php/archived-php-src
1
0
Fork 0
mirror of https://github.com/php/php-src.git synced 2026-03-24 00:02:20 +01:00
Code Issues Packages Projects Releases Wiki Activity

Fix GH-16054: Segmentation fault when resizing hash table iterator list while adding

Browse Source 
zend_array_dup_ht_iterators() loops over the hash table iterators and
can call zend_hash_iterator_add(). zend_hash_iterator_add() can resize
the array causing a crash in zend_array_dup_ht_iterators().

We solve this by refetching the iter pointer after an add happened.

Closes GH-16060.
This commit is contained in:
Niels Dossche
2024-09-25 18:51:14 +02:00
parent 68d494d690
commit fdd6ba62bb
3 changed files with 26 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
NEWS
View File

@@ -2,6 +2,10 @@ PHP NEWS
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
?? ??? ????, PHP 8.3.13
- Core:
. Fixed bug GH-16054 (Segmentation fault when resizing hash table iterator
list while adding). (nielsdos)
- DOM:
. Fixed bug GH-16039 (Segmentation fault (access null pointer) in
ext/dom/parentnode/tree.c). (nielsdos)

11
Zend/zend_hash.c
View File

@@ -2346,17 +2346,20 @@ static zend_always_inline bool zend_array_dup_element(HashTable *source, HashTab
// We need to duplicate iterators to be able to search through all copy-on-write copies to find the actually iterated HashTable and position back
static void zend_array_dup_ht_iterators(HashTable *source, HashTable *target) {
HashTableIterator *iter = EG(ht_iterators);
HashTableIterator *end = iter + EG(ht_iterators_used);
uint32_t iter_index = 0;
uint32_t end_index = EG(ht_iterators_used);
while (iter != end) {
while (iter_index != end_index) {
HashTableIterator *iter = &EG(ht_iterators)[iter_index];
if (iter->ht == source) {
uint32_t copy_idx = zend_hash_iterator_add(target, iter->pos);
/* Refetch iter because the memory may be reallocated. */
iter = &EG(ht_iterators)[iter_index];
HashTableIterator *copy_iter = EG(ht_iterators) + copy_idx;
copy_iter->next_copy = iter->next_copy;
iter->next_copy = copy_idx;
}
iter++;
iter_index++;
}
}

15
ext/spl/tests/gh16054.phpt Normal file
View File

@@ -0,0 +1,15 @@
--TEST--
GH-16054 (Segmentation fault when resizing hash table iterator list while adding)
--FILE--
<?php
$multi_array = ['zero'];
$multi_array[] =& $multi_array;
$it = new RecursiveTreeIterator(new RecursiveArrayIterator($multi_array), 0);
$counter = 0;
foreach ($it as $k => $v) {
if (++$counter > 200) break;
}
echo "ok\n";
?>
--EXPECT--
ok