mirror of https://github.com/php/php-src.git synced 2026-04-29 11:13:36 +02:00

Fixed a potential segfault in zend_objects_store_free_object_storage()

Under the special circumstance where a garbage-collected object's bucket slot was not reused until the end of the script, we get access into freed memory...
No test added, as it is usually valgrind-only; only sometimes, when the memory happens to have changed (i.e. (GC_FLAGS(obj) & IS_OBJ_FREE_CALLED) == 0), it actually *may* segfault.
This commit is contained in:
Bob Weinand
2016-07-27 18:08:43 +02:00
parent 23c359c276
commit 5513f00a97
2 changed files with 3 additions and 0 deletions
@@ -20,6 +20,8 @@ PHP NEWS
phpize). (Yuji Uchiyama)
. Fixed bug #72641 (phpize (on Windows) ignores PHP_PREFIX).
(Yuji Uchiyama)
. Fixed potential segfault in object storage freeing in shutdown sequence.
(Bob)
- COM:
. Fixed bug #72569 (DOTNET/COM array parameters broke in PHP7). (Anatol)
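Review bot: the new NEWS entry ". Fixed potential segfault in object storage freeing in shutdown sequence." does not name the affected function, while the commit title does; consider wording it as "Fixed potential segfault in zend_objects_store_free_object_storage() during shutdown" so readers of NEWS can match it to the code change, and spell out the author as "(Bob Weinand)" to match the full-name credit style of the neighbouring "(Yuji Uchiyama)" entries.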
@@ -1097,6 +1097,7 @@ ZEND_API int zend_gc_collect_cycles(void)
if (EG(objects_store).object_buckets &&
IS_OBJ_VALID(EG(objects_store).object_buckets[obj->handle])) {
EG(objects_store).object_buckets[obj->handle] = SET_OBJ_INVALID(obj);
GC_TYPE(obj) = IS_NULL;
if (!(GC_FLAGS(obj) & IS_OBJ_FREE_CALLED)) {
GC_FLAGS(obj) |= IS_OBJ_FREE_CALLED;
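Review bot: the added `GC_TYPE(obj) = IS_NULL;` carries no comment explaining why the type is reset right after `SET_OBJ_INVALID(obj)`, and the rationale (the bucket slot may never be reused before shutdown, so the shutdown free routine must not treat the slot as a live object) exists only in the commit message; add a one-line comment at that point, e.g. `/* slot may stay unused until shutdown; mark type so free_object_storage() skips it */`, so the next person touching this block understands the ordering. Since the commit message states no test was added because the bug is valgrind-only, note in the commit message or the comment that the existing object-destruction tests should be run under valgrind (USE_ZEND_ALLOC=0) to cover this path.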