
Commit b025b9d

committed
Fix #62432 ReflectionMethod random corrupt memory on high concurrent
This fixes the same issue in multiple extensions. This isn't needed in later branches as 5.4 introduced object_properties_init()
1 parent 4662151 commit b025b9d


21 files changed

+27
-25
lines changed


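--- a/NEWS
+++ b/NEWS
@@ -12,6 +12,8 @@ PHP NEWS
 . Fixed CVE-2012-2143. (Solar Designer)
 . Fixed potential overflow in _php_stream_scandir. (Jason Powell,
 Stas)
+. Fixed bug #62432 (ReflectionMethod random corrupt memory on high
+concurrent). (Johannes)
 
 - Fileinfo:
 . Fixed magic file regex support. (Felipe)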

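--- a/ext/date/php_date.c
+++ b/ext/date/php_date.c
@@ -2035,7 +2035,7 @@ static inline zend_object_value date_object_new_date_ex(zend_class_entry *class_
 }
 
 zend_object_std_init(&intern->std, class_type TSRMLS_CC);
-zend_hash_copy(intern->std.properties, &class_type->default_properties, (copy_ctor_func_t) zval_add_ref, (void *) &tmp, sizeof(zval *));
+zend_hash_copy(intern->std.properties, &class_type->default_properties, (copy_ctor_func_t) zval_property_ctor, (void *) &tmp, sizeof(zval *));
 
 retval.handle = zend_objects_store_put(intern, (zend_objects_store_dtor_t)zend_objects_destroy_object, (zend_objects_free_object_storage_t) date_object_free_storage_date, NULL TSRMLS_CC);
 retval.handlers = &date_object_handlers_date;
@@ -2159,7 +2159,7 @@ static inline zend_object_value date_object_new_timezone_ex(zend_class_entry *cl
 }
 
 zend_object_std_init(&intern->std, class_type TSRMLS_CC);
-zend_hash_copy(intern->std.properties, &class_type->default_properties, (copy_ctor_func_t) zval_add_ref, (void *) &tmp, sizeof(zval *));
+zend_hash_copy(intern->std.properties, &class_type->default_properties, (copy_ctor_func_t) zval_property_ctor, (void *) &tmp, sizeof(zval *));
 
 retval.handle = zend_objects_store_put(intern, (zend_objects_store_dtor_t)zend_objects_destroy_object, (zend_objects_free_object_storage_t) date_object_free_storage_timezone, NULL TSRMLS_CC);
 retval.handlers = &date_object_handlers_timezone;
@@ -2215,7 +2215,7 @@ static inline zend_object_value date_object_new_interval_ex(zend_class_entry *cl
 }
 
 zend_object_std_init(&intern->std, class_type TSRMLS_CC);
-zend_hash_copy(intern->std.properties, &class_type->default_properties, (copy_ctor_func_t) zval_add_ref, (void *) &tmp, sizeof(zval *));
+zend_hash_copy(intern->std.properties, &class_type->default_properties, (copy_ctor_func_t) zval_property_ctor, (void *) &tmp, sizeof(zval *));
 
 retval.handle = zend_objects_store_put(intern, (zend_objects_store_dtor_t)zend_objects_destroy_object, (zend_objects_free_object_storage_t) date_object_free_storage_interval, NULL TSRMLS_CC);
 retval.handlers = &date_object_handlers_interval;
@@ -2291,7 +2291,7 @@ static inline zend_object_value date_object_new_period_ex(zend_class_entry *clas
 }
 
 zend_object_std_init(&intern->std, class_type TSRMLS_CC);
-zend_hash_copy(intern->std.properties, &class_type->default_properties, (copy_ctor_func_t) zval_add_ref, (void *) &tmp, sizeof(zval *));
+zend_hash_copy(intern->std.properties, &class_type->default_properties, (copy_ctor_func_t) zval_property_ctor, (void *) &tmp, sizeof(zval *));
 
 retval.handle = zend_objects_store_put(intern, (zend_objects_store_dtor_t)zend_objects_destroy_object, (zend_objects_free_object_storage_t) date_object_free_storage_period, NULL TSRMLS_CC);
 retval.handlers = &date_object_handlers_period;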
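Review bot: The four replaced `zend_hash_copy` lines in this file (in `date_object_new_date_ex`, `date_object_new_timezone_ex`, `date_object_new_interval_ex` and `date_object_new_period_ex`), like the identical line in the other extension sections of this commit, change the copy constructor without a comment recording why `zval_add_ref` was wrong here. I would add `/* do not share the class defaults by refcount: caused memory corruption under concurrency, see bug #62432 */` above each call so a later cleanup does not revert it. The `(copy_ctor_func_t)` cast also silences any prototype check, and `zval_property_ctor` is not declared in any file shown, so it is worth confirming that it is visible in every build configuration these extensions compile under. Because the same line is repeated across some two dozen constructors, a search for remaining `default_properties` copies that still pass `zval_add_ref` would confirm that no site was missed. Each constructor body starts and ends outside its hunk.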

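--- a/ext/fileinfo/fileinfo.c
+++ b/ext/fileinfo/fileinfo.c
@@ -104,7 +104,7 @@ PHP_FILEINFO_API zend_object_value finfo_objects_new(zend_class_entry *class_typ
 memset(intern, 0, sizeof(struct finfo_object));
 
 zend_object_std_init(&intern->zo, class_type TSRMLS_CC);
-zend_hash_copy(intern->zo.properties, &class_type->default_properties, (copy_ctor_func_t) zval_add_ref,(void *) &tmp, sizeof(zval *));
+zend_hash_copy(intern->zo.properties, &class_type->default_properties, (copy_ctor_func_t) zval_property_ctor,(void *) &tmp, sizeof(zval *));
 
 intern->ptr = NULL;
 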
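--- a/ext/pdo/pdo_dbh.c
+++ b/ext/pdo/pdo_dbh.c
@@ -1580,7 +1580,7 @@ zend_object_value pdo_dbh_new(zend_class_entry *ce TSRMLS_DC)
 dbh->refcount = 1;
 ALLOC_HASHTABLE(dbh->properties);
 zend_hash_init(dbh->properties, 0, NULL, ZVAL_PTR_DTOR, 0);
-zend_hash_copy(dbh->properties, &ce->default_properties, (copy_ctor_func_t) zval_add_ref, (void *) &tmp, sizeof(zval *));
+zend_hash_copy(dbh->properties, &ce->default_properties, (copy_ctor_func_t) zval_property_ctor, (void *) &tmp, sizeof(zval *));
 dbh->def_stmt_ce = pdo_dbstmt_ce;
 
 retval.handle = zend_objects_store_put(dbh, (zend_objects_store_dtor_t)zend_objects_destroy_object, (zend_objects_free_object_storage_t)pdo_dbh_free_storage, NULL TSRMLS_CC);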

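--- a/ext/pdo/pdo_stmt.c
+++ b/ext/pdo/pdo_stmt.c
@@ -2466,7 +2466,7 @@ zend_object_value pdo_dbstmt_new(zend_class_entry *ce TSRMLS_DC)
 stmt->refcount = 1;
 ALLOC_HASHTABLE(stmt->properties);
 zend_hash_init(stmt->properties, 0, NULL, ZVAL_PTR_DTOR, 0);
-zend_hash_copy(stmt->properties, &ce->default_properties, (copy_ctor_func_t) zval_add_ref, (void *) &tmp, sizeof(zval *));
+zend_hash_copy(stmt->properties, &ce->default_properties, (copy_ctor_func_t) zval_property_ctor, (void *) &tmp, sizeof(zval *));
 
 retval.handle = zend_objects_store_put(stmt, (zend_objects_store_dtor_t)zend_objects_destroy_object, (zend_objects_free_object_storage_t)pdo_dbstmt_free_storage, (zend_objects_store_clone_t)dbstmt_clone_obj TSRMLS_CC);
 retval.handlers = &pdo_dbstmt_object_handlers;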

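--- a/ext/reflection/php_reflection.c
+++ b/ext/reflection/php_reflection.c
@@ -314,7 +314,7 @@ static zend_object_value reflection_objects_new(zend_class_entry *class_type TSR
 intern->zo.ce = class_type;
 
 zend_object_std_init(&intern->zo, class_type TSRMLS_CC);
-zend_hash_copy(intern->zo.properties, &class_type->default_properties, (copy_ctor_func_t) zval_add_ref, (void *) &tmp, sizeof(zval *));
+zend_hash_copy(intern->zo.properties, &class_type->default_properties, (copy_ctor_func_t) zval_property_ctor, (void *) &tmp, sizeof(zval *));
 retval.handle = zend_objects_store_put(intern, NULL, reflection_free_objects_storage, NULL TSRMLS_CC);
 retval.handlers = &reflection_object_handlers;
 return retval;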

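--- a/ext/soap/soap.c
+++ b/ext/soap/soap.c
@@ -1265,7 +1265,7 @@ PHP_METHOD(SoapServer, SoapServer)
 
 ALLOC_HASHTABLE(service->class_map);
 zend_hash_init(service->class_map, zend_hash_num_elements((*tmp)->value.ht), NULL, ZVAL_PTR_DTOR, 0);
-zend_hash_copy(service->class_map, (*tmp)->value.ht, (copy_ctor_func_t) zval_add_ref, (void *) &ztmp, sizeof(zval *));
+zend_hash_copy(service->class_map, (*tmp)->value.ht, (copy_ctor_func_t) zval_property_ctor, (void *) &ztmp, sizeof(zval *));
 }
 
 if (zend_hash_find(ht, "typemap", sizeof("typemap"), (void**)&tmp) == SUCCESS &&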
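Review bot: The source table in this `SoapServer` constructor hunk is `(*tmp)->value.ht`, apparently an array taken from the constructor's options rather than a class's `default_properties` as in the other sections, so the diff does not show that the same refcount-sharing problem applies here. If it does (for instance because `service->class_map` can be used apart from the array it was built from, which is not visible in this hunk), a comment such as `/* class_map entries must not share refcounts with the caller's array, see bug #62432 */` would record the reason. How nested values inside that array are handled depends on `zval_property_ctor`, which is not shown on this page. The method body starts and ends outside the hunk.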

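--- a/ext/spl/spl_array.c
+++ b/ext/spl/spl_array.c
@@ -174,7 +174,7 @@ static zend_object_value spl_array_object_new_ex(zend_class_entry *class_type, s
 ALLOC_INIT_ZVAL(intern->retval);
 
 zend_object_std_init(&intern->std, class_type TSRMLS_CC);
-zend_hash_copy(intern->std.properties, &class_type->default_properties, (copy_ctor_func_t) zval_add_ref, (void *) &tmp, sizeof(zval *));
+zend_hash_copy(intern->std.properties, &class_type->default_properties, (copy_ctor_func_t) zval_property_ctor, (void *) &tmp, sizeof(zval *));
 
 intern->ar_flags = 0;
 intern->serialize_data = NULL;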

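--- a/ext/spl/spl_directory.c
+++ b/ext/spl/spl_directory.c
@@ -158,7 +158,7 @@ static zend_object_value spl_filesystem_object_new_ex(zend_class_entry *class_ty
 if (obj) *obj = intern;
 
 zend_object_std_init(&intern->std, class_type TSRMLS_CC);
-zend_hash_copy(intern->std.properties, &class_type->default_properties, (copy_ctor_func_t) zval_add_ref, (void *) &tmp, sizeof(zval *));
+zend_hash_copy(intern->std.properties, &class_type->default_properties, (copy_ctor_func_t) zval_property_ctor, (void *) &tmp, sizeof(zval *));
 
 retval.handle = zend_objects_store_put(intern, (zend_objects_store_dtor_t) zend_objects_destroy_object, (zend_objects_free_object_storage_t) spl_filesystem_object_free_storage, NULL TSRMLS_CC);
 retval.handlers = &spl_filesystem_object_handlers;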

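--- a/ext/spl/spl_dllist.c
+++ b/ext/spl/spl_dllist.c
@@ -376,7 +376,7 @@ static zend_object_value spl_dllist_object_new_ex(zend_class_entry *class_type,
 ALLOC_INIT_ZVAL(intern->retval);
 
 zend_object_std_init(&intern->std, class_type TSRMLS_CC);
-zend_hash_copy(intern->std.properties, &class_type->default_properties, (copy_ctor_func_t) zval_add_ref, (void *) &tmp, sizeof(zval *));
+zend_hash_copy(intern->std.properties, &class_type->default_properties, (copy_ctor_func_t) zval_property_ctor, (void *) &tmp, sizeof(zval *));
 
 intern->flags = 0;
 intern->traverse_position = 0;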

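--- a/ext/spl/spl_fixedarray.c
+++ b/ext/spl/spl_fixedarray.c
@@ -215,7 +215,7 @@ static zend_object_value spl_fixedarray_object_new_ex(zend_class_entry *class_ty
 ALLOC_INIT_ZVAL(intern->retval);
 
 zend_object_std_init(&intern->std, class_type TSRMLS_CC);
-zend_hash_copy(intern->std.properties, &class_type->default_properties, (copy_ctor_func_t) zval_add_ref, (void *) &tmp, sizeof(zval *));
+zend_hash_copy(intern->std.properties, &class_type->default_properties, (copy_ctor_func_t) zval_property_ctor, (void *) &tmp, sizeof(zval *));
 
 intern->current = 0;
 intern->flags = 0;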

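--- a/ext/spl/spl_heap.c
+++ b/ext/spl/spl_heap.c
@@ -394,7 +394,7 @@ static zend_object_value spl_heap_object_new_ex(zend_class_entry *class_type, sp
 ALLOC_INIT_ZVAL(intern->retval);
 
 zend_object_std_init(&intern->std, class_type TSRMLS_CC);
-zend_hash_copy(intern->std.properties, &class_type->default_properties, (copy_ctor_func_t) zval_add_ref, (void *) &tmp, sizeof(zval *));
+zend_hash_copy(intern->std.properties, &class_type->default_properties, (copy_ctor_func_t) zval_property_ctor, (void *) &tmp, sizeof(zval *));
 
 intern->flags = 0;
 intern->fptr_cmp = NULL;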

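--- a/ext/spl/spl_iterators.c
+++ b/ext/spl/spl_iterators.c
@@ -921,7 +921,7 @@ static zend_object_value spl_RecursiveIteratorIterator_new_ex(zend_class_entry *
 }
 
 zend_object_std_init(&intern->std, class_type TSRMLS_CC);
-zend_hash_copy(intern->std.properties, &class_type->default_properties, (copy_ctor_func_t) zval_add_ref, (void *) &tmp, sizeof(zval *));
+zend_hash_copy(intern->std.properties, &class_type->default_properties, (copy_ctor_func_t) zval_property_ctor, (void *) &tmp, sizeof(zval *));
 
 retval.handle = zend_objects_store_put(intern, (zend_objects_store_dtor_t)spl_RecursiveIteratorIterator_dtor, (zend_objects_free_object_storage_t) spl_RecursiveIteratorIterator_free_storage, NULL TSRMLS_CC);
 retval.handlers = &spl_handlers_rec_it_it;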

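--- a/ext/spl/spl_observer.c
+++ b/ext/spl/spl_observer.c
@@ -206,7 +206,7 @@ static zend_object_value spl_object_storage_new_ex(zend_class_entry *class_type,
 *obj = intern;
 
 zend_object_std_init(&intern->std, class_type TSRMLS_CC);
-zend_hash_copy(intern->std.properties, &class_type->default_properties, (copy_ctor_func_t) zval_add_ref, (void *) &tmp, sizeof(zval *));
+zend_hash_copy(intern->std.properties, &class_type->default_properties, (copy_ctor_func_t) zval_property_ctor, (void *) &tmp, sizeof(zval *));
 
 zend_hash_init(&intern->storage, 0, NULL, (void (*)(void *))spl_object_storage_dtor, 0);
 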
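--- a/ext/sqlite/sqlite.c
+++ b/ext/sqlite/sqlite.c
@@ -1166,7 +1166,7 @@ static void sqlite_object_new(zend_class_entry *class_type, zend_object_handlers
 memset(intern, 0, sizeof(sqlite_object));
 
 zend_object_std_init(&intern->std, class_type TSRMLS_CC);
-zend_hash_copy(intern->std.properties, &class_type->default_properties, (copy_ctor_func_t) zval_add_ref, (void *) &tmp, sizeof(zval *));
+zend_hash_copy(intern->std.properties, &class_type->default_properties, (copy_ctor_func_t) zval_property_ctor, (void *) &tmp, sizeof(zval *));
 
 retval->handle = zend_objects_store_put(intern, (zend_objects_store_dtor_t)zend_objects_destroy_object, (zend_objects_free_object_storage_t) sqlite_object_free_storage, NULL TSRMLS_CC);
 retval->handlers = handlers;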

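--- a/ext/sqlite3/sqlite3.c
+++ b/ext/sqlite3/sqlite3.c
@@ -2134,7 +2134,7 @@ static zend_object_value php_sqlite3_object_new(zend_class_entry *class_type TSR
 zend_llist_init(&(intern->free_list), sizeof(php_sqlite3_free_list *), (llist_dtor_func_t)php_sqlite3_free_list_dtor, 0);
 
 zend_object_std_init(&intern->zo, class_type TSRMLS_CC);
-zend_hash_copy(intern->zo.properties, &class_type->default_properties, (copy_ctor_func_t) zval_add_ref,(void *) &tmp, sizeof(zval *));
+zend_hash_copy(intern->zo.properties, &class_type->default_properties, (copy_ctor_func_t) zval_property_ctor,(void *) &tmp, sizeof(zval *));
 
 retval.handle = zend_objects_store_put(intern, NULL, (zend_objects_free_object_storage_t) php_sqlite3_object_free_storage, NULL TSRMLS_CC);
 retval.handlers = (zend_object_handlers *) &sqlite3_object_handlers;
@@ -2156,7 +2156,7 @@ static zend_object_value php_sqlite3_stmt_object_new(zend_class_entry *class_typ
 intern->db_obj_zval = NULL;
 
 zend_object_std_init(&intern->zo, class_type TSRMLS_CC);
-zend_hash_copy(intern->zo.properties, &class_type->default_properties, (copy_ctor_func_t) zval_add_ref,(void *) &tmp, sizeof(zval *));
+zend_hash_copy(intern->zo.properties, &class_type->default_properties, (copy_ctor_func_t) zval_property_ctor,(void *) &tmp, sizeof(zval *));
 
 retval.handle = zend_objects_store_put(intern, NULL, (zend_objects_free_object_storage_t) php_sqlite3_stmt_object_free_storage, NULL TSRMLS_CC);
 retval.handlers = (zend_object_handlers *) &sqlite3_stmt_object_handlers;
@@ -2180,7 +2180,7 @@ static zend_object_value php_sqlite3_result_object_new(zend_class_entry *class_t
 intern->stmt_obj_zval = NULL;
 
 zend_object_std_init(&intern->zo, class_type TSRMLS_CC);
-zend_hash_copy(intern->zo.properties, &class_type->default_properties, (copy_ctor_func_t) zval_add_ref,(void *) &tmp, sizeof(zval *));
+zend_hash_copy(intern->zo.properties, &class_type->default_properties, (copy_ctor_func_t) zval_property_ctor,(void *) &tmp, sizeof(zval *));
 
 retval.handle = zend_objects_store_put(intern, NULL, (zend_objects_free_object_storage_t) php_sqlite3_result_object_free_storage, NULL TSRMLS_CC);
 retval.handlers = (zend_object_handlers *) &sqlite3_result_object_handlers;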

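--- a/ext/tidy/tidy.c
+++ b/ext/tidy/tidy.c
@@ -687,7 +687,7 @@ static void tidy_object_new(zend_class_entry *class_type, zend_object_handlers *
 memset(intern, 0, sizeof(PHPTidyObj));
 zend_object_std_init(&intern->std, class_type TSRMLS_CC);
 
-zend_hash_copy(intern->std.properties, &class_type->default_properties, (copy_ctor_func_t) zval_add_ref, (void *) &tmp, sizeof(zval *));
+zend_hash_copy(intern->std.properties, &class_type->default_properties, (copy_ctor_func_t) zval_property_ctor, (void *) &tmp, sizeof(zval *));
 
 switch(objtype) {
 case is_node: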

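--- a/ext/xmlreader/php_xmlreader.c
+++ b/ext/xmlreader/php_xmlreader.c
@@ -401,7 +401,7 @@ zend_object_value xmlreader_objects_new(zend_class_entry *class_type TSRMLS_DC)
 intern->prop_handler = &xmlreader_prop_handlers;
 
 zend_object_std_init(&intern->std, class_type TSRMLS_CC);
-zend_hash_copy(intern->std.properties, &class_type->default_properties, (copy_ctor_func_t) zval_add_ref, (void *) &tmp, sizeof(zval *));
+zend_hash_copy(intern->std.properties, &class_type->default_properties, (copy_ctor_func_t) zval_property_ctor, (void *) &tmp, sizeof(zval *));
 retval.handle = zend_objects_store_put(intern, (zend_objects_store_dtor_t)zend_objects_destroy_object, (zend_objects_free_object_storage_t) xmlreader_objects_free_storage, xmlreader_objects_clone TSRMLS_CC);
 intern->handle = retval.handle;
 retval.handlers = &xmlreader_object_handlers;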

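--- a/ext/xmlwriter/php_xmlwriter.c
+++ b/ext/xmlwriter/php_xmlwriter.c
@@ -151,7 +151,7 @@ static zend_object_value xmlwriter_object_new(zend_class_entry *class_type TSRML
 intern->xmlwriter_ptr = NULL;
 
 zend_object_std_init(&intern->zo, class_type TSRMLS_CC);
-zend_hash_copy(intern->zo.properties, &class_type->default_properties, (copy_ctor_func_t) zval_add_ref,
+zend_hash_copy(intern->zo.properties, &class_type->default_properties, (copy_ctor_func_t) zval_property_ctor,
 (void *) &tmp, sizeof(zval *));
 
 retval.handle = zend_objects_store_put(intern,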

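--- a/ext/xsl/php_xsl.c
+++ b/ext/xsl/php_xsl.c
@@ -129,7 +129,7 @@ zend_object_value xsl_objects_new(zend_class_entry *class_type TSRMLS_DC)
 intern->profiling = NULL;
 
 zend_object_std_init(&intern->std, class_type TSRMLS_CC);
-zend_hash_copy(intern->std.properties, &class_type->default_properties, (copy_ctor_func_t) zval_add_ref, (void *) &tmp, sizeof(zval *));
+zend_hash_copy(intern->std.properties, &class_type->default_properties, (copy_ctor_func_t) zval_property_ctor, (void *) &tmp, sizeof(zval *));
 ALLOC_HASHTABLE(intern->parameter);
 zend_hash_init(intern->parameter, 0, NULL, ZVAL_PTR_DTOR, 0);
 ALLOC_HASHTABLE(intern->registered_phpfunctions);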

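--- a/ext/zip/php_zip.c
+++ b/ext/zip/php_zip.c
@@ -1104,7 +1104,7 @@ static zend_object_value php_zip_object_new(zend_class_entry *class_type TSRMLS_
 intern->zo.ce = class_type;
 #endif
 
-zend_hash_copy(intern->zo.properties, &class_type->default_properties, (copy_ctor_func_t) zval_add_ref,
+zend_hash_copy(intern->zo.properties, &class_type->default_properties, (copy_ctor_func_t) zval_property_ctor,
 (void *) &tmp, sizeof(zval *));
 
 retval.handle = zend_objects_store_put(intern,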
