php/archived-php-src
1
0
Fork 0
mirror of https://github.com/php/php-src.git synced 2026-03-24 00:02:20 +01:00
Code Issues Packages Projects Releases Wiki Activity

ext/pdo: Fix zend_object std layout for _pdo_row_t (#17606)

Browse Source 
As of PHP 7 [1] the `std` should be at the end of the struct instead of at the beginning.

See GH-17598 for more UB related details.

[1] https://www.npopov.com/2015/06/19/Internal-value-representation-in-PHP-7-part-2.html#objects-in-php-7
This commit is contained in:
Gina Peter Banyard
2025-01-29 12:50:01 +00:00
committed by GitHub
parent 0a14ab18d2
commit b667939b57
2 changed files with 12 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
ext/pdo/pdo_stmt.c
View File

@@ -2267,7 +2267,7 @@ static zval *row_read_column_number(pdo_stmt_t *stmt, zend_long column, zval *rv
static zval *row_prop_read(zend_object *object, zend_string *name, int type, void **cache_slot, zval *rv)
{
pdo_row_t *row = (pdo_row_t *)object;
pdo_row_t *row = php_pdo_row_fetch_object(object);
pdo_stmt_t *stmt = row->stmt;
zend_long lval;
zval *retval;
@@ -2304,7 +2304,7 @@ static zval *row_dim_read(zend_object *object, zval *offset, int type, zval *rv)
return NULL;
}
if (Z_TYPE_P(offset) == IS_LONG) {
pdo_row_t *row = (pdo_row_t *)object;
pdo_row_t *row = php_pdo_row_fetch_object(object);
pdo_stmt_t *stmt = row->stmt;
ZEND_ASSERT(stmt);
@@ -2342,7 +2342,7 @@ static void row_dim_write(zend_object *object, zval *member, zval *value)
// todo: make row_prop_exists return bool as well
static int row_prop_exists(zend_object *object, zend_string *name, int check_empty, void **cache_slot)
{
pdo_row_t *row = (pdo_row_t *)object;
pdo_row_t *row = php_pdo_row_fetch_object(object);
pdo_stmt_t *stmt = row->stmt;
zend_long lval;
zval tmp_val;
@@ -2370,7 +2370,7 @@ static int row_prop_exists(zend_object *object, zend_string *name, int check_emp
static int row_dim_exists(zend_object *object, zval *offset, int check_empty)
{
if (Z_TYPE_P(offset) == IS_LONG) {
pdo_row_t *row = (pdo_row_t *)object;
pdo_row_t *row = php_pdo_row_fetch_object(object);
pdo_stmt_t *stmt = row->stmt;
ZEND_ASSERT(stmt);
zend_long column = Z_LVAL_P(offset);
@@ -2411,7 +2411,7 @@ static void row_dim_delete(zend_object *object, zval *offset)
static HashTable *row_get_properties_for(zend_object *object, zend_prop_purpose purpose)
{
pdo_row_t *row = (pdo_row_t *)object;
pdo_row_t *row = php_pdo_row_fetch_object(object);
pdo_stmt_t *stmt = row->stmt;
HashTable *props;
int i;
@@ -2453,7 +2453,7 @@ static zval *pdo_row_get_property_ptr_ptr(zend_object *object, zend_string *name
void pdo_row_free_storage(zend_object *std)
{
pdo_row_t *row = (pdo_row_t *)std;
pdo_row_t *row = php_pdo_row_fetch_object(std);
if (row->stmt) {
ZVAL_UNDEF(&row->stmt->lazy_object_ref);
OBJ_RELEASE(&row->stmt->std);
@@ -2490,6 +2490,7 @@ void pdo_stmt_init(void)
pdo_row_ce->default_object_handlers = &pdo_row_object_handlers;
memcpy(&pdo_row_object_handlers, &std_object_handlers, sizeof(zend_object_handlers));
pdo_row_object_handlers.offset = XtOffsetOf(pdo_row_t, std);
pdo_row_object_handlers.free_obj = pdo_row_free_storage;
pdo_row_object_handlers.clone_obj = NULL;
pdo_row_object_handlers.get_property_ptr_ptr = pdo_row_get_property_ptr_ptr;

6
ext/pdo/php_pdo_driver.h
View File

@@ -643,10 +643,14 @@ static inline pdo_stmt_t *php_pdo_stmt_fetch_object(zend_object *obj) {
#define Z_PDO_STMT_P(zv) php_pdo_stmt_fetch_object(Z_OBJ_P((zv)))
struct _pdo_row_t {
zend_object std;
pdo_stmt_t *stmt;
zend_object std;
};
static inline pdo_row_t *php_pdo_row_fetch_object(zend_object *obj) {
return (pdo_row_t *)((char*)(obj) - XtOffsetOf(pdo_row_t, std));
}
struct _pdo_scanner_t {
const char *ptr, *cur, *tok, *end;
};