Prevent direct instantiation of com_safearray_proxy #10278
Conversation
|
Needs more work, though. |
The `com_safearray_proxy` class is meant for internal usage, but so far it was possible to instantiate it from userland, although that made no sense. However, a while ago there was a relevant change[1], namely that its `default_object_handlers` are now assigned when the class is registered, while previously they only have been assigned when an instance had been created internally. So now when freeing a manually created object, `free_obj()` is called, although the object never has been properly initialized (causing segfaults). We fix this by introducing a `create_object()` handler which properly initializes the object with dummy values. Since a manually created `com_safearray_proxy` still does not make sense, we disallow its instantiation. [1] <php@94ee4f9>
com_dotnet objects are special, since they still have the `zend_object` as first member, so we need to use a somewhat different initialization.
That was because ASan complained about the new test. To get the latest goodies (such as Windows ASan running in CI ;), I've rebased onto master, and added a commit that fixes the problem. |
| @@ -57,6 +57,14 @@ typedef struct { | |||
|
|
|||
| #define SA_FETCH(zv) (php_com_saproxy*)Z_OBJ_P(zv) | |||
|
|
|||
| zend_object *php_com_saproxy_create_object(zend_class_entry *class_type) | |||
| { | |||
| php_com_saproxy *intern = emalloc(sizeof(*intern)); | |||
There was a problem hiding this comment.
You can use zend_object_alloc which will do the allocation and memset
There was a problem hiding this comment.
That would't zero the last sizeof(zend_object) bytes of the structure, due to com_dotnet objects having the zend_object as first member, not as last, as usual. I'm planning to change this soonish.
There was a problem hiding this comment.
That was the standard struct layout in PHP 5; all bundled extension had been changed for PHP 7, but com_dotnet had been overlooked.
Co-authored-by: Niels Dossche <7771979+nielsdos@users.noreply.github.com>
The
com_safearray_proxyclass is meant for internal usage, but so far it was possible to instantiate it from userland, although that made no sense. However, a while ago there was a relevant change[1], namely that itsdefault_object_handlersare now assigned when the class is registered, while previously they only have been assigned when an instance had been created internally. So now when freeing a manually created object,free_obj()is called, although the object never has been properly initialized (causing segfaults).We fix this by introducing a
create_object()handler which properly initializes the object with dummy values. Since a manually createdcom_safearray_proxystill does not make sense, we disallow its instantiation.[1] 94ee4f9