php/archived-php-src
1
0
Fork 0
mirror of https://github.com/php/php-src.git synced 2026-03-30 04:02:19 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'PHP-7.1'

Browse Source 
* PHP-7.1:
  Fixed segfault introduced in 447e57a1e1
  Remove outdate checks

Conflicts:
	ext/opcache/Optimizer/zend_inference.c
This commit is contained in:
Xinchen Hui
2016-08-18 15:39:23 +08:00
parent 9468016a5b 66a527b8c1
commit eefe3ec786
3 changed files with 11 additions and 20 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
ext/opcache/Optimizer/zend_inference.c
View File

@@ -3695,12 +3695,14 @@ static zend_bool can_convert_to_double(
static int zend_type_narrowing(const zend_op_array *op_array, const zend_script *script, zend_ssa *ssa)
{
uint32_t bitset_len = zend_bitset_len(ssa->vars_count);
ALLOCA_FLAG(use_heap)
zend_bitset visited = ZEND_BITSET_ALLOCA(2 * bitset_len, use_heap);
zend_bitset worklist = visited + bitset_len;
zend_bitset visited, worklist;
int i, v;
zend_op *opline;
zend_bool narrowed = 0;
ALLOCA_FLAG(use_heap)
visited = ZEND_BITSET_ALLOCA(2 * bitset_len, use_heap);
worklist = visited + bitset_len;
zend_bitset_clear(worklist, bitset_len);

16
ext/session/session.c
View File

@@ -835,7 +835,6 @@ PS_SERIALIZER_DECODE_FUNC(php_binary) /* {{{ */
PHP_VAR_UNSERIALIZE_INIT(var_hash);
for (p = val; p < endptr; ) {
zval *tmp;
skip = 0;
namelen = ((unsigned char)(*p)) & (~PS_BIN_UNDEF);
@@ -850,13 +849,6 @@ PS_SERIALIZER_DECODE_FUNC(php_binary) /* {{{ */
p += namelen + 1;
if ((tmp = zend_hash_find(&EG(symbol_table), name))) {
if ((Z_TYPE_P(tmp) == IS_ARRAY &&
Z_ARRVAL_P(tmp) == &EG(symbol_table)) || tmp == &PS(http_session_vars)) {
skip = 1;
}
}
if (has_value) {
zval *current, rv;
current = var_tmp_var(&var_hash);
@@ -933,7 +925,6 @@ PS_SERIALIZER_DECODE_FUNC(php) /* {{{ */
p = val;
while (p < endptr) {
zval *tmp;
q = p;
skip = 0;
while (*q != PS_DELIMITER) {
@@ -950,13 +941,6 @@ PS_SERIALIZER_DECODE_FUNC(php) /* {{{ */
name = zend_string_init(p, namelen, 0);
q++;
if ((tmp = zend_hash_find(&EG(symbol_table), name))) {
if ((Z_TYPE_P(tmp) == IS_ARRAY &&
Z_ARRVAL_P(tmp) == &EG(symbol_table)) || tmp == &PS(http_session_vars)) {
skip = 1;
}
}
if (has_value) {
zval *current, rv;
current = var_tmp_var(&var_hash);

7
ext/session/tests/bug72681.phpt
View File

@@ -6,12 +6,17 @@ Bug #72681: PHP Session Data Injection Vulnerability
<?php
ini_set('session.serialize_handler', 'php');
session_start();
$GLOBALS['ryat'] = $GLOBALS;
$GLOBALS['ryat'] = $_SESSION;
$_SESSION['ryat'] = 'ryat|O:8:"stdClass":0:{}';
session_write_close();
session_start();
var_dump($ryat);
var_dump($_SESSION);
?>
--EXPECT--
array(0) {
}
array(1) {
["ryat"]=>
string(24) "ryat|O:8:"stdClass":0:{}"
}