Fix bug #69227 and #65967 #1175
Conversation
This patch fixes a use (in zend_gc.c) after free (in spl_observer.c). See https://bugs.php.net/bug.php?id=69227
|
from my first glance, I don't think this could fixed bug 69227 , because you still erealloc (free previously allocated zval*[]) while doing recursively call to get_gc.. |
|
but maybe your are right, it only do realloc while elements are changed... |
|
@laruence the realloc should only ever get triggered on the first call, or after modification of the collection, never during a gc run. |
|
@vektah Anyway, this break ABI BC... and SPL is used by some exts, so maybe could only goes into PHP 7 even if it is works.. that means, we still needs some ugly fix for 5.x |
|
hmm, after a second thought , I think it's okey, only appending... thanks... this seems much better than previouse ugly hack |
| Z_ARRVAL_P(gcdata_arr)->pDestructor = NULL; | ||
| if (requiredLength > intern->gcdata_len) { | ||
| if (intern->gcdata_len > 0) { | ||
| efree(intern->gcdata); |
There was a problem hiding this comment.
why efree here, you use erealloc blow anyway.
There was a problem hiding this comment.
Initially I was doing free/emalloc. Missed it when I switched to erealloc. Oops!
| @@ -86,6 +86,8 @@ typedef struct _spl_SplObjectStorage { /* {{{ */ | |||
| long flags; | |||
| zend_function *fptr_get_hash; | |||
| HashTable *debug_info; | |||
| zval **gcdata; | |||
| long gcdata_len; | |||
There was a problem hiding this comment.
Do you mean count? length seems not a good name for this.
|
merged after a little improvement, thanks |
|
@laruence Should this be |
|
@vektah yeah, it was a typo, fixed, thanks |
See https://bugs.php.net/bug.php?id=69227
The old:
SplObjectStorage had a get_gc method that returns SplObjectStorage->properties. A hidden
\x00gcdataproperty is added as an array so the gc can iterate over the contents of the collection. This was added to address https://bugs.php.net/bug.php?id=53071.When a SplObjectStorage has a reference to itself in its collection (directly or indirectly) the gc will fetch a copy of gcdata, then going depth first into its children it hits itself a second time at which point it truncates the existing gcdata hash and fills it with the same data. This frees the pointer being held by the first pass of gcdata. Use after free ensues.
The new:
This patch removes the hidden
\x00gcdataproperty from SplObjectStorage, replacing it with a list of zval*'s. Unlike a linked list updating the contents of a flat array does not invalidate the callers reference. Also the values never really change as the underlying collection does not change during gcThis fixes the free after use, and other bugs resulting from gcdata being a property (eg https://bugs.php.net/bug.php?id=65967)
This is broken in 5.* and master, but master will require a different patch as the gc has changed a little.