From 950d5ee590214742799836d3d939ee59f641bdf4 Mon Sep 17 00:00:00 2001
From: Nuno Lopes
Date: Fri, 11 May 2012 12:50:29 -0400
Subject: [PATCH 1/3] fix stack overflow in php_intlog10abs() bug uncovered by LLVM/clang's new -fbounds-checking switch this patch fixes a crash in ext/standard/tests/math/round_large_exp.phpt
---
 ext/standard/math.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/ext/standard/math.c b/ext/standard/math.c
index 21c730c928560..749c77c75c7c3 100644
--- a/ext/standard/math.c
+++ b/ext/standard/math.c
@@ -37,7 +37,7 @@ static inline int php_intlog10abs(double value) {
 int result;
 value = fabs(value);
- if (value < 1e-8 || value > 1e23) {
+ if (value < 1e-8 || value > 1e22) {
 result = (int)floor(log10(value));
 } else {
 static const double values[] = {
@@ -46,7 +46,7 @@ static inline int php_intlog10abs(double value) {
 1e8, 1e9, 1e10, 1e11, 1e12, 1e13, 1e14, 1e15,
 1e16, 1e17, 1e18, 1e19, 1e20, 1e21, 1e22};
 /* Do a binary search with 5 steps */
- result = 16;
+ result = 15;
 if (value < values[result]) {
 result -= 8;
 } else {
From 8b4b70df56e14be0f7172b5cc5f8da44b3272ac3 Mon Sep 17 00:00:00 2001
From: Nuno Lopes
Date: Fri, 11 May 2012 12:50:29 -0400
Subject: [PATCH 2/3] fix stack overflow in php_intlog10abs() bug uncovered by LLVM/clang's new -fbounds-checking switch this patch fixes a crash in ext/standard/tests/math/round_large_exp.phpt
---
 ext/standard/math.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/ext/standard/math.c b/ext/standard/math.c
index 302fbdae488f1..65187f6fa10f3 100644
--- a/ext/standard/math.c
+++ b/ext/standard/math.c
@@ -37,7 +37,7 @@ static inline int php_intlog10abs(double value) {
 int result;
 value = fabs(value);
- if (value < 1e-8 || value > 1e23) {
+ if (value < 1e-8 || value > 1e22) {
 result = (int)floor(log10(value));
 } else {
 static const double values[] = {
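Review bot: In the `@@ -37,7 +37,7 @@` hunk of php_intlog10abs(), the fallback `result = (int)floor(log10(value));` is still reached for a zero or infinite `value`, where log10() returns an infinity and the conversion to `int` is undefined behaviour; tightening the guard to `value > 1e22` does not change that. Whether callers already filter those inputs is not visible here, and the function body continues outside the hunk. I would record the precondition above that line, for example `/* callers must pass a finite, non-zero value: log10() of 0 or INF cannot be converted to int */`. The same lines appear in PATCH 2/3.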
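Review bot: The new start index `result = 15;` in the `@@ -46,7 +46,7 @@` hunk is only correct for the table's current length, and nothing in the code records that dependency. If the table holds the 31 powers 1e-8 through 1e22 (its first rows are outside the hunk), a start of 15 with steps of 8, 4, 2 and 1 tops out at index 30, whereas the old start of 16 could reach 31, one past the end; the later steps are also outside the hunk, so this is inferred from the "binary search with 5 steps" comment. I would extend that comment to `/* Binary search over values[0..30]: start at 15 so 15 +/- 8 +/- 4 +/- 2 +/- 1 stays in range */` and note next to the guard that `1e22` must equal the last table entry. Because the array is `static const`, the fault is an out-of-bounds read of static data rather than a stack overflow, which is worth stating for anyone triaging it. PATCH 2/3 carries the identical hunk.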
@@ -46,7 +46,7 @@ static inline int php_intlog10abs(double value) {
 1e8, 1e9, 1e10, 1e11, 1e12, 1e13, 1e14, 1e15,
 1e16, 1e17, 1e18, 1e19, 1e20, 1e21, 1e22};
 /* Do a binary search with 5 steps */
- result = 16;
+ result = 15;
 if (value < values[result]) {
 result -= 8;
 } else {
From 3332943c9d20a8b5e09816b11f38742de0e16085 Mon Sep 17 00:00:00 2001
From: Xinchen Hui
Date: Sat, 12 May 2012 13:13:44 +0800
Subject: [PATCH 3/3] Fixed Bug #62005 (unexpected behavior when incrementally assigning to a member of a null object)
---
 NEWS | 2 ++
 Zend/tests/bug62005.phpt | 15 +++++++++++++++
 Zend/zend_execute.c | 3 +--
 3 files changed, 18 insertions(+), 2 deletions(-)
 create mode 100644 Zend/tests/bug62005.phpt
diff --git a/NEWS b/NEWS
index e9c13701cfd4b..1057db7d84673 100644
--- a/NEWS
+++ b/NEWS
@@ -11,6 +11,8 @@ PHP NEWS
 (Laruence)
 - Core:
+ . Fixed bug #62005 (unexpected behavior when incrementally assigning to a
+ member of a null object). (Laruence)
 . Fixed bug #61730 (Segfault from array_walk modifying an array passed by
 reference). (Laruence)
 . Fixed missing bound check in iptcparse(). (chris at chiappa.net)
diff --git a/Zend/tests/bug62005.phpt b/Zend/tests/bug62005.phpt
new file mode 100644
index 0000000000000..4ff4b2ca9a75a
--- /dev/null
+++ b/Zend/tests/bug62005.phpt
@@ -0,0 +1,15 @@
+--TEST--
+Bug #62005 (unexpected behavior when incrementally assigning to a member of a null object)
+--FILE--
+energy += $points;
+ print_r($player);
+}
+add_points(NULL, 2);
+--EXPECTF--
+Strict Standards: Creating default object from empty value in %sbug62005.php on line %d
+stdClass Object
+(
+ [energy] => 2
+)
diff --git a/Zend/zend_execute.c b/Zend/zend_execute.c
index 705c71389db31..4423921649f6f 100644
--- a/Zend/zend_execute.c
+++ b/Zend/zend_execute.c
@@ -432,11 +432,10 @@ static inline void make_real_object(zval **object_ptr TSRMLS_DC) || (Z_TYPE_PP(object_ptr) == IS_BOOL && Z_LVAL_PP(object_ptr) == 0) || (Z_TYPE_PP(object_ptr) == IS_STRING && Z_STRLEN_PP(object_ptr) == 0) ) { - zend_error(E_STRICT, "Creating default object from empty value"); - SEPARATE_ZVAL_IF_NOT_REF(object_ptr); zval_dtor(*object_ptr); object_init(*object_ptr); + zend_error(E_STRICT, "Creating default object from empty value"); } }
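Review bot: Nothing in make_real_object() says why the `zend_error(E_STRICT, ...)` call now has to follow `object_init(*object_ptr);`, so a later cleanup could move it back in front of the zval manipulation. zend_error() can hand control to a user-installed error handler, so code running after it must not assume the zval is unchanged. With the call last, the function itself no longer touches `*object_ptr` afterwards, but callers that go on to treat it as an object still do, and they are outside this hunk. A comment such as `/* raise the notice last: an error handler may run user code and modify the zval */` would pin the ordering. The collapsed hunk also leaves it unclear whether `SEPARATE_ZVAL_IF_NOT_REF(object_ptr);` is itself removed or is context following a removed blank line, and the function's opening lines are outside the hunk.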