Disable the hash_apply() protection on hashes that persist across requests - it's unsafe because we may be aborted at any point
commit 1263932a0dd7065497f97dc89d13df74d75ac382 1 parent 148317f
@zsuraski zsuraski authored
Showing with 37 additions and 15 deletions.
  1. +7 −7 Zend/zend.c
  2. +28 −8 Zend/zend_hash.c
  3. +2 −0  Zend/zend_hash.h
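--- a/Zend/zend.c
+++ b/Zend/zend.c
@@ -233,8 +233,8 @@ static void register_standard_class(void)
 zend_standard_class_def.name_length = sizeof("stdClass") - 1;
 zend_standard_class_def.name = zend_strndup("stdClass", zend_standard_class_def.name_length);
 zend_standard_class_def.parent = NULL;
- zend_hash_init(&zend_standard_class_def.default_properties, 0, NULL, ZVAL_PTR_DTOR, 1);
- zend_hash_init(&zend_standard_class_def.function_table, 0, NULL, ZEND_FUNCTION_DTOR, 1);
+ zend_hash_init_ex(&zend_standard_class_def.default_properties, 0, NULL, ZVAL_PTR_DTOR, 1, 0);
+ zend_hash_init_ex(&zend_standard_class_def.function_table, 0, NULL, ZEND_FUNCTION_DTOR, 1, 0);
 zend_standard_class_def.handle_function_call = NULL;
 zend_standard_class_def.handle_property_get = NULL;
 zend_standard_class_def.handle_property_set = NULL;
@@ -261,11 +261,11 @@ static void compiler_globals_ctor(zend_compiler_globals *compiler_globals)
 zend_class_entry tmp_class;
 compiler_globals->function_table = (HashTable *) malloc(sizeof(HashTable));
- zend_hash_init(compiler_globals->function_table, 100, NULL, ZEND_FUNCTION_DTOR, 1);
+ zend_hash_init_ex(compiler_globals->function_table, 100, NULL, ZEND_FUNCTION_DTOR, 1, 0);
 zend_hash_copy(compiler_globals->function_table, global_function_table, NULL, &tmp_func, sizeof(zend_function));
 compiler_globals->class_table = (HashTable *) malloc(sizeof(HashTable));
- zend_hash_init(compiler_globals->class_table, 10, NULL, ZEND_CLASS_DTOR, 1);
+ zend_hash_init_ex(compiler_globals->class_table, 10, NULL, ZEND_CLASS_DTOR, 1, 0);
 zend_hash_copy(compiler_globals->class_table, global_class_table, (copy_ctor_func_t) zend_class_add_ref, &tmp_class, sizeof(zend_class_entry));
 zend_set_default_compile_time_values(CLS_C);
@@ -366,10 +366,10 @@ int zend_startup(zend_utility_functions *utility_functions, char **extensions, i
 GLOBAL_FUNCTION_TABLE = (HashTable *) malloc(sizeof(HashTable));
 GLOBAL_CLASS_TABLE = (HashTable *) malloc(sizeof(HashTable));
- zend_hash_init(GLOBAL_FUNCTION_TABLE, 100, NULL, ZEND_FUNCTION_DTOR, 1);
- zend_hash_init(GLOBAL_CLASS_TABLE, 10, NULL, ZEND_CLASS_DTOR, 1);
+ zend_hash_init_ex(GLOBAL_FUNCTION_TABLE, 100, NULL, ZEND_FUNCTION_DTOR, 1, 0);
+ zend_hash_init_ex(GLOBAL_CLASS_TABLE, 10, NULL, ZEND_CLASS_DTOR, 1, 0);
 register_standard_class();
- zend_hash_init(&module_registry, 50, NULL, ZEND_MODULE_DTOR, 1);
+ zend_hash_init_ex(&module_registry, 50, NULL, ZEND_MODULE_DTOR, 1, 0);
 zend_init_rsrc_list_dtors();
 /* This zval can be used to initialize allocate zval's to an uninit'ed value */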
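Review bot: The trailing `0` passed to `zend_hash_init_ex()` in register_standard_class(), compiler_globals_ctor() and zend_startup() is an unexplained literal, so a reader of these call sites cannot tell that it switches off the apply-recursion guard or why. A short comment at the first call would carry the rationale from the commit message, for example `/* persistent table: apply protection off, an aborted request could otherwise leave nApplyCount raised */` (the stuck-counter reading is inferred from the commit title, so confirm the wording). With the guard off these tables no longer have a nesting limit in the apply functions, which is worth stating next to the call. All three functions continue outside their hunks.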
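--- a/Zend/zend_hash.c
+++ b/Zend/zend_hash.c
@@ -108,14 +108,16 @@ static void _zend_is_inconsistent(HashTable *ht, char *file, int line)
 #define SET_INCONSISTENT(n)
 #endif
-#define HASH_APPLY_BEGIN(ht) \
- if ((ht)->nApplyCount>=3) { \
- zend_error(E_WARNING, "Nesting level too deep - recursive dependency?"); \
- return; \
- } \
- (ht)->nApplyCount++;
-
-#define HASH_APPLY_END(ht) \
+#define HASH_APPLY_BEGIN(ht) \
+ if ((ht)->bApplyProtection) { \
+ if ((ht)->nApplyCount>=3) { \
+ zend_error(E_WARNING, "Nesting level too deep - recursive dependency?"); \
+ return; \
+ } \
+ (ht)->nApplyCount++; \
+ }
+
+#define HASH_APPLY_END(ht) \
 (ht)->nApplyCount--;
@@ -216,9 +218,27 @@ ZEND_API int zend_hash_init(HashTable *ht, uint nSize, hash_func_t pHashFunction
 ht->pInternalPointer = NULL;
 ht->persistent = persistent;
 ht->nApplyCount = 0;
+ ht->bApplyProtection = 1;
 return SUCCESS;
 }
+
+ZEND_API int zend_hash_init_ex(HashTable *ht, uint nSize, hash_func_t pHashFunction, dtor_func_t pDestructor, int persistent, zend_bool bApplyProtection)
+{
+ int retval = zend_hash_init(ht, nSize, pHashFunction, pDestructor, persistent);
+
+ ht->bApplyProtection = bApplyProtection;
+ return retval;
+}
+
+
+ZEND_API void zend_hash_set_apply_protection(HashTable *ht, zend_bool bApplyProtection)
+{
+ ht->bApplyProtection = bApplyProtection;
+}
+
+
+
 ZEND_API int zend_hash_add_or_update(HashTable *ht, char *arKey, uint nKeyLength, void *pData, uint nDataSize, void **pDest, int flag)
 {
 ulong h;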
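Review bot: `HASH_APPLY_END` still runs `(ht)->nApplyCount--;` unconditionally, while the new `HASH_APPLY_BEGIN` increments only when `bApplyProtection` is set. On an unprotected table every apply call therefore decrements an `unsigned char` counter that was never raised, and it wraps from 0 to 255. If protection is later switched on for such a table through `zend_hash_set_apply_protection()`, the `>=3` test would reject every apply with the nesting warning. Guarding the decrement the same way keeps the pair balanced: `#define HASH_APPLY_END(ht) if ((ht)->bApplyProtection) { (ht)->nApplyCount--; }`. The setter could also reset `nApplyCount` to 0 when it enables the guard.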
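--- a/Zend/zend_hash.h
+++ b/Zend/zend_hash.h
@@ -68,6 +68,7 @@ typedef struct _hashtable {
 dtor_func_t pDestructor;
 zend_bool persistent;
 unsigned char nApplyCount;
+ zend_bool bApplyProtection;
 #if ZEND_DEBUG
 int inconsistent;
 #endif
@@ -79,6 +80,7 @@ BEGIN_EXTERN_C()
 /* startup/shutdown */
 ZEND_API int zend_hash_init(HashTable *ht, uint nSize, hash_func_t pHashFunction, dtor_func_t pDestructor, int persistent);
+ZEND_API int zend_hash_init_ex(HashTable *ht, uint nSize, hash_func_t pHashFunction, dtor_func_t pDestructor, int persistent, zend_bool bApplyProtection);
 ZEND_API void zend_hash_destroy(HashTable *ht);
 ZEND_API void zend_hash_clean(HashTable *ht);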
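Review bot: `zend_hash_set_apply_protection()` is defined as `ZEND_API` in Zend/zend_hash.c, but neither of the two additions to this header declares it, so callers outside that file would have no prototype to compile against. Add `ZEND_API void zend_hash_set_apply_protection(HashTable *ht, zend_bool bApplyProtection);` next to the `zend_hash_init_ex` declaration, unless it is already declared in a part of the header not shown here. The new `bApplyProtection` member also changes the layout of `HashTable`, so anything built against the old header needs a rebuild.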