From 8ff2b6abb2cd0993f6c5c60e25feba094cdb6272 Mon Sep 17 00:00:00 2001 From: Niels Dossche <7771979+nielsdos@users.noreply.github.com> Date: Thu, 5 Jan 2023 22:11:15 +0100 Subject: [PATCH 1/2] Fix GH-9710: phpdbg memory leaks by option "-h" Closes GH-10237 Signed-off-by: George Peter Banyard --- NEWS | 1 + sapi/phpdbg/phpdbg.c | 2 ++ 2 files changed, 3 insertions(+) diff --git a/NEWS b/NEWS index 76c801f136a..24b7c9a9e70 100644 --- a/NEWS +++ b/NEWS @@ -33,6 +33,7 @@ PHP NEWS - PHPDBG: . Fix undefined behaviour in phpdbg_load_module_or_extension(). (nielsdos) . Fix NULL pointer dereference in phpdbg_create_conditional_breal(). (nielsdos) + . Fix GH-9710: phpdbg memory leaks by option "-h" (nielsdos) - Posix: . Fix memory leak in posix_ttyname() (girgias) diff --git a/sapi/phpdbg/phpdbg.c b/sapi/phpdbg/phpdbg.c index 221803f88e7..e1824ecb1fc 100644 --- a/sapi/phpdbg/phpdbg.c +++ b/sapi/phpdbg/phpdbg.c @@ -1414,6 +1414,8 @@ phpdbg_main: get_zend_version() ); } + PHPDBG_G(flags) |= PHPDBG_IS_QUITTING; + php_module_shutdown(); sapi_deactivate(); sapi_shutdown(); if (ini_entries) { From d03025bf590dc03b69e75d1159ed4b2e6ee6ad37 Mon Sep 17 00:00:00 2001 From: Niels Dossche <7771979+nielsdos@users.noreply.github.com> Date: Sat, 7 Jan 2023 13:49:24 +0100 Subject: [PATCH 2/2] Fix GH-10251: Assertion `(flag & (1<<3)) == 0' failed. zend_get_property_guard previously assumed that at least "str" has a pre-computed hash. This is not always the case, for example when a string is created by bitwise operations, its hash is not set. Instead of forcing a computation of the hashes, drop the hash comparison. Closes GH-10254 Co-authored-by: Changochen Signed-off-by: George Peter Banyard --- NEWS | 1 + Zend/tests/gh10251.phpt | 24 ++++++++++++++++++++++++ Zend/zend_object_handlers.c | 5 ++--- 3 files changed, 27 insertions(+), 3 deletions(-) create mode 100644 Zend/tests/gh10251.phpt diff --git a/NEWS b/NEWS index 24b7c9a9e70..ad29b8f6118 100644 --- a/NEWS +++ b/NEWS 
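Review bot: In the sapi/phpdbg/phpdbg.c hunk, the two added lines carry no comment saying why `PHPDBG_IS_QUITTING` has to be set before `php_module_shutdown()`, or why module shutdown now runs ahead of the existing `sapi_deactivate()`/`sapi_shutdown()` pair. The leak fix depends on that ordering, so I would put something like `/* Early exit after printing help/version: flag the quit first, then release what module startup allocated. */` above them; that wording is inferred from the commit title, so check it against what the flag actually gates. The hunk shows only part of this exit path, so it is also worth confirming that `sapi_deactivate()` does not read state that `php_module_shutdown()` has already torn down. The diffstat lists only NEWS and phpdbg.c; a regression test that invokes phpdbg with `-h` under a leak-checking build would keep the leak from coming back unnoticed.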
@@ -8,6 +8,7 @@ PHP NEWS - Core: . Fixed bug GH-10072 (PHP crashes when execute_ex is overridden and a __call trampoline is used from internal code). (Derick) + . Fix GH-10251 (Assertion `(flag & (1<<3)) == 0' failed). (nielsdos) - Date: . Fixed bug GH-9891 (DateTime modify with unixtimestamp (@) must work like diff --git a/Zend/tests/gh10251.phpt b/Zend/tests/gh10251.phpt new file mode 100644 index 00000000000..eb942824802 --- /dev/null +++ b/Zend/tests/gh10251.phpt @@ -0,0 +1,24 @@ +--TEST-- +GH-10251 (Assertion `(flag & (1<<3)) == 0' failed.) +--FILE-- +$p = $v; + } +} +$a = new A(); +$pp = ""; +$op = $pp & ""; +// Bitwise operators on strings don't compute the hash. +// The code below previously assumed a hash was actually computed, leading to a crash. +$a->$op = 0; +echo "Done\n"; +?> +--EXPECTF-- +Warning: Undefined variable $v in %s on line %d + +Warning: Undefined variable $p in %s on line %d +Done diff --git a/Zend/zend_object_handlers.c b/Zend/zend_object_handlers.c index 5fa80c1adc5..e4ae4450b53 100644 --- a/Zend/zend_object_handlers.c +++ b/Zend/zend_object_handlers.c @@ -535,9 +535,8 @@ ZEND_API uint32_t *zend_get_property_guard(zend_object *zobj, zend_string *membe if (EXPECTED(Z_TYPE_P(zv) == IS_STRING)) { zend_string *str = Z_STR_P(zv); if (EXPECTED(str == member) || - /* "str" always has a pre-calculated hash value here */ - (EXPECTED(ZSTR_H(str) == zend_string_hash_val(member)) && - EXPECTED(zend_string_equal_content(str, member)))) { + /* str and member don't necessarily have a pre-calculated hash value here */ + EXPECTED(zend_string_equal_content(str, member))) { return &Z_PROPERTY_GUARD_P(zv); } else if (EXPECTED(Z_PROPERTY_GUARD_P(zv) == 0)) { zval_ptr_dtor_str(zv);
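Review bot: With the hash comparison gone, the condition in the Zend/zend_object_handlers.c hunk is a pointer check followed by a content check, which is what `zend_string_equals()` already does, so the two clauses could be written as `if (EXPECTED(zend_string_equals(str, member))) {`. The new comment says what is no longer assumed but not why. Something like `/* Compare contents only: strings built at runtime (e.g. by bitwise string operators) may have no cached hash, so ZSTR_H() must not be read here. */` would stop the next reader from reintroducing the hash shortcut. zend_get_property_guard() starts before and continues after this hunk, so whether other branches still read `ZSTR_H()` directly cannot be checked from here.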