
fix bug #36898 (__set() leaks in classes extending internal ones)

Added:
ZEND_API void zend_object_std_init(zend_object *object, zend_class_entry *ce TSRMLS_DC)
ZEND_API void zend_object_std_dtor(zend_object *object TSRMLS_DC)

to initialize and destroy zend_object structs
1 parent 697c652 commit 59b8592c8cb51599147f990ad8b61d8d02cfce05 @tony2001 tony2001 committed Mar 29, 2006
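--- a/NEWS
+++ b/NEWS
@@ -12,6 +12,8 @@ PHP NEWS
 - Removed the E_STRICT deprecation notice from "var". (Ilia)
 - Fixed debug_zval_dump() to support private and protected members. (Dmitry)
 - Fixed SoapFault::getMessage(). (Dmitry)
+- Fixed bug #36898 (__set() leaks in classes extending internal ones).
+ (Tony, Dmitry)
 - Fixed bug #36886 (User filters can leak buckets in some situations). (Ilia)
 - Fixed bug #36878 (error messages are printed even though an exception has
 been thrown). (Tony)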
@@ -25,6 +25,26 @@
#include "zend_API.h"
#include "zend_interfaces.h"
+ZEND_API void zend_object_std_init(zend_object *object, zend_class_entry *ce TSRMLS_DC)
+{
+ ALLOC_HASHTABLE(object->properties);
+ zend_hash_init(object->properties, 0, NULL, ZVAL_PTR_DTOR, 0);
+
+ object->ce = ce;
+ object->guards = NULL;
+}
+
+ZEND_API void zend_object_std_dtor(zend_object *object TSRMLS_DC)
+{
+ if (object->guards) {
+ zend_hash_destroy(object->guards);
+ FREE_HASHTABLE(object->guards);
+ }
+ if (object->properties) {
+ zend_hash_destroy(object->properties);
+ FREE_HASHTABLE(object->properties);
+ }
+}
ZEND_API void zend_objects_destroy_object(zend_object *object, zend_object_handle handle TSRMLS_DC)
{
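Review bot: zend_object_std_dtor() leaves `object->guards` and `object->properties` pointing at freed memory, so its `if (object->...)` checks only protect an object that was never initialised, and a second call on the same zend_object would free both tables again. The date handlers converted later in this commit used to reset `intern->std.properties = NULL` after freeing, and that reset is lost in the shared helper. Because the function is exported for extensions that embed a zend_object, add `object->guards = NULL;` and `object->properties = NULL;` after the respective FREE_HASHTABLE() calls. Every caller visible in this commit frees the containing struct right afterwards, so this is hardening rather than a fix for a double free that can be seen here.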
@@ -88,12 +108,7 @@ ZEND_API void zend_objects_destroy_object(zend_object *object, zend_object_handl
ZEND_API void zend_objects_free_object_storage(zend_object *object TSRMLS_DC)
{
- if (object->guards) {
- zend_hash_destroy(object->guards);
- FREE_HASHTABLE(object->guards);
- }
- zend_hash_destroy(object->properties);
- FREE_HASHTABLE(object->properties);
+ zend_object_std_dtor(object TSRMLS_CC);
efree(object);
}
@@ -25,6 +25,8 @@
#include "zend.h"
BEGIN_EXTERN_C()
+ZEND_API void zend_object_std_init(zend_object *object, zend_class_entry *ce TSRMLS_DC);
+ZEND_API void zend_object_std_dtor(zend_object *object TSRMLS_DC);
ZEND_API zend_object_value zend_objects_new(zend_object **object, zend_class_entry *class_type TSRMLS_DC);
ZEND_API void zend_objects_destroy_object(zend_object *object, zend_object_handle handle TSRMLS_DC);
ZEND_API zend_object *zend_objects_get_address(zval *object TSRMLS_DC);
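Review bot: The two new prototypes are exported with no statement of their contract, and the callers in this commit show what has to be known to use them safely. A comment above them should say that zend_object_std_init() allocates an empty properties table, sets `ce` and clears `guards` but does not copy the class's default properties, and that zend_object_std_dtor() destroys the guards and properties tables but does not free the zend_object or the struct that contains it. For example: `/* init: allocates properties, sets ce, guards = NULL; caller copies default_properties */` and `/* dtor: frees guards and properties only; caller efree()s the object */`.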
@@ -708,8 +708,7 @@ static void helper_free_storage(void *obj TSRMLS_DC)
if (object->unk) {
IUnknown_Release(object->unk);
}
- zend_hash_destroy(object->std.properties);
- FREE_HASHTABLE(object->std.properties);
+ zend_object_std_dtor(&object->std TSRMLS_CC);
efree(object);
}
@@ -722,9 +721,8 @@ static void helper_clone(void *obj, void **clone_ptr TSRMLS_DC)
memcpy(clone, object, sizeof(*object));
*clone_ptr = clone;
- ALLOC_HASHTABLE(clone->std.properties);
- zend_hash_init(clone->std.properties, 0, NULL, ZVAL_PTR_DTOR, 0);
-
+ zend_object_std_init(&clone->std, object->std.ce TSRMLS_CC);
+
if (clone->ipf) {
IPersistFile_AddRef(clone->ipf);
}
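Review bot: The `zend_object_std_init()` call in helper_clone is only correct because it runs after the `memcpy(clone, object, sizeof(*object))` above it. The copy leaves `clone->std.guards` and `clone->std.properties` aliasing the source object's tables, and helper_free_storage now frees both through zend_object_std_dtor(). That ordering dependency deserves a comment, e.g. `/* must follow the memcpy: replaces the properties/guards pointers copied from the source object */`, so that a later reordering does not reintroduce shared pointers and a double free. helper_clone starts and ends outside the hunk.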
@@ -747,9 +745,7 @@ static zend_object_value helper_new(zend_class_entry *ce TSRMLS_DC)
helper = emalloc(sizeof(*helper));
memset(helper, 0, sizeof(*helper));
- ALLOC_HASHTABLE(helper->std.properties);
- zend_hash_init(helper->std.properties, 0, NULL, ZVAL_PTR_DTOR, 0);
- helper->std.ce = helper_ce;
+ zend_object_std_init(&helper->std, helper_ce TSRMLS_CC);
retval.handle = zend_objects_store_put(helper, NULL, helper_free_storage, helper_clone TSRMLS_CC);
retval.handlers = &helper_handlers;
@@ -1230,10 +1230,8 @@ static zend_object_value date_object_new_date(zend_class_entry *class_type TSRML
intern = emalloc(sizeof(php_date_obj));
memset(intern, 0, sizeof(php_date_obj));
- intern->std.ce = class_type;
- ALLOC_HASHTABLE(intern->std.properties);
- zend_hash_init(intern->std.properties, 0, NULL, ZVAL_PTR_DTOR, 0);
+ zend_object_std_init(&intern->std, class_type TSRMLS_CC);
zend_hash_copy(intern->std.properties, &class_type->default_properties, (copy_ctor_func_t) zval_add_ref, (void *) &tmp, sizeof(zval *));
retval.handle = zend_objects_store_put(intern, (zend_objects_store_dtor_t)zend_objects_destroy_object, (zend_objects_free_object_storage_t) date_object_free_storage_date, NULL TSRMLS_CC);
@@ -1250,10 +1248,8 @@ static zend_object_value date_object_new_timezone(zend_class_entry *class_type T
intern = emalloc(sizeof(php_timezone_obj));
memset(intern, 0, sizeof(php_timezone_obj));
- intern->std.ce = class_type;
- ALLOC_HASHTABLE(intern->std.properties);
- zend_hash_init(intern->std.properties, 0, NULL, ZVAL_PTR_DTOR, 0);
+ zend_object_std_init(&intern->std, class_type TSRMLS_CC);
zend_hash_copy(intern->std.properties, &class_type->default_properties, (copy_ctor_func_t) zval_add_ref, (void *) &tmp, sizeof(zval *));
retval.handle = zend_objects_store_put(intern, (zend_objects_store_dtor_t)zend_objects_destroy_object, (zend_objects_free_object_storage_t) date_object_free_storage_timezone, NULL TSRMLS_CC);
@@ -1273,25 +1269,15 @@ static void date_object_free_storage_date(void *object TSRMLS_DC)
timelib_time_dtor(intern->time);
}
- if (intern->std.properties) {
- zend_hash_destroy(intern->std.properties);
- efree(intern->std.properties);
- intern->std.properties = NULL;
- }
-
+ zend_object_std_dtor(&intern->std TSRMLS_CC);
efree(object);
}
static void date_object_free_storage_timezone(void *object TSRMLS_DC)
{
php_timezone_obj *intern = (php_timezone_obj *)object;
- if (intern->std.properties) {
- zend_hash_destroy(intern->std.properties);
- efree(intern->std.properties);
- intern->std.properties = NULL;
- }
-
+ zend_object_std_dtor(&intern->std TSRMLS_CC);
efree(object);
}
@@ -906,8 +906,7 @@ void dom_xpath_objects_free_storage(void *object TSRMLS_DC)
{
dom_object *intern = (dom_object *)object;
- zend_hash_destroy(intern->std.properties);
- FREE_HASHTABLE(intern->std.properties);
+ zend_object_std_dtor(&intern->std TSRMLS_CC);
if (intern->ptr != NULL) {
xmlXPathFreeContext((xmlXPathContextPtr) intern->ptr);
@@ -926,8 +925,7 @@ void dom_objects_free_storage(void *object TSRMLS_DC)
dom_object *intern = (dom_object *)object;
int retcount;
- zend_hash_destroy(intern->std.properties);
- FREE_HASHTABLE(intern->std.properties);
+ zend_object_std_dtor(&intern->std TSRMLS_CC);
if (intern->ptr != NULL && ((php_libxml_node_ptr *)intern->ptr)->node != NULL) {
if (((xmlNodePtr) ((php_libxml_node_ptr *)intern->ptr)->node)->type != XML_DOCUMENT_NODE && ((xmlNodePtr) ((php_libxml_node_ptr *)intern->ptr)->node)->type != XML_HTML_DOCUMENT_NODE) {
@@ -973,8 +971,6 @@ static dom_object* dom_objects_set_class(zend_class_entry *class_type, zend_bool
dom_object *intern;
intern = emalloc(sizeof(dom_object));
- intern->std.ce = class_type;
- intern->std.guards = NULL;
intern->ptr = NULL;
intern->prop_handler = NULL;
intern->document = NULL;
@@ -986,8 +982,7 @@ static dom_object* dom_objects_set_class(zend_class_entry *class_type, zend_bool
zend_hash_find(&classes, base_class->name, base_class->name_length + 1, (void **) &intern->prop_handler);
- ALLOC_HASHTABLE(intern->std.properties);
- zend_hash_init(intern->std.properties, 0, NULL, ZVAL_PTR_DTOR, 0);
+ zend_object_std_init(&intern->std, class_type TSRMLS_CC);
if (hash_copy) {
zend_hash_copy(intern->std.properties, &class_type->default_properties, (copy_ctor_func_t) zval_add_ref, (void *) &tmp, sizeof(zval *));
}
@@ -1092,8 +1087,7 @@ void dom_nnodemap_objects_free_storage(void *object TSRMLS_DC)
php_libxml_decrement_doc_ref((php_libxml_node_object *)intern TSRMLS_CC);
- zend_hash_destroy(intern->std.properties);
- FREE_HASHTABLE(intern->std.properties);
+ zend_object_std_dtor(&intern->std TSRMLS_CC);
efree(object);
}
@@ -123,8 +123,9 @@ void php_clear_mysql(MY_MYSQL *mysql) {
static void mysqli_objects_free_storage(zend_object *object TSRMLS_DC)
{
mysqli_object *intern = (mysqli_object *)object;
-
- zend_objects_free_object_storage(&(intern->zo) TSRMLS_CC);
+
+ zend_object_std_dtor(&intern->zo TSRMLS_CC);
+ efree(intern);
}
/* }}} */
@@ -332,8 +333,6 @@ PHP_MYSQLI_EXPORT(zend_object_value) mysqli_objects_new(zend_class_entry *class_
intern = emalloc(sizeof(mysqli_object));
memset(intern, 0, sizeof(mysqli_object));
- intern->zo.ce = class_type;
- intern->zo.guards = NULL;
intern->ptr = NULL;
intern->prop_handler = NULL;
@@ -345,8 +344,7 @@ PHP_MYSQLI_EXPORT(zend_object_value) mysqli_objects_new(zend_class_entry *class_
zend_hash_find(&classes, mysqli_base_class->name, mysqli_base_class->name_length + 1,
(void **) &intern->prop_handler);
- ALLOC_HASHTABLE(intern->zo.properties);
- zend_hash_init(intern->zo.properties, 0, NULL, ZVAL_PTR_DTOR, 0);
+ zend_object_std_init(&intern->std, class_type TSRMLS_CC);
zend_hash_copy(intern->zo.properties, &class_type->default_properties, (copy_ctor_func_t) zval_add_ref,
(void *) &tmp, sizeof(zval *));
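Review bot: `intern->std` on the added line does not match the rest of this file: the context line directly below reads `intern->zo.properties`, and mysqli_objects_free_storage in the earlier hunk passes `&intern->zo`. The embedded zend_object member of mysqli_object therefore appears to be named `zo`, and this call would fail to compile as written. It should read `zend_object_std_init(&intern->zo, class_type TSRMLS_CC);`. mysqli_objects_new starts and ends outside the hunk.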
@@ -240,9 +240,7 @@ static void reflection_objects_clone(void *object, void **object_clone TSRMLS_DC
reflection_object **intern_clone = (reflection_object **) object_clone;
*intern_clone = emalloc(sizeof(reflection_object));
- (*intern_clone)->zo.ce = intern->zo.ce;
- (*intern_clone)->zo.guards = NULL;
- ALLOC_HASHTABLE((*intern_clone)->zo.properties);
+ zend_object_std_init(&(*intern_clone)->zo, intern->zo.ce TSRMLS_CC);
(*intern_clone)->ptr = intern->ptr;
(*intern_clone)->free_ptr = intern->free_ptr;
(*intern_clone)->obj = intern->obj;
@@ -264,8 +262,7 @@ static zend_object_value reflection_objects_new(zend_class_entry *class_type TSR
intern->obj = NULL;
intern->free_ptr = 0;
- ALLOC_HASHTABLE(intern->zo.properties);
- zend_hash_init(intern->zo.properties, 0, NULL, ZVAL_PTR_DTOR, 0);
+ zend_object_std_init(&intern->zo, class_type TSRMLS_CC);
zend_hash_copy(intern->zo.properties, &class_type->default_properties, (copy_ctor_func_t) zval_add_ref, (void *) &tmp, sizeof(zval *));
retval.handle = zend_objects_store_put(intern, NULL, reflection_free_objects_storage, reflection_objects_clone TSRMLS_CC);
retval.handlers = &reflection_object_handlers;
@@ -1785,9 +1785,8 @@ static void sxe_object_free_storage(void *object TSRMLS_DC)
sxe = (php_sxe_object *) object;
- zend_hash_destroy(sxe->zo.properties);
- FREE_HASHTABLE(sxe->zo.properties);
-
+ zend_object_std_dtor(&sxe->zo TSRMLS_CC);
+
php_libxml_node_decrement_resource((php_libxml_node_object *)sxe TSRMLS_CC);
if (sxe->xpath) {
@@ -1810,14 +1809,12 @@ static php_sxe_object* php_sxe_object_new(zend_class_entry *ce TSRMLS_DC)
php_sxe_object *intern;
intern = ecalloc(1, sizeof(php_sxe_object));
- intern->zo.ce = ce;
intern->iter.type = SXE_ITER_NONE;
intern->iter.nsprefix = NULL;
intern->iter.name = NULL;
- ALLOC_HASHTABLE(intern->zo.properties);
- zend_hash_init(intern->zo.properties, 0, NULL, ZVAL_PTR_DTOR, 0);
+ zend_object_std_init(&intern->zo, ce TSRMLS_CC);
return intern;
}
@@ -103,8 +103,7 @@ static void spl_array_object_free_storage(void *object TSRMLS_DC)
{
spl_array_object *intern = (spl_array_object *)object;
- zend_hash_destroy(intern->std.properties);
- FREE_HASHTABLE(intern->std.properties);
+ zend_object_std_dtor(&intern->std TSRMLS_CC);
zval_ptr_dtor(&intern->array);
zval_ptr_dtor(&intern->retval);
@@ -124,12 +123,10 @@ static zend_object_value spl_array_object_new_ex(zend_class_entry *class_type, s
intern = emalloc(sizeof(spl_array_object));
memset(intern, 0, sizeof(spl_array_object));
- intern->std.ce = class_type;
*obj = intern;
ALLOC_INIT_ZVAL(intern->retval);
- ALLOC_HASHTABLE(intern->std.properties);
- zend_hash_init(intern->std.properties, 0, NULL, ZVAL_PTR_DTOR, 0);
+ zend_object_std_init(&intern->std, class_type TSRMLS_CC);
zend_hash_copy(intern->std.properties, &class_type->default_properties, (copy_ctor_func_t) zval_add_ref, (void *) &tmp, sizeof(zval *));
intern->ar_flags = 0;
@@ -73,9 +73,9 @@ static void spl_filesystem_object_free_storage(void *object TSRMLS_DC) /* {{{ */
if (intern->oth_handler && intern->oth_handler->dtor) {
intern->oth_handler->dtor(intern TSRMLS_CC);
}
- zend_hash_destroy(intern->std.properties);
- FREE_HASHTABLE(intern->std.properties);
-
+
+ zend_object_std_dtor(&intern->std TSRMLS_CC);
+
if (intern->path) {
efree(intern->path);
}
@@ -132,14 +132,12 @@ static zend_object_value spl_filesystem_object_new_ex(zend_class_entry *class_ty
intern = emalloc(sizeof(spl_filesystem_object));
memset(intern, 0, sizeof(spl_filesystem_object));
- intern->std.ce = class_type;
/* intern->type = SPL_FS_INFO; done by set 0 */
intern->file_class = spl_ce_SplFileObject;
intern->info_class = spl_ce_SplFileInfo;
if (obj) *obj = intern;
- ALLOC_HASHTABLE(intern->std.properties);
- zend_hash_init(intern->std.properties, 0, NULL, ZVAL_PTR_DTOR, 0);
+ zend_object_std_init(&intern->std, class_type TSRMLS_CC);
zend_hash_copy(intern->std.properties, &class_type->default_properties, (copy_ctor_func_t) zval_add_ref, (void *) &tmp, sizeof(zval *));
retval.handle = zend_objects_store_put(intern, (zend_objects_store_dtor_t) zend_objects_destroy_object, (zend_objects_free_object_storage_t) spl_filesystem_object_free_storage, NULL TSRMLS_CC);
@@ -670,8 +670,7 @@ static void spl_RecursiveIteratorIterator_free_storage(void *_object TSRMLS_DC)
object->iterators = NULL;
}
- zend_hash_destroy(object->std.properties);
- FREE_HASHTABLE(object->std.properties);
+ zend_object_std_dtor(&object->std TSRMLS_CC);
efree(object);
}
@@ -686,10 +685,8 @@ static zend_object_value spl_RecursiveIteratorIterator_new(zend_class_entry *cla
intern = emalloc(sizeof(spl_recursive_it_object));
memset(intern, 0, sizeof(spl_recursive_it_object));
- intern->std.ce = class_type;
- ALLOC_HASHTABLE(intern->std.properties);
- zend_hash_init(intern->std.properties, 0, NULL, ZVAL_PTR_DTOR, 0);
+ zend_object_std_init(&intern->std, class_type TSRMLS_CC);
zend_hash_copy(intern->std.properties, &class_type->default_properties, (copy_ctor_func_t) zval_add_ref, (void *) &tmp, sizeof(zval *));
retval.handle = zend_objects_store_put(intern, (zend_objects_store_dtor_t)zend_objects_destroy_object, (zend_objects_free_object_storage_t) spl_RecursiveIteratorIterator_free_storage, NULL TSRMLS_CC);
@@ -1271,8 +1268,7 @@ static inline void spl_dual_it_free_storage(void *_object TSRMLS_DC)
zval_ptr_dtor(&object->u.append.zarrayit);
}
- zend_hash_destroy(object->std.properties);
- FREE_HASHTABLE(object->std.properties);
+ zend_object_std_dtor(&object->std TSRMLS_CC);
efree(object);
}
@@ -1287,11 +1283,9 @@ static zend_object_value spl_dual_it_new(zend_class_entry *class_type TSRMLS_DC)
intern = emalloc(sizeof(spl_dual_it_object));
memset(intern, 0, sizeof(spl_dual_it_object));
- intern->std.ce = class_type;
intern->dit_type = DIT_Unknown;
- ALLOC_HASHTABLE(intern->std.properties);
- zend_hash_init(intern->std.properties, 0, NULL, ZVAL_PTR_DTOR, 0);
+ zend_object_std_init(&intern->std, class_type TSRMLS_CC);
zend_hash_copy(intern->std.properties, &class_type->default_properties, (copy_ctor_func_t) zval_add_ref, (void *) &tmp, sizeof(zval *));
retval.handle = zend_objects_store_put(intern, (zend_objects_store_dtor_t)zend_objects_destroy_object, (zend_objects_free_object_storage_t) spl_dual_it_free_storage, NULL TSRMLS_CC);
@@ -85,9 +85,8 @@ void spl_SplOjectStorage_free_storage(void *object TSRMLS_DC) /* {{{ */
{
spl_SplObjectStorage *intern = (spl_SplObjectStorage *)object;
- zend_hash_destroy(intern->std.properties);
- FREE_HASHTABLE(intern->std.properties);
-
+ zend_object_std_dtor(&intern->std TSRMLS_CC);
+
zend_hash_destroy(&intern->storage);
efree(object);
@@ -101,11 +100,9 @@ static zend_object_value spl_object_storage_new_ex(zend_class_entry *class_type,
intern = emalloc(sizeof(spl_SplObjectStorage));
memset(intern, 0, sizeof(spl_SplObjectStorage));
- intern->std.ce = class_type;
*obj = intern;
- ALLOC_HASHTABLE(intern->std.properties);
- zend_hash_init(intern->std.properties, 0, NULL, ZVAL_PTR_DTOR, 0);
+ zend_object_std_init(&intern->std, class_type TSRMLS_CC);
zend_hash_copy(intern->std.properties, &class_type->default_properties, (copy_ctor_func_t) zval_add_ref, (void *) &tmp, sizeof(zval *));
zend_hash_init(&intern->storage, 0, NULL, ZVAL_PTR_DTOR, 0);