Skip to content

Commit b025b9d

Browse files
johannesjohannes
committed
Fix #62432 ReflectionMethod random corrupt memory on high concurrent
This fixes the same issue in multiple extensions. This isn't needed in later branches as 5.4 introduced object_properties_init()
1 parent 4662151 commit b025b9d

File tree

21 files changed

+27
-25
lines changed

21 files changed

+27
-25
lines changed

NEWS

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -12,6 +12,8 @@ PHP NEWS
1212
. Fixed CVE-2012-2143. (Solar Designer)
1313
. Fixed potential overflow in _php_stream_scandir. (Jason Powell,
1414
Stas)
15+
. Fixed bug #62432 (ReflectionMethod random corrupt memory on high
16+
concurrent). (Johannes)
1517

1618
- Fileinfo:
1719
. Fixed magic file regex support. (Felipe)

ext/date/php_date.c

Lines changed: 4 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -2035,7 +2035,7 @@ static inline zend_object_value date_object_new_date_ex(zend_class_entry *class_
20352035
}
20362036

20372037
zend_object_std_init(&intern->std, class_type TSRMLS_CC);
2038-
zend_hash_copy(intern->std.properties, &class_type->default_properties, (copy_ctor_func_t) zval_add_ref, (void *) &tmp, sizeof(zval *));
2038+
zend_hash_copy(intern->std.properties, &class_type->default_properties, (copy_ctor_func_t) zval_property_ctor, (void *) &tmp, sizeof(zval *));
20392039

20402040
retval.handle = zend_objects_store_put(intern, (zend_objects_store_dtor_t)zend_objects_destroy_object, (zend_objects_free_object_storage_t) date_object_free_storage_date, NULL TSRMLS_CC);
20412041
retval.handlers = &date_object_handlers_date;
@@ -2159,7 +2159,7 @@ static inline zend_object_value date_object_new_timezone_ex(zend_class_entry *cl
21592159
}
21602160

21612161
zend_object_std_init(&intern->std, class_type TSRMLS_CC);
2162-
zend_hash_copy(intern->std.properties, &class_type->default_properties, (copy_ctor_func_t) zval_add_ref, (void *) &tmp, sizeof(zval *));
2162+
zend_hash_copy(intern->std.properties, &class_type->default_properties, (copy_ctor_func_t) zval_property_ctor, (void *) &tmp, sizeof(zval *));
21632163

21642164
retval.handle = zend_objects_store_put(intern, (zend_objects_store_dtor_t)zend_objects_destroy_object, (zend_objects_free_object_storage_t) date_object_free_storage_timezone, NULL TSRMLS_CC);
21652165
retval.handlers = &date_object_handlers_timezone;
@@ -2215,7 +2215,7 @@ static inline zend_object_value date_object_new_interval_ex(zend_class_entry *cl
22152215
}
22162216

22172217
zend_object_std_init(&intern->std, class_type TSRMLS_CC);
2218-
zend_hash_copy(intern->std.properties, &class_type->default_properties, (copy_ctor_func_t) zval_add_ref, (void *) &tmp, sizeof(zval *));
2218+
zend_hash_copy(intern->std.properties, &class_type->default_properties, (copy_ctor_func_t) zval_property_ctor, (void *) &tmp, sizeof(zval *));
22192219

22202220
retval.handle = zend_objects_store_put(intern, (zend_objects_store_dtor_t)zend_objects_destroy_object, (zend_objects_free_object_storage_t) date_object_free_storage_interval, NULL TSRMLS_CC);
22212221
retval.handlers = &date_object_handlers_interval;
@@ -2291,7 +2291,7 @@ static inline zend_object_value date_object_new_period_ex(zend_class_entry *clas
22912291
}
22922292

22932293
zend_object_std_init(&intern->std, class_type TSRMLS_CC);
2294-
zend_hash_copy(intern->std.properties, &class_type->default_properties, (copy_ctor_func_t) zval_add_ref, (void *) &tmp, sizeof(zval *));
2294+
zend_hash_copy(intern->std.properties, &class_type->default_properties, (copy_ctor_func_t) zval_property_ctor, (void *) &tmp, sizeof(zval *));
22952295

22962296
retval.handle = zend_objects_store_put(intern, (zend_objects_store_dtor_t)zend_objects_destroy_object, (zend_objects_free_object_storage_t) date_object_free_storage_period, NULL TSRMLS_CC);
22972297
retval.handlers = &date_object_handlers_period;

ext/fileinfo/fileinfo.c

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -104,7 +104,7 @@ PHP_FILEINFO_API zend_object_value finfo_objects_new(zend_class_entry *class_typ
104104
memset(intern, 0, sizeof(struct finfo_object));
105105

106106
zend_object_std_init(&intern->zo, class_type TSRMLS_CC);
107-
zend_hash_copy(intern->zo.properties, &class_type->default_properties, (copy_ctor_func_t) zval_add_ref,(void *) &tmp, sizeof(zval *));
107+
zend_hash_copy(intern->zo.properties, &class_type->default_properties, (copy_ctor_func_t) zval_property_ctor,(void *) &tmp, sizeof(zval *));
108108

109109
intern->ptr = NULL;
110110

ext/pdo/pdo_dbh.c

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1580,7 +1580,7 @@ zend_object_value pdo_dbh_new(zend_class_entry *ce TSRMLS_DC)
15801580
dbh->refcount = 1;
15811581
ALLOC_HASHTABLE(dbh->properties);
15821582
zend_hash_init(dbh->properties, 0, NULL, ZVAL_PTR_DTOR, 0);
1583-
zend_hash_copy(dbh->properties, &ce->default_properties, (copy_ctor_func_t) zval_add_ref, (void *) &tmp, sizeof(zval *));
1583+
zend_hash_copy(dbh->properties, &ce->default_properties, (copy_ctor_func_t) zval_property_ctor, (void *) &tmp, sizeof(zval *));
15841584
dbh->def_stmt_ce = pdo_dbstmt_ce;
15851585

15861586
retval.handle = zend_objects_store_put(dbh, (zend_objects_store_dtor_t)zend_objects_destroy_object, (zend_objects_free_object_storage_t)pdo_dbh_free_storage, NULL TSRMLS_CC);

ext/pdo/pdo_stmt.c

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -2466,7 +2466,7 @@ zend_object_value pdo_dbstmt_new(zend_class_entry *ce TSRMLS_DC)
24662466
stmt->refcount = 1;
24672467
ALLOC_HASHTABLE(stmt->properties);
24682468
zend_hash_init(stmt->properties, 0, NULL, ZVAL_PTR_DTOR, 0);
2469-
zend_hash_copy(stmt->properties, &ce->default_properties, (copy_ctor_func_t) zval_add_ref, (void *) &tmp, sizeof(zval *));
2469+
zend_hash_copy(stmt->properties, &ce->default_properties, (copy_ctor_func_t) zval_property_ctor, (void *) &tmp, sizeof(zval *));
24702470

24712471
retval.handle = zend_objects_store_put(stmt, (zend_objects_store_dtor_t)zend_objects_destroy_object, (zend_objects_free_object_storage_t)pdo_dbstmt_free_storage, (zend_objects_store_clone_t)dbstmt_clone_obj TSRMLS_CC);
24722472
retval.handlers = &pdo_dbstmt_object_handlers;

ext/reflection/php_reflection.c

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -314,7 +314,7 @@ static zend_object_value reflection_objects_new(zend_class_entry *class_type TSR
314314
intern->zo.ce = class_type;
315315

316316
zend_object_std_init(&intern->zo, class_type TSRMLS_CC);
317-
zend_hash_copy(intern->zo.properties, &class_type->default_properties, (copy_ctor_func_t) zval_add_ref, (void *) &tmp, sizeof(zval *));
317+
zend_hash_copy(intern->zo.properties, &class_type->default_properties, (copy_ctor_func_t) zval_property_ctor, (void *) &tmp, sizeof(zval *));
318318
retval.handle = zend_objects_store_put(intern, NULL, reflection_free_objects_storage, NULL TSRMLS_CC);
319319
retval.handlers = &reflection_object_handlers;
320320
return retval;

ext/soap/soap.c

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1265,7 +1265,7 @@ PHP_METHOD(SoapServer, SoapServer)
12651265

12661266
ALLOC_HASHTABLE(service->class_map);
12671267
zend_hash_init(service->class_map, zend_hash_num_elements((*tmp)->value.ht), NULL, ZVAL_PTR_DTOR, 0);
1268-
zend_hash_copy(service->class_map, (*tmp)->value.ht, (copy_ctor_func_t) zval_add_ref, (void *) &ztmp, sizeof(zval *));
1268+
zend_hash_copy(service->class_map, (*tmp)->value.ht, (copy_ctor_func_t) zval_property_ctor, (void *) &ztmp, sizeof(zval *));
12691269
}
12701270

12711271
if (zend_hash_find(ht, "typemap", sizeof("typemap"), (void**)&tmp) == SUCCESS &&

ext/spl/spl_array.c

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -174,7 +174,7 @@ static zend_object_value spl_array_object_new_ex(zend_class_entry *class_type, s
174174
ALLOC_INIT_ZVAL(intern->retval);
175175

176176
zend_object_std_init(&intern->std, class_type TSRMLS_CC);
177-
zend_hash_copy(intern->std.properties, &class_type->default_properties, (copy_ctor_func_t) zval_add_ref, (void *) &tmp, sizeof(zval *));
177+
zend_hash_copy(intern->std.properties, &class_type->default_properties, (copy_ctor_func_t) zval_property_ctor, (void *) &tmp, sizeof(zval *));
178178

179179
intern->ar_flags = 0;
180180
intern->serialize_data = NULL;

ext/spl/spl_directory.c

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -158,7 +158,7 @@ static zend_object_value spl_filesystem_object_new_ex(zend_class_entry *class_ty
158158
if (obj) *obj = intern;
159159

160160
zend_object_std_init(&intern->std, class_type TSRMLS_CC);
161-
zend_hash_copy(intern->std.properties, &class_type->default_properties, (copy_ctor_func_t) zval_add_ref, (void *) &tmp, sizeof(zval *));
161+
zend_hash_copy(intern->std.properties, &class_type->default_properties, (copy_ctor_func_t) zval_property_ctor, (void *) &tmp, sizeof(zval *));
162162

163163
retval.handle = zend_objects_store_put(intern, (zend_objects_store_dtor_t) zend_objects_destroy_object, (zend_objects_free_object_storage_t) spl_filesystem_object_free_storage, NULL TSRMLS_CC);
164164
retval.handlers = &spl_filesystem_object_handlers;

ext/spl/spl_dllist.c

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -376,7 +376,7 @@ static zend_object_value spl_dllist_object_new_ex(zend_class_entry *class_type,
376376
ALLOC_INIT_ZVAL(intern->retval);
377377

378378
zend_object_std_init(&intern->std, class_type TSRMLS_CC);
379-
zend_hash_copy(intern->std.properties, &class_type->default_properties, (copy_ctor_func_t) zval_add_ref, (void *) &tmp, sizeof(zval *));
379+
zend_hash_copy(intern->std.properties, &class_type->default_properties, (copy_ctor_func_t) zval_property_ctor, (void *) &tmp, sizeof(zval *));
380380

381381
intern->flags = 0;
382382
intern->traverse_position = 0;

0 commit comments

Comments
 (0)