
Fix bug #10287 - avoid crashing under a bogus usage of list()

zsuraski committed Jul 16, 2001
1 parent cdf0532 commit 43ebb86806501e2d84e075abc6da5b6a1a38db74
Showing with 22 additions and 4 deletions.
  1. +4 −2 Zend/zend_API.h
  2. +15 −0 Zend/zend_compile.c
  3. +1 −0 Zend/zend_globals.h
  4. +2 −2 Zend/zend_variables.c
@@ -243,9 +243,12 @@ ZEND_API int zend_set_hash_symbol(zval *symbol, char *name, int name_length,
#if ZEND_DEBUG
#define CHECK_ZVAL_STRING(z) \
-if ((z)->value.str.val[ (z)->value.str.len ] != '\0') zend_error(E_WARNING, "String is not zero-terminated (%s)",(z)->value.str.val);
+ if ((z)->value.str.val[ (z)->value.str.len ] != '\0') zend_error(E_WARNING, "String is not zero-terminated (%s)", (z)->value.str.val);
+#define CHECK_ZVAL_STRING_REL(z) \
+ if ((z)->value.str.val[ (z)->value.str.len ] != '\0') zend_error(E_WARNING, "String is not zero-terminated (%s) (source: %s:%d)", (z)->value.str.val ZEND_FILE_LINE_RELAY_CC);
#else
#define CHECK_ZVAL_STRING(z)
+#define CHECK_ZVAL_STRING_REL(z)
#endif
#define ZVAL_RESOURCE(z,l) { \
@@ -284,7 +287,6 @@ if ((z)->value.str.val[ (z)->value.str.len ] != '\0') zend_error(E_WARNING, "Str
(z)->value.str.len = __l; \
(z)->value.str.val = (duplicate?estrndup(__s,__l):__s); \
(z)->type = IS_STRING; \
- CHECK_ZVAL_STRING(z); \
}
#define ZVAL_EMPTY_STRING(z) { \
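Review bot: Both debug macros in the first hunk print `(z)->value.str.val` with `%s` right after finding that the byte at `value.str.len` is not NUL, so the warning itself reads past the recorded length until it happens to reach a zero byte. Bounding the output to the stored length avoids that over-read, e.g. `"String is not zero-terminated (%.*s) (source: %s:%d)", (z)->value.str.len, (z)->value.str.val ZEND_FILE_LINE_RELAY_CC`, assuming zend_error's formatter honours a precision argument, which is not visible here. The macros are also bare `if` statements; wrapping each body in `do { ... } while (0)` would remove the dangling-else hazard when a caller writes `if (x) CHECK_ZVAL_STRING_REL(z); else ...`. A one-line comment stating that `CHECK_ZVAL_STRING_REL` may only be used inside functions declared with `ZEND_FILE_LINE_DC` would document the constraint that the Zend/zend_variables.c call sites satisfy.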
@@ -77,6 +77,7 @@ void zend_init_compiler_data_structures(CLS_D)
CG(active_ce_parent_class_name).value.str.val = NULL;
zend_llist_init(&CG(list_llist), sizeof(list_llist_element), NULL, 0);
zend_llist_init(&CG(dimension_llist), sizeof(int), NULL, 0);
+ zend_stack_init(&CG(list_stack));
CG(handle_op_arrays) = 1;
CG(in_compilation) = 0;
init_compiler_declarables(CLS_C);
@@ -101,6 +102,7 @@ void shutdown_compiler(CLS_D)
zend_stack_destroy(&CG(foreach_copy_stack));
zend_stack_destroy(&CG(object_stack));
zend_stack_destroy(&CG(declare_stack));
+ zend_stack_destroy(&CG(list_stack));
zend_hash_destroy(&CG(filenames_table));
zend_llist_destroy(&CG(open_files));
}
@@ -1853,6 +1855,8 @@ void zend_do_new_list_end(CLS_D)
void zend_do_list_init(CLS_D)
{
+ zend_stack_push(&CG(list_stack), &CG(list_llist), sizeof(zend_llist));
+ zend_stack_push(&CG(list_stack), &CG(dimension_llist), sizeof(zend_llist));
zend_llist_init(&CG(list_llist), sizeof(list_llist_element), NULL, 0);
zend_llist_init(&CG(dimension_llist), sizeof(int), NULL, 0);
zend_do_new_list_begin(CLS_C);
@@ -1911,6 +1915,17 @@ void zend_do_list_end(znode *result, znode *expr CLS_DC)
zend_llist_destroy(&CG(dimension_llist));
zend_llist_destroy(&CG(list_llist));
*result = *expr;
+ {
+ zend_llist *p;
+
+ /* restore previous lists */
+ zend_stack_top(&CG(list_stack), (void **) &p);
+ CG(dimension_llist) = *p;
+ zend_stack_del_top(&CG(list_stack));
+ zend_stack_top(&CG(list_stack), (void **) &p);
+ CG(list_llist) = *p;
+ zend_stack_del_top(&CG(list_stack));
+ }
}
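Review bot: The restore block added at the end of `zend_do_list_end()` ignores the return value of both `zend_stack_top()` calls and then dereferences `p`, which is declared without an initialiser, so an empty or unbalanced `list_stack` would become a read through an invalid pointer inside the compiler. Since this commit exists to stop malformed `list()` usage from crashing, it would be safer to declare `zend_llist *p = NULL;` and assign only when the call succeeds, e.g. `if (zend_stack_top(&CG(list_stack), (void **) &p) == SUCCESS) { CG(dimension_llist) = *p; zend_stack_del_top(&CG(list_stack)); }` and likewise for `list_llist`, assuming the function reports failure through its return value. The pops depend on mirroring the push order in `zend_do_list_init()` (list_llist first, dimension_llist second); a comment such as `/* popped in reverse order of the pushes in zend_do_list_init() */` would make that coupling explicit. It is also worth confirming what happens to the saved list copies if compilation aborts between init and end, since `shutdown_compiler()` only calls `zend_stack_destroy()` on the stack. Both function bodies extend beyond the visible hunks.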
@@ -78,6 +78,7 @@ struct _zend_compiler_globals {
/* variables for list() compilation */
zend_llist list_llist;
zend_llist dimension_llist;
+ zend_stack list_stack;
zend_stack function_call_stack;
@@ -40,7 +40,7 @@ ZEND_API void _zval_dtor(zval *zvalue ZEND_FILE_LINE_DC)
switch(zvalue->type) {
case IS_STRING:
case IS_CONSTANT:
- CHECK_ZVAL_STRING(zvalue);
+ CHECK_ZVAL_STRING_REL(zvalue);
STR_FREE_REL(zvalue->value.str.val);
break;
case IS_ARRAY:
@@ -96,7 +96,7 @@ ZEND_API int _zval_copy_ctor(zval *zvalue ZEND_FILE_LINE_DC)
return SUCCESS;
}
}
- CHECK_ZVAL_STRING(zvalue);
+ CHECK_ZVAL_STRING_REL(zvalue);
zvalue->value.str.val = (char *) estrndup_rel(zvalue->value.str.val, zvalue->value.str.len);
break;
case IS_ARRAY:
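Review bot: In `_zval_dtor` the debug check reads `zvalue->value.str.val[len]` before `STR_FREE_REL` runs, so a string zval whose `val` is NULL would fault in the check in debug builds even if the free macro itself tolerates NULL (its definition is not shown here, so this is an assumption to confirm). Zend/zend_compile.c in this same commit sets `CG(active_ce_parent_class_name).value.str.val = NULL`, so NULL string pointers do occur in zvals. Guarding inside the macro, `if ((z)->value.str.val && (z)->value.str.val[(z)->value.str.len] != '\0')`, would cover both call sites changed here. Both functions start and end outside the hunks.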
