, cast_object)(*arg, obj, IS_STRING TSRMLS_CC) == SUCCESS) { + zval_ptr_dtor(arg); + *arg = obj; return SUCCESS; } + zval_ptr_dtor(obj); } /* Standard PHP objects */ if (Z_OBJ_HT_PP(arg) ==std_object_handlers || !Z_OBJ_HANDLER_PP(arg, cast_object)) { Modified: php/php-src/trunk/NEWS === --- php/php-src/trunk/NEWS 2012-02-25 03:19:27 UTC (rev 323488) +++ php/php-src/trunk/NEWS 2012-02-25 04:36:08 UTC (rev 323489) @@ -6,6 +6,7 @@ . World domination - Core: + . Fixed bug #61165 (Segfault - strip_tags()). (Laruence) . Fixed bug #61072 (Memory leak when restoring an exception handler). (Nikic, Laruence) . Fixed bug #61000 (Exceeding max nesting level doesn't delete numerical Modified: php/php-src/trunk/Zend/zend_API.c === --- php/php-src/trunk/Zend/zend_API.c 2012-02-25 03:19:27 UTC (rev 323488) +++ php/php-src/trunk/Zend/zend_API.c 2012-02-25 04:36:08 UTC (rev 323489) @@ -262,12 +262,17 @@ static int parse_arg_object_to_string(zval **arg, char **p, int *pl, int type TSRMLS_DC) /* {{{ */ { if (Z_OBJ_HANDLER_PP(arg, cast_object)) { - SEPARATE_ZVAL_IF_NOT_REF(arg); - if (Z_OBJ_HANDLER_PP(arg, cast_object)(*arg, *arg, type TSRMLS_CC) == SUCCESS) { + zval *obj; + ALLOC_ZVAL(obj); + MAKE_COPY_ZVAL(arg, obj); + if (Z_OBJ_HANDLER_P(*arg, cast_object)(*arg, obj, type TSRMLS_CC) == SUCCESS) { + zval_ptr_dtor(arg); + *arg = obj; *pl = Z_STRLEN_PP(arg); *p = Z_STRVAL_PP(arg); return SUCCESS; } + zval_ptr_dtor(obj); }
Re: [PHP-CVS] svn: /php/php-src/ branches/PHP_5_3/NEWS branches/PHP_5_3/Zend/zend_API.c trunk/NEWS trunk/Zend/zend_API.c
On Mon, Feb 27, 2012 at 4:00 PM, Dmitry Stogov dmi...@zend.com wrote: Hi Laruence, The attached patch looks wired. The patch on top of it (r323563) makes it better. However, in my opinion it fixes a common problem just in a single place. Each call to __toString() that makes side effects may cause the similar problem. It would be great to make a right fix in zend_std_cast_object_tostring() itself, but probably it would require API Hi: before this fix, I thought about the same idea of that. but, you know, such change will need all exts who implmented their own cast_object handler change there codes too. for now, I exam the usage of std_cast_object_tostring, most of them do the similar things like this fix to avoid this issues(like ZEND_CAST handler). so I think, maybe it's okey for a temporary fix :) thanks change (e.g. sending zval** instead of zval*). So it could be fixed properly only in trunk. Thanks. Dmitry. On 02/25/2012 08:41 AM, Laruence wrote: Dmitry: you might want to review this fix. let me explain why crash before this fix. when doing parse_parameter, then convert the object to string by calling the ce-cast_object, and passed the same pointer(although there was a separation), to the cast_object.. then if __toString method stash $this somewhere, after the parameters clean up, the $this pointer will be impending.. then in the next loop, the return_value will happen used the same adress,, then balalala, cause the segfault.. sorry for my poor english, and hope I have made myself clearly, if there is any question , plz write me. thanks On Sat, Feb 25, 2012 at 12:36 PM, Xinchen Huilarue...@php.net wrote: laruence Sat, 25 Feb 2012 04:36:08 + Revision: http://svn.php.net/viewvc?view=revisionrevision=323489 Log: Fixed bug #61165 (Segfault - strip_tags()) Bug: https://bugs.php.net/61165 (Assigned) Segfault - strip_tags() Changed paths: U php/php-src/branches/PHP_5_3/NEWS U php/php-src/branches/PHP_5_3/Zend/zend_API.c U php/php-src/trunk/NEWS U php/php-src/trunk/Zend/zend_API.c Modified: php/php-src/branches/PHP_5_3/NEWS === --- php/php-src/branches/PHP_5_3/NEWS 2012-02-25 03:19:27 UTC (rev 323488) +++ php/php-src/branches/PHP_5_3/NEWS 2012-02-25 04:36:08 UTC (rev 323489) @@ -3,6 +3,7 @@ ?? ??? 2012, PHP 5.3.11 - Core: + . Fixed bug #61165 (Segfault - strip_tags()). (Laruence) . Improved max_input_vars directive to check nested variables (Dmitry). . Fixed bug #61095 (Incorect lexing of 0x00*+NUM). (Etienne) . Fixed bug #61072 (Memory leak when restoring an exception handler). Modified: php/php-src/branches/PHP_5_3/Zend/zend_API.c === --- php/php-src/branches/PHP_5_3/Zend/zend_API.c 2012-02-25 03:19:27 UTC (rev 323488) +++ php/php-src/branches/PHP_5_3/Zend/zend_API.c 2012-02-25 04:36:08 UTC (rev 323489) @@ -254,10 +254,15 @@ static int parse_arg_object_to_string(zval **arg TSRMLS_DC) /* {{{ */ { if (Z_OBJ_HANDLER_PP(arg, cast_object)) { - SEPARATE_ZVAL_IF_NOT_REF(arg); - if (Z_OBJ_HANDLER_PP(arg, cast_object)(*arg, *arg, IS_STRING TSRMLS_CC) == SUCCESS) { + zval *obj; + ALLOC_ZVAL(obj); + MAKE_COPY_ZVAL(arg, obj); + if (Z_OBJ_HANDLER_P(*arg, cast_object)(*arg, obj, IS_STRING TSRMLS_CC) == SUCCESS) { + zval_ptr_dtor(arg); + *arg = obj; return SUCCESS; } + zval_ptr_dtor(obj); } /* Standard PHP objects */ if (Z_OBJ_HT_PP(arg) ==std_object_handlers || !Z_OBJ_HANDLER_PP(arg, cast_object)) { Modified: php/php-src/trunk/NEWS === --- php/php-src/trunk/NEWS 2012-02-25 03:19:27 UTC (rev 323488) +++ php/php-src/trunk/NEWS 2012-02-25 04:36:08 UTC (rev 323489) @@ -6,6 +6,7 @@ . World domination - Core: + . Fixed bug #61165 (Segfault - strip_tags()). (Laruence) . Fixed bug #61072 (Memory leak when restoring an exception handler). (Nikic, Laruence) . Fixed bug #61000 (Exceeding max nesting level doesn't delete numerical Modified: php/php-src/trunk/Zend/zend_API.c === --- php/php-src/trunk/Zend/zend_API.c 2012-02-25 03:19:27 UTC (rev 323488) +++ php/php-src/trunk/Zend/zend_API.c 2012-02-25 04:36:08 UTC (rev 323489) @@ -262,12 +262,17 @@ static int parse_arg_object_to_string(zval **arg, char **p, int *pl, int type TSRMLS_DC) /* {{{ */ { if (Z_OBJ_HANDLER_PP(arg, cast_object)) { - SEPARATE_ZVAL_IF_NOT_REF(arg); - if (Z_OBJ_HANDLER_PP(arg,
Re: [PHP-CVS] svn: /php/php-src/ branches/PHP_5_3/NEWS branches/PHP_5_3/Zend/zend_API.c trunk/NEWS trunk/Zend/zend_API.c
On Mon, Feb 27, 2012 at 4:31 PM, Laruence larue...@php.net wrote: On Mon, Feb 27, 2012 at 4:00 PM, Dmitry Stogov dmi...@zend.com wrote: Hi Laruence, The attached patch looks wired. The patch on top of it (r323563) makes it better. However, in my opinion it fixes a common problem just in a single place. Each call to __toString() that makes side effects may cause the similar problem. It would be great to make a right fix in zend_std_cast_object_tostring() itself, but probably it would require API Hi: before this fix, I thought about the same idea of that. but, you know, such change will need all exts who implmented their own cast_object handler change there codes too. for now, I exam the usage of std_cast_object_tostring, most of them do the similar things like this fix to avoid this issues(like ZEND_CAST handler). so I think, maybe it's okey for a temporary fix :) what I mean temporary is, apply this fix to 5.3 and 5.4 then do the right fix which you said to 5.4.1 :) thanks thanks change (e.g. sending zval** instead of zval*). So it could be fixed properly only in trunk. Thanks. Dmitry. On 02/25/2012 08:41 AM, Laruence wrote: Dmitry: you might want to review this fix. let me explain why crash before this fix. when doing parse_parameter, then convert the object to string by calling the ce-cast_object, and passed the same pointer(although there was a separation), to the cast_object.. then if __toString method stash $this somewhere, after the parameters clean up, the $this pointer will be impending.. then in the next loop, the return_value will happen used the same adress,, then balalala, cause the segfault.. sorry for my poor english, and hope I have made myself clearly, if there is any question , plz write me. thanks On Sat, Feb 25, 2012 at 12:36 PM, Xinchen Huilarue...@php.net wrote: laruence Sat, 25 Feb 2012 04:36:08 + Revision: http://svn.php.net/viewvc?view=revisionrevision=323489 Log: Fixed bug #61165 (Segfault - strip_tags()) Bug: https://bugs.php.net/61165 (Assigned) Segfault - strip_tags() Changed paths: U php/php-src/branches/PHP_5_3/NEWS U php/php-src/branches/PHP_5_3/Zend/zend_API.c U php/php-src/trunk/NEWS U php/php-src/trunk/Zend/zend_API.c Modified: php/php-src/branches/PHP_5_3/NEWS === --- php/php-src/branches/PHP_5_3/NEWS 2012-02-25 03:19:27 UTC (rev 323488) +++ php/php-src/branches/PHP_5_3/NEWS 2012-02-25 04:36:08 UTC (rev 323489) @@ -3,6 +3,7 @@ ?? ??? 2012, PHP 5.3.11 - Core: + . Fixed bug #61165 (Segfault - strip_tags()). (Laruence) . Improved max_input_vars directive to check nested variables (Dmitry). . Fixed bug #61095 (Incorect lexing of 0x00*+NUM). (Etienne) . Fixed bug #61072 (Memory leak when restoring an exception handler). Modified: php/php-src/branches/PHP_5_3/Zend/zend_API.c === --- php/php-src/branches/PHP_5_3/Zend/zend_API.c 2012-02-25 03:19:27 UTC (rev 323488) +++ php/php-src/branches/PHP_5_3/Zend/zend_API.c 2012-02-25 04:36:08 UTC (rev 323489) @@ -254,10 +254,15 @@ static int parse_arg_object_to_string(zval **arg TSRMLS_DC) /* {{{ */ { if (Z_OBJ_HANDLER_PP(arg, cast_object)) { - SEPARATE_ZVAL_IF_NOT_REF(arg); - if (Z_OBJ_HANDLER_PP(arg, cast_object)(*arg, *arg, IS_STRING TSRMLS_CC) == SUCCESS) { + zval *obj; + ALLOC_ZVAL(obj); + MAKE_COPY_ZVAL(arg, obj); + if (Z_OBJ_HANDLER_P(*arg, cast_object)(*arg, obj, IS_STRING TSRMLS_CC) == SUCCESS) { + zval_ptr_dtor(arg); + *arg = obj; return SUCCESS; } + zval_ptr_dtor(obj); } /* Standard PHP objects */ if (Z_OBJ_HT_PP(arg) ==std_object_handlers || !Z_OBJ_HANDLER_PP(arg, cast_object)) { Modified: php/php-src/trunk/NEWS === --- php/php-src/trunk/NEWS 2012-02-25 03:19:27 UTC (rev 323488) +++ php/php-src/trunk/NEWS 2012-02-25 04:36:08 UTC (rev 323489) @@ -6,6 +6,7 @@ . World domination - Core: + . Fixed bug #61165 (Segfault - strip_tags()). (Laruence) . Fixed bug #61072 (Memory leak when restoring an exception handler). (Nikic, Laruence) . Fixed bug #61000 (Exceeding max nesting level doesn't delete numerical Modified: php/php-src/trunk/Zend/zend_API.c === --- php/php-src/trunk/Zend/zend_API.c 2012-02-25 03:19:27 UTC (rev 323488) +++ php/php-src/trunk/Zend/zend_API.c 2012-02-25 04:36:08 UTC (rev 323489) @@ -262,12 +262,17 @@ static int parse_arg_object_to_string(zval **arg, char **p, int *pl, int
Re: [PHP-CVS] svn: /php/php-src/ branches/PHP_5_3/NEWS branches/PHP_5_3/Zend/zend_API.c trunk/NEWS trunk/Zend/zend_API.c
On 02/27/2012 12:37 PM, Laruence wrote: On Mon, Feb 27, 2012 at 4:31 PM, Laruencelarue...@php.net wrote: On Mon, Feb 27, 2012 at 4:00 PM, Dmitry Stogovdmi...@zend.com wrote: Hi Laruence, The attached patch looks wired. The patch on top of it (r323563) makes it better. However, in my opinion it fixes a common problem just in a single place. Each call to __toString() that makes side effects may cause the similar problem. It would be great to make a right fix in zend_std_cast_object_tostring() itself, but probably it would require API Hi: before this fix, I thought about the same idea of that. but, you know, such change will need all exts who implmented their own cast_object handler change there codes too. for now, I exam the usage of std_cast_object_tostring, most of them do the similar things like this fix to avoid this issues(like ZEND_CAST handler). so I think, maybe it's okey for a temporary fix :) what I mean temporary is, apply this fix to 5.3 and 5.4 then do the right fix which you said to 5.4.1 :) we won't be able to change API in 5.4.1, so it's for 5.5. Thanks. Dmitry. thanks thanks change (e.g. sending zval** instead of zval*). So it could be fixed properly only in trunk. Thanks. Dmitry. On 02/25/2012 08:41 AM, Laruence wrote: Dmitry: you might want to review this fix. let me explain why crash before this fix. when doing parse_parameter, then convert the object to string by calling the ce-cast_object, and passed the same pointer(although there was a separation), to the cast_object.. then if __toString method stash $this somewhere, after the parameters clean up, the $this pointer will be impending.. then in the next loop, the return_value will happen used the same adress,, then balalala, cause the segfault.. sorry for my poor english, and hope I have made myself clearly, if there is any question , plz write me. thanks On Sat, Feb 25, 2012 at 12:36 PM, Xinchen Huilarue...@php.netwrote: laruence Sat, 25 Feb 2012 04:36:08 + Revision: http://svn.php.net/viewvc?view=revisionrevision=323489 Log: Fixed bug #61165 (Segfault - strip_tags()) Bug: https://bugs.php.net/61165 (Assigned) Segfault - strip_tags() Changed paths: U php/php-src/branches/PHP_5_3/NEWS U php/php-src/branches/PHP_5_3/Zend/zend_API.c U php/php-src/trunk/NEWS U php/php-src/trunk/Zend/zend_API.c Modified: php/php-src/branches/PHP_5_3/NEWS === --- php/php-src/branches/PHP_5_3/NEWS 2012-02-25 03:19:27 UTC (rev 323488) +++ php/php-src/branches/PHP_5_3/NEWS 2012-02-25 04:36:08 UTC (rev 323489) @@ -3,6 +3,7 @@ ?? ??? 2012, PHP 5.3.11 - Core: + . Fixed bug #61165 (Segfault - strip_tags()). (Laruence) . Improved max_input_vars directive to check nested variables (Dmitry). . Fixed bug #61095 (Incorect lexing of 0x00*+NUM). (Etienne) . Fixed bug #61072 (Memory leak when restoring an exception handler). Modified: php/php-src/branches/PHP_5_3/Zend/zend_API.c === --- php/php-src/branches/PHP_5_3/Zend/zend_API.c2012-02-25 03:19:27 UTC (rev 323488) +++ php/php-src/branches/PHP_5_3/Zend/zend_API.c2012-02-25 04:36:08 UTC (rev 323489) @@ -254,10 +254,15 @@ static int parse_arg_object_to_string(zval **arg TSRMLS_DC) /* {{{ */ { if (Z_OBJ_HANDLER_PP(arg, cast_object)) { - SEPARATE_ZVAL_IF_NOT_REF(arg); - if (Z_OBJ_HANDLER_PP(arg, cast_object)(*arg, *arg, IS_STRING TSRMLS_CC) == SUCCESS) { + zval *obj; + ALLOC_ZVAL(obj); + MAKE_COPY_ZVAL(arg, obj); + if (Z_OBJ_HANDLER_P(*arg, cast_object)(*arg, obj, IS_STRING TSRMLS_CC) == SUCCESS) { + zval_ptr_dtor(arg); + *arg = obj; return SUCCESS; } + zval_ptr_dtor(obj); } /* Standard PHP objects */ if (Z_OBJ_HT_PP(arg) ==std_object_handlers || !Z_OBJ_HANDLER_PP(arg, cast_object)) { Modified: php/php-src/trunk/NEWS === --- php/php-src/trunk/NEWS 2012-02-25 03:19:27 UTC (rev 323488) +++ php/php-src/trunk/NEWS 2012-02-25 04:36:08 UTC (rev 323489) @@ -6,6 +6,7 @@ . World domination - Core: + . Fixed bug #61165 (Segfault - strip_tags()). (Laruence) . Fixed bug #61072 (Memory leak when restoring an exception handler). (Nikic, Laruence) . Fixed bug #61000 (Exceeding max nesting level doesn't delete numerical Modified: php/php-src/trunk/Zend/zend_API.c === --- php/php-src/trunk/Zend/zend_API.c 2012-02-25 03:19:27 UTC (rev 323488) +++ php/php-src/trunk/Zend/zend_API.c 2012-02-25 04:36:08 UTC (rev 323489) @@ -262,12 +262,17 @@ static int
Re: [PHP-CVS] svn: /php/php-src/ branches/PHP_5_3/NEWS branches/PHP_5_3/Zend/zend_API.c trunk/NEWS trunk/Zend/zend_API.c
On Mon, 27 Feb 2012, Laruence wrote: On Mon, Feb 27, 2012 at 4:31 PM, Laruence larue...@php.net wrote: On Mon, Feb 27, 2012 at 4:00 PM, Dmitry Stogov dmi...@zend.com wrote: The attached patch looks wired. The patch on top of it (r323563) makes it better. However, in my opinion it fixes a common problem just in a single place. Each call to __toString() that makes side effects may cause the similar problem. It would be great to make a right fix in zend_std_cast_object_tostring() itself, but probably it would require API Hi: before this fix, I thought about the same idea of that. but, you know, such change will need all exts who implmented their own cast_object handler change there codes too. for now, I exam the usage of std_cast_object_tostring, most of them do the similar things like this fix to avoid this issues(like ZEND_CAST handler). so I think, maybe it's okey for a temporary fix :) what I mean temporary is, apply this fix to 5.3 and 5.4 then do the right fix which you said to 5.4.1 :) You can't break extension APIs between 5.4.0 and 5.4.1 either, API changes can only into trunk. cheers, Derick -- http://derickrethans.nl | http://xdebug.org Like Xdebug? Consider a donation: http://xdebug.org/donate.php twitter: @derickr and @xdebug -- PHP CVS Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP-CVS] svn: /php/php-src/ branches/PHP_5_3/NEWS branches/PHP_5_3/Zend/zend_API.c trunk/NEWS trunk/Zend/zend_API.c
On Mon, Feb 27, 2012 at 11:17 AM, Derick Rethans der...@php.net wrote: You can't break extension APIs between 5.4.0 and 5.4.1 either, API changes can only into trunk. And ABI neither. -- Pierre @pierrejoye | http://blog.thepimp.net | http://www.libgd.org -- PHP CVS Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP-CVS] Re: [PHP-DEV] Re: [PHP-CVS] svn: /php/php-src/ branches/PHP_5_3/NEWS branches/PHP_5_3/Zend/zend_API.c trunk/NEWS trunk/Zend/zend_API.c
On Mon, February 27, 2012 2:31 am, Laruence wrote: On Mon, Feb 27, 2012 at 4:00 PM, Dmitry Stogov dmi...@zend.com wrote: Hi Laruence, The attached patch looks wired. The patch on top of it (r323563) makes it better. However, in my opinion it fixes a common problem just in a single place. Each call to __toString() that makes side effects may cause the similar problem. It would be great to make a right fix in zend_std_cast_object_tostring() itself, but probably it would require API Hi: before this fix, I thought about the same idea of that. but, you know, such change will need all exts who implmented their own cast_object handler change there codes too. for now, I exam the usage of std_cast_object_tostring, most of them do the similar things like this fix to avoid this issues(like ZEND_CAST handler). so I think, maybe it's okey for a temporary fix :) Perhaps a better solution would be to make a NEW function that uses zval** and deprecate the old one with memory leaks. Old extensions remain functional, new extension consume less memory. (This presumes I actually understand the issue, which is questionable.) -- brain cancer update: http://richardlynch.blogspot.com/search/label/brain%20tumor Donate: https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclickhosted_button_id=FS9NLTNEEKWBE -- PHP CVS Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP-CVS] Re: [PHP-DEV] Re: [PHP-CVS] svn: /php/php-src/ branches/PHP_5_3/NEWS branches/PHP_5_3/Zend/zend_API.c trunk/NEWS trunk/Zend/zend_API.c
Out of curiosity, why are you changing it to copy the object for the result of the cast operation? cast_object should init the result zval, so why go through the step of copying the starting object to it? Wouldn't it be easier just to do: if (Z_OBJ_HANDLER_PP(arg, cast_object)) { zval *result; ALLOC_ZVAL(result); if (Z_OBJ_HANDLER_P(*arg, cast_object)(*arg, result, type TSRMLS_CC) == SUCCESS) { zval_ptr_dtor(arg); *pl = Z_STRLEN_PP(result); *p = Z_STRVAL_PP(result); zval_ptr_dtor(result); return SUCCESS; } zval_ptr_dtor(result); } Keeping both completely separate, and not having the possibility of corrupting the arg object pointer? As it is right now (with the patch in the first mail), wouldn't the possibility still exist of nuking the arg object pointer which could be used elsewhere (and hence cause the memory leak and segfault when that variable is referenced again)? (Un tested as of yet, just throwing it out there as it seems kind of weird to overwrite the arg pointer for what seems like no reason)... Anthony On Mon, Feb 27, 2012 at 10:22 AM, Richard Lynch c...@l-i-e.com wrote: On Mon, February 27, 2012 2:31 am, Laruence wrote: On Mon, Feb 27, 2012 at 4:00 PM, Dmitry Stogov dmi...@zend.com wrote: Hi Laruence, The attached patch looks wired. The patch on top of it (r323563) makes it better. However, in my opinion it fixes a common problem just in a single place. Each call to __toString() that makes side effects may cause the similar problem. It would be great to make a right fix in zend_std_cast_object_tostring() itself, but probably it would require API Hi: before this fix, I thought about the same idea of that. but, you know, such change will need all exts who implmented their own cast_object handler change there codes too. for now, I exam the usage of std_cast_object_tostring, most of them do the similar things like this fix to avoid this issues(like ZEND_CAST handler). so I think, maybe it's okey for a temporary fix :) Perhaps a better solution would be to make a NEW function that uses zval** and deprecate the old one with memory leaks. Old extensions remain functional, new extension consume less memory. (This presumes I actually understand the issue, which is questionable.) -- brain cancer update: http://richardlynch.blogspot.com/search/label/brain%20tumor Donate: https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclickhosted_button_id=FS9NLTNEEKWBE -- PHP Internals - PHP Runtime Development Mailing List To unsubscribe, visit: http://www.php.net/unsub.php -- PHP CVS Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP-CVS] Re: [PHP-DEV] Re: [PHP-CVS] svn: /php/php-src/ branches/PHP_5_3/NEWS branches/PHP_5_3/Zend/zend_API.c trunk/NEWS trunk/Zend/zend_API.c
Sent from my iPad 在 2012-2-28,0:10,Anthony Ferrara ircmax...@gmail.com 写道: Out of curiosity, why are you changing it to copy the object for the result of the cast operation? cast_object should init the result zval, so why go through the step of copying the starting object to plz look at the final fix: r323563 thanks r323563 Wouldn't it be easier just to do: if (Z_OBJ_HANDLER_PP(arg, cast_object)) { zval *result; ALLOC_ZVAL(result); if (Z_OBJ_HANDLER_P(*arg, cast_object)(*arg, result, type TSRMLS_CC) == SUCCESS) { zval_ptr_dtor(arg); *pl = Z_STRLEN_PP(result); *p = Z_STRVAL_PP(result); zval_ptr_dtor(result); return SUCCESS; } zval_ptr_dtor(result); } Keeping both completely separate, and not having the possibility of corrupting the arg object pointer? As it is right now (with the patch in the first mail), wouldn't the possibility still exist of nuking the arg object pointer which could be used elsewhere (and hence cause the memory leak and segfault when that variable is referenced again)? (Un tested as of yet, just throwing it out there as it seems kind of weird to overwrite the arg pointer for what seems like no reason)... Anthony On Mon, Feb 27, 2012 at 10:22 AM, Richard Lynch c...@l-i-e.com wrote: On Mon, February 27, 2012 2:31 am, Laruence wrote: On Mon, Feb 27, 2012 at 4:00 PM, Dmitry Stogov dmi...@zend.com wrote: Hi Laruence, The attached patch looks wired. The patch on top of it (r323563) makes it better. However, in my opinion it fixes a common problem just in a single place. Each call to __toString() that makes side effects may cause the similar problem. It would be great to make a right fix in zend_std_cast_object_tostring() itself, but probably it would require API Hi: before this fix, I thought about the same idea of that. but, you know, such change will need all exts who implmented their own cast_object handler change there codes too. for now, I exam the usage of std_cast_object_tostring, most of them do the similar things like this fix to avoid this issues(like ZEND_CAST handler). so I think, maybe it's okey for a temporary fix :) Perhaps a better solution would be to make a NEW function that uses zval** and deprecate the old one with memory leaks. Old extensions remain functional, new extension consume less memory. (This presumes I actually understand the issue, which is questionable.) -- brain cancer update: http://richardlynch.blogspot.com/search/label/brain%20tumor Donate: https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclickhosted_button_id=FS9NLTNEEKWBE -- PHP Internals - PHP Runtime Development Mailing List To unsubscribe, visit: http://www.php.net/unsub.php -- PHP CVS Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP-CVS] Re: [PHP-DEV] Re: [PHP-CVS] svn: /php/php-src/ branches/PHP_5_3/NEWS branches/PHP_5_3/Zend/zend_API.c trunk/NEWS trunk/Zend/zend_API.c
I initially looked at the final fix when I discovered the issue. Follow me out on this. This is the current code as-implemented in r323563: 265 zval *obj; 266 MAKE_STD_ZVAL(obj); 267 if (Z_OBJ_HANDLER_P(*arg, cast_object)(*arg, obj, type TSRMLS_CC) == SUCCESS) { 268 zval_ptr_dtor(arg); 269 *arg = obj; 270 *pl = Z_STRLEN_PP(arg); 271 *p = Z_STRVAL_PP(arg); 272 return SUCCESS; 273 } 274 efree(obj); The issue that I originally identified (overwriting the argument pointer) is still happening. Is there any reason for overwriting the arg pointer? Wouldn't it be better to just do the Z_STRLEN_PP and Z_STRVAL_PP operations on obj instead, and zval_ptr_dtor it as well (instead of efree, as that way if a reference is stored somewhere it won't result in a double free, or a segfault for accessing freed memory)? Thanks, Anthony On Mon, Feb 27, 2012 at 11:39 AM, Xinchen Hui larue...@gmail.com wrote: Sent from my iPad 在 2012-2-28,0:10,Anthony Ferrara ircmax...@gmail.com 写道: Out of curiosity, why are you changing it to copy the object for the result of the cast operation? cast_object should init the result zval, so why go through the step of copying the starting object to plz look at the final fix: r323563 thanks r323563 Wouldn't it be easier just to do: if (Z_OBJ_HANDLER_PP(arg, cast_object)) { zval *result; ALLOC_ZVAL(result); if (Z_OBJ_HANDLER_P(*arg, cast_object)(*arg, result, type TSRMLS_CC) == SUCCESS) { zval_ptr_dtor(arg); *pl = Z_STRLEN_PP(result); *p = Z_STRVAL_PP(result); zval_ptr_dtor(result); return SUCCESS; } zval_ptr_dtor(result); } Keeping both completely separate, and not having the possibility of corrupting the arg object pointer? As it is right now (with the patch in the first mail), wouldn't the possibility still exist of nuking the arg object pointer which could be used elsewhere (and hence cause the memory leak and segfault when that variable is referenced again)? (Un tested as of yet, just throwing it out there as it seems kind of weird to overwrite the arg pointer for what seems like no reason)... Anthony On Mon, Feb 27, 2012 at 10:22 AM, Richard Lynch c...@l-i-e.com wrote: On Mon, February 27, 2012 2:31 am, Laruence wrote: On Mon, Feb 27, 2012 at 4:00 PM, Dmitry Stogov dmi...@zend.com wrote: Hi Laruence, The attached patch looks wired. The patch on top of it (r323563) makes it better. However, in my opinion it fixes a common problem just in a single place. Each call to __toString() that makes side effects may cause the similar problem. It would be great to make a right fix in zend_std_cast_object_tostring() itself, but probably it would require API Hi: before this fix, I thought about the same idea of that. but, you know, such change will need all exts who implmented their own cast_object handler change there codes too. for now, I exam the usage of std_cast_object_tostring, most of them do the similar things like this fix to avoid this issues(like ZEND_CAST handler). so I think, maybe it's okey for a temporary fix :) Perhaps a better solution would be to make a NEW function that uses zval** and deprecate the old one with memory leaks. Old extensions remain functional, new extension consume less memory. (This presumes I actually understand the issue, which is questionable.) -- brain cancer update: http://richardlynch.blogspot.com/search/label/brain%20tumor Donate: https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclickhosted_button_id=FS9NLTNEEKWBE -- PHP Internals - PHP Runtime Development Mailing List To unsubscribe, visit: http://www.php.net/unsub.php -- PHP CVS Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP-CVS] Re: [PHP-DEV] Re: [PHP-CVS] svn: /php/php-src/ branches/PHP_5_3/NEWS branches/PHP_5_3/Zend/zend_API.c trunk/NEWS trunk/Zend/zend_API.c
On Tue, Feb 28, 2012 at 1:10 AM, Anthony Ferrara ircmax...@gmail.com wrote: I initially looked at the final fix when I discovered the issue. Follow me out on this. This is the current code as-implemented in r323563: 265 zval *obj; 266 MAKE_STD_ZVAL(obj); 267 if (Z_OBJ_HANDLER_P(*arg, cast_object)(*arg, obj, type TSRMLS_CC) == SUCCESS) { 268 zval_ptr_dtor(arg); 269 *arg = obj; 270 *pl = Z_STRLEN_PP(arg); 271 *p = Z_STRVAL_PP(arg); 272 return SUCCESS; 273 } 274 efree(obj); The issue that I originally identified (overwriting the argument pointer) is still happening. Is there any reason for overwriting the arg pointer? Wouldn't it be better to just do the Z_STRLEN_PP and Z_STRVAL_PP operations on obj instead, and zval_ptr_dtor it as well Oops, you are right.. thanks for pointing this out. :) (instead of efree, as that way if a reference is stored somewhere it won't result in a double free, or a segfault for accessing freed memory)? Thanks, Anthony On Mon, Feb 27, 2012 at 11:39 AM, Xinchen Hui larue...@gmail.com wrote: Sent from my iPad 在 2012-2-28,0:10,Anthony Ferrara ircmax...@gmail.com 写道: Out of curiosity, why are you changing it to copy the object for the result of the cast operation? cast_object should init the result zval, so why go through the step of copying the starting object to plz look at the final fix: r323563 thanks r323563 Wouldn't it be easier just to do: if (Z_OBJ_HANDLER_PP(arg, cast_object)) { zval *result; ALLOC_ZVAL(result); if (Z_OBJ_HANDLER_P(*arg, cast_object)(*arg, result, type TSRMLS_CC) == SUCCESS) { zval_ptr_dtor(arg); *pl = Z_STRLEN_PP(result); *p = Z_STRVAL_PP(result); zval_ptr_dtor(result); return SUCCESS; } zval_ptr_dtor(result); } Keeping both completely separate, and not having the possibility of corrupting the arg object pointer? As it is right now (with the patch in the first mail), wouldn't the possibility still exist of nuking the arg object pointer which could be used elsewhere (and hence cause the memory leak and segfault when that variable is referenced again)? (Un tested as of yet, just throwing it out there as it seems kind of weird to overwrite the arg pointer for what seems like no reason)... Anthony On Mon, Feb 27, 2012 at 10:22 AM, Richard Lynch c...@l-i-e.com wrote: On Mon, February 27, 2012 2:31 am, Laruence wrote: On Mon, Feb 27, 2012 at 4:00 PM, Dmitry Stogov dmi...@zend.com wrote: Hi Laruence, The attached patch looks wired. The patch on top of it (r323563) makes it better. However, in my opinion it fixes a common problem just in a single place. Each call to __toString() that makes side effects may cause the similar problem. It would be great to make a right fix in zend_std_cast_object_tostring() itself, but probably it would require API Hi: before this fix, I thought about the same idea of that. but, you know, such change will need all exts who implmented their own cast_object handler change there codes too. for now, I exam the usage of std_cast_object_tostring, most of them do the similar things like this fix to avoid this issues(like ZEND_CAST handler). so I think, maybe it's okey for a temporary fix :) Perhaps a better solution would be to make a NEW function that uses zval** and deprecate the old one with memory leaks. Old extensions remain functional, new extension consume less memory. (This presumes I actually understand the issue, which is questionable.) -- brain cancer update: http://richardlynch.blogspot.com/search/label/brain%20tumor Donate: https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclickhosted_button_id=FS9NLTNEEKWBE -- PHP Internals - PHP Runtime Development Mailing List To unsubscribe, visit: http://www.php.net/unsub.php -- 惠新宸 laruence Senior PHP Engineer http://www.laruence.com -- PHP CVS Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP-CVS] Re: [PHP-DEV] Re: [PHP-CVS] svn: /php/php-src/ branches/PHP_5_3/NEWS branches/PHP_5_3/Zend/zend_API.c trunk/NEWS trunk/Zend/zend_API.c
On Tue, Feb 28, 2012 at 10:38 AM, Xinchen Hui larue...@gmail.com wrote: On Tue, Feb 28, 2012 at 1:10 AM, Anthony Ferrara ircmax...@gmail.com wrote: I initially looked at the final fix when I discovered the issue. Follow me out on this. This is the current code as-implemented in r323563: 265 zval *obj; 266 MAKE_STD_ZVAL(obj); 267 if (Z_OBJ_HANDLER_P(*arg, cast_object)(*arg, obj, type TSRMLS_CC) == SUCCESS) { 268 zval_ptr_dtor(arg); 269 *arg = obj; 270 *pl = Z_STRLEN_PP(arg); 271 *p = Z_STRVAL_PP(arg); 272 return SUCCESS; 273 } 274 efree(obj); The issue that I originally identified (overwriting the argument pointer) is still happening. Is there any reason for overwriting the arg pointer? Wouldn't it be better to just do the Z_STRLEN_PP and Z_STRVAL_PP operations on obj instead, and zval_ptr_dtor it as well Oops, you are right.. thanks for pointing this out. :) Sorry, I miss-read your words. so I revoke my previous words. the reason for why overwriting arg, is we should record that new temp zval(IS_STRING), then release it while doing cleanup parameters. and also, fo 5.3, no p and pl paramters. thanks (instead of efree, as that way if a reference is stored somewhere it won't result in a double free, or a segfault for accessing freed memory)? Thanks, Anthony On Mon, Feb 27, 2012 at 11:39 AM, Xinchen Hui larue...@gmail.com wrote: Sent from my iPad 在 2012-2-28,0:10,Anthony Ferrara ircmax...@gmail.com 写道: Out of curiosity, why are you changing it to copy the object for the result of the cast operation? cast_object should init the result zval, so why go through the step of copying the starting object to plz look at the final fix: r323563 thanks r323563 Wouldn't it be easier just to do: if (Z_OBJ_HANDLER_PP(arg, cast_object)) { zval *result; ALLOC_ZVAL(result); if (Z_OBJ_HANDLER_P(*arg, cast_object)(*arg, result, type TSRMLS_CC) == SUCCESS) { zval_ptr_dtor(arg); *pl = Z_STRLEN_PP(result); *p = Z_STRVAL_PP(result); zval_ptr_dtor(result); return SUCCESS; } zval_ptr_dtor(result); } Keeping both completely separate, and not having the possibility of corrupting the arg object pointer? As it is right now (with the patch in the first mail), wouldn't the possibility still exist of nuking the arg object pointer which could be used elsewhere (and hence cause the memory leak and segfault when that variable is referenced again)? (Un tested as of yet, just throwing it out there as it seems kind of weird to overwrite the arg pointer for what seems like no reason)... Anthony On Mon, Feb 27, 2012 at 10:22 AM, Richard Lynch c...@l-i-e.com wrote: On Mon, February 27, 2012 2:31 am, Laruence wrote: On Mon, Feb 27, 2012 at 4:00 PM, Dmitry Stogov dmi...@zend.com wrote: Hi Laruence, The attached patch looks wired. The patch on top of it (r323563) makes it better. However, in my opinion it fixes a common problem just in a single place. Each call to __toString() that makes side effects may cause the similar problem. It would be great to make a right fix in zend_std_cast_object_tostring() itself, but probably it would require API Hi: before this fix, I thought about the same idea of that. but, you know, such change will need all exts who implmented their own cast_object handler change there codes too. for now, I exam the usage of std_cast_object_tostring, most of them do the similar things like this fix to avoid this issues(like ZEND_CAST handler). so I think, maybe it's okey for a temporary fix :) Perhaps a better solution would be to make a NEW function that uses zval** and deprecate the old one with memory leaks. Old extensions remain functional, new extension consume less memory. (This presumes I actually understand the issue, which is questionable.) -- brain cancer update: http://richardlynch.blogspot.com/search/label/brain%20tumor Donate: https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclickhosted_button_id=FS9NLTNEEKWBE -- PHP Internals - PHP Runtime Development Mailing List To unsubscribe, visit: http://www.php.net/unsub.php -- 惠新宸 laruence Senior PHP Engineer http://www.laruence.com -- 惠新宸 laruence Senior PHP Engineer http://www.laruence.com -- PHP CVS Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP-CVS] svn: /php/php-src/ branches/PHP_5_3/NEWS branches/PHP_5_3/Zend/zend_API.c trunk/NEWS trunk/Zend/zend_API.c
laruence Sat, 25 Feb 2012 04:36:08 + Revision: http://svn.php.net/viewvc?view=revisionrevision=323489 Log: Fixed bug #61165 (Segfault - strip_tags()) Bug: https://bugs.php.net/61165 (Assigned) Segfault - strip_tags() Changed paths: U php/php-src/branches/PHP_5_3/NEWS U php/php-src/branches/PHP_5_3/Zend/zend_API.c U php/php-src/trunk/NEWS U php/php-src/trunk/Zend/zend_API.c Modified: php/php-src/branches/PHP_5_3/NEWS === --- php/php-src/branches/PHP_5_3/NEWS 2012-02-25 03:19:27 UTC (rev 323488) +++ php/php-src/branches/PHP_5_3/NEWS 2012-02-25 04:36:08 UTC (rev 323489) @@ -3,6 +3,7 @@ ?? ??? 2012, PHP 5.3.11 - Core: + . Fixed bug #61165 (Segfault - strip_tags()). (Laruence) . Improved max_input_vars directive to check nested variables (Dmitry). . Fixed bug #61095 (Incorect lexing of 0x00*+NUM). (Etienne) . Fixed bug #61072 (Memory leak when restoring an exception handler). Modified: php/php-src/branches/PHP_5_3/Zend/zend_API.c === --- php/php-src/branches/PHP_5_3/Zend/zend_API.c2012-02-25 03:19:27 UTC (rev 323488) +++ php/php-src/branches/PHP_5_3/Zend/zend_API.c2012-02-25 04:36:08 UTC (rev 323489) @@ -254,10 +254,15 @@ static int parse_arg_object_to_string(zval **arg TSRMLS_DC) /* {{{ */ { if (Z_OBJ_HANDLER_PP(arg, cast_object)) { - SEPARATE_ZVAL_IF_NOT_REF(arg); - if (Z_OBJ_HANDLER_PP(arg, cast_object)(*arg, *arg, IS_STRING TSRMLS_CC) == SUCCESS) { + zval *obj; + ALLOC_ZVAL(obj); + MAKE_COPY_ZVAL(arg, obj); + if (Z_OBJ_HANDLER_P(*arg, cast_object)(*arg, obj, IS_STRING TSRMLS_CC) == SUCCESS) { + zval_ptr_dtor(arg); + *arg = obj; return SUCCESS; } + zval_ptr_dtor(obj); } /* Standard PHP objects */ if (Z_OBJ_HT_PP(arg) == std_object_handlers || !Z_OBJ_HANDLER_PP(arg, cast_object)) { Modified: php/php-src/trunk/NEWS === --- php/php-src/trunk/NEWS 2012-02-25 03:19:27 UTC (rev 323488) +++ php/php-src/trunk/NEWS 2012-02-25 04:36:08 UTC (rev 323489) @@ -6,6 +6,7 @@ . World domination - Core: + . Fixed bug #61165 (Segfault - strip_tags()). (Laruence) . Fixed bug #61072 (Memory leak when restoring an exception handler). (Nikic, Laruence) . Fixed bug #61000 (Exceeding max nesting level doesn't delete numerical Modified: php/php-src/trunk/Zend/zend_API.c === --- php/php-src/trunk/Zend/zend_API.c 2012-02-25 03:19:27 UTC (rev 323488) +++ php/php-src/trunk/Zend/zend_API.c 2012-02-25 04:36:08 UTC (rev 323489) @@ -262,12 +262,17 @@ static int parse_arg_object_to_string(zval **arg, char **p, int *pl, int type TSRMLS_DC) /* {{{ */ { if (Z_OBJ_HANDLER_PP(arg, cast_object)) { - SEPARATE_ZVAL_IF_NOT_REF(arg); - if (Z_OBJ_HANDLER_PP(arg, cast_object)(*arg, *arg, type TSRMLS_CC) == SUCCESS) { + zval *obj; + ALLOC_ZVAL(obj); + MAKE_COPY_ZVAL(arg, obj); + if (Z_OBJ_HANDLER_P(*arg, cast_object)(*arg, obj, type TSRMLS_CC) == SUCCESS) { + zval_ptr_dtor(arg); + *arg = obj; *pl = Z_STRLEN_PP(arg); *p = Z_STRVAL_PP(arg); return SUCCESS; } + zval_ptr_dtor(obj); } /* Standard PHP objects */ if (Z_OBJ_HT_PP(arg) == std_object_handlers || !Z_OBJ_HANDLER_PP(arg, cast_object)) { -- PHP CVS Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP-CVS] svn: /php/php-src/ branches/PHP_5_3/NEWS branches/PHP_5_3/Zend/zend_API.c trunk/NEWS trunk/Zend/zend_API.c
Dmitry: you might want to review this fix. let me explain why crash before this fix. when doing parse_parameter, then convert the object to string by calling the ce-cast_object, and passed the same pointer(although there was a separation), to the cast_object.. then if __toString method stash $this somewhere, after the parameters clean up, the $this pointer will be impending.. then in the next loop, the return_value will happen used the same adress,, then balalala, cause the segfault.. sorry for my poor english, and hope I have made myself clearly, if there is any question , plz write me. thanks On Sat, Feb 25, 2012 at 12:36 PM, Xinchen Hui larue...@php.net wrote: laruence Sat, 25 Feb 2012 04:36:08 + Revision: http://svn.php.net/viewvc?view=revisionrevision=323489 Log: Fixed bug #61165 (Segfault - strip_tags()) Bug: https://bugs.php.net/61165 (Assigned) Segfault - strip_tags() Changed paths: U php/php-src/branches/PHP_5_3/NEWS U php/php-src/branches/PHP_5_3/Zend/zend_API.c U php/php-src/trunk/NEWS U php/php-src/trunk/Zend/zend_API.c Modified: php/php-src/branches/PHP_5_3/NEWS === --- php/php-src/branches/PHP_5_3/NEWS 2012-02-25 03:19:27 UTC (rev 323488) +++ php/php-src/branches/PHP_5_3/NEWS 2012-02-25 04:36:08 UTC (rev 323489) @@ -3,6 +3,7 @@ ?? ??? 2012, PHP 5.3.11 - Core: + . Fixed bug #61165 (Segfault - strip_tags()). (Laruence) . Improved max_input_vars directive to check nested variables (Dmitry). . Fixed bug #61095 (Incorect lexing of 0x00*+NUM). (Etienne) . Fixed bug #61072 (Memory leak when restoring an exception handler). Modified: php/php-src/branches/PHP_5_3/Zend/zend_API.c === --- php/php-src/branches/PHP_5_3/Zend/zend_API.c 2012-02-25 03:19:27 UTC (rev 323488) +++ php/php-src/branches/PHP_5_3/Zend/zend_API.c 2012-02-25 04:36:08 UTC (rev 323489) @@ -254,10 +254,15 @@ static int parse_arg_object_to_string(zval **arg TSRMLS_DC) /* {{{ */ { if (Z_OBJ_HANDLER_PP(arg, cast_object)) { - SEPARATE_ZVAL_IF_NOT_REF(arg); - if (Z_OBJ_HANDLER_PP(arg, cast_object)(*arg, *arg, IS_STRING TSRMLS_CC) == SUCCESS) { + zval *obj; + ALLOC_ZVAL(obj); + MAKE_COPY_ZVAL(arg, obj); + if (Z_OBJ_HANDLER_P(*arg, cast_object)(*arg, obj, IS_STRING TSRMLS_CC) == SUCCESS) { + zval_ptr_dtor(arg); + *arg = obj; return SUCCESS; } + zval_ptr_dtor(obj); } /* Standard PHP objects */ if (Z_OBJ_HT_PP(arg) == std_object_handlers || !Z_OBJ_HANDLER_PP(arg, cast_object)) { Modified: php/php-src/trunk/NEWS === --- php/php-src/trunk/NEWS 2012-02-25 03:19:27 UTC (rev 323488) +++ php/php-src/trunk/NEWS 2012-02-25 04:36:08 UTC (rev 323489) @@ -6,6 +6,7 @@ . World domination - Core: + . Fixed bug #61165 (Segfault - strip_tags()). (Laruence) . Fixed bug #61072 (Memory leak when restoring an exception handler). (Nikic, Laruence) . Fixed bug #61000 (Exceeding max nesting level doesn't delete numerical Modified: php/php-src/trunk/Zend/zend_API.c === --- php/php-src/trunk/Zend/zend_API.c 2012-02-25 03:19:27 UTC (rev 323488) +++ php/php-src/trunk/Zend/zend_API.c 2012-02-25 04:36:08 UTC (rev 323489) @@ -262,12 +262,17 @@ static int parse_arg_object_to_string(zval **arg, char **p, int *pl, int type TSRMLS_DC) /* {{{ */ { if (Z_OBJ_HANDLER_PP(arg, cast_object)) { - SEPARATE_ZVAL_IF_NOT_REF(arg); - if (Z_OBJ_HANDLER_PP(arg, cast_object)(*arg, *arg, type TSRMLS_CC) == SUCCESS) { + zval *obj; + ALLOC_ZVAL(obj); + MAKE_COPY_ZVAL(arg, obj); + if (Z_OBJ_HANDLER_P(*arg, cast_object)(*arg, obj, type TSRMLS_CC) == SUCCESS) { + zval_ptr_dtor(arg); + *arg = obj; *pl = Z_STRLEN_PP(arg); *p = Z_STRVAL_PP(arg); return SUCCESS; } + zval_ptr_dtor(obj); } /* Standard PHP objects */ if (Z_OBJ_HT_PP(arg) == std_object_handlers || !Z_OBJ_HANDLER_PP(arg, cast_object)) { -- PHP CVS Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- Laruence Xinchen Hui http://www.laruence.com/ -- PHP CVS Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php