Dmitry: you might want to review this fix. Let me explain why it crashed before this fix.
When doing parse_parameter, we convert the object to a string by calling ce->cast_object, and pass the same pointer (although there was a separation) to cast_object. Then, if the __toString method stashes $this somewhere, after the parameters are cleaned up the $this pointer will be left dangling. Then, in the next loop, the return_value will happen to use the same address, then balalala, causing the segfault. Sorry for my poor English, and I hope I have made myself clear; if there is any question, please write me. Thanks.

On Sat, Feb 25, 2012 at 12:36 PM, Xinchen Hui <larue...@php.net> wrote: > laruence Sat, 25 Feb 2012 04:36:08 +0000 > > Revision: http://svn.php.net/viewvc?view=revision&revision=323489 > > Log: > Fixed bug #61165 (Segfault - strip_tags()) > > Bug: https://bugs.php.net/61165 (Assigned) Segfault - strip_tags() > > Changed paths: > U php/php-src/branches/PHP_5_3/NEWS > U php/php-src/branches/PHP_5_3/Zend/zend_API.c > U php/php-src/trunk/NEWS > U php/php-src/trunk/Zend/zend_API.c > > Modified: php/php-src/branches/PHP_5_3/NEWS > =================================================================== > --- php/php-src/branches/PHP_5_3/NEWS 2012-02-25 03:19:27 UTC (rev 323488) > +++ php/php-src/branches/PHP_5_3/NEWS 2012-02-25 04:36:08 UTC (rev 323489) > @@ -3,6 +3,7 @@ > ?? ??? 2012, PHP 5.3.11 > > - Core: > + . Fixed bug #61165 (Segfault - strip_tags()). (Laruence) > . Improved max_input_vars directive to check nested variables (Dmitry). > . Fixed bug #61095 (Incorect lexing of 0x00*+<NUM>). (Etienne) > . Fixed bug #61072 (Memory leak when restoring an exception handler). > > Modified: php/php-src/branches/PHP_5_3/Zend/zend_API.c > =================================================================== > --- php/php-src/branches/PHP_5_3/Zend/zend_API.c 2012-02-25 03:19:27 > UTC (rev 323488) > +++ php/php-src/branches/PHP_5_3/Zend/zend_API.c 2012-02-25 04:36:08 > UTC (rev 323489)
> @@ -254,10 +254,15 @@ > static int parse_arg_object_to_string(zval **arg TSRMLS_DC) /* {{{ */ > { > if (Z_OBJ_HANDLER_PP(arg, cast_object)) { > - SEPARATE_ZVAL_IF_NOT_REF(arg); > - if (Z_OBJ_HANDLER_PP(arg, cast_object)(*arg, *arg, IS_STRING > TSRMLS_CC) == SUCCESS) { > + zval *obj; > + ALLOC_ZVAL(obj); > + MAKE_COPY_ZVAL(arg, obj); > + if (Z_OBJ_HANDLER_P(*arg, cast_object)(*arg, obj, IS_STRING > TSRMLS_CC) == SUCCESS) { > + zval_ptr_dtor(arg); > + *arg = obj; > return SUCCESS; > } > + zval_ptr_dtor(&obj); > } > /* Standard PHP objects */ > if (Z_OBJ_HT_PP(arg) == &std_object_handlers || !Z_OBJ_HANDLER_PP(arg, > cast_object)) { > > Modified: php/php-src/trunk/NEWS > =================================================================== > --- php/php-src/trunk/NEWS 2012-02-25 03:19:27 UTC (rev 323488) > +++ php/php-src/trunk/NEWS 2012-02-25 04:36:08 UTC (rev 323489) > @@ -6,6 +6,7 @@ > . World domination > > - Core: > + . Fixed bug #61165 (Segfault - strip_tags()). (Laruence) > . Fixed bug #61072 (Memory leak when restoring an exception handler). > (Nikic, Laruence) > . Fixed bug #61000 (Exceeding max nesting level doesn't delete numerical > > Modified: php/php-src/trunk/Zend/zend_API.c > =================================================================== > --- php/php-src/trunk/Zend/zend_API.c 2012-02-25 03:19:27 UTC (rev 323488) > +++ php/php-src/trunk/Zend/zend_API.c 2012-02-25 04:36:08 UTC (rev 323489) 
> @@ -262,12 +262,17 @@ > static int parse_arg_object_to_string(zval **arg, char **p, int *pl, int > type TSRMLS_DC) /* {{{ */ > { > if (Z_OBJ_HANDLER_PP(arg, cast_object)) { > - SEPARATE_ZVAL_IF_NOT_REF(arg); > - if (Z_OBJ_HANDLER_PP(arg, cast_object)(*arg, *arg, type > TSRMLS_CC) == SUCCESS) { > + zval *obj; > + ALLOC_ZVAL(obj); > + MAKE_COPY_ZVAL(arg, obj); > + if (Z_OBJ_HANDLER_P(*arg, cast_object)(*arg, obj, type > TSRMLS_CC) == SUCCESS) { > + zval_ptr_dtor(arg); > + *arg = obj; > *pl = Z_STRLEN_PP(arg); > *p = Z_STRVAL_PP(arg); > return SUCCESS; > } > + zval_ptr_dtor(&obj); > } > /* Standard PHP objects */ > if (Z_OBJ_HT_PP(arg) == &std_object_handlers || !Z_OBJ_HANDLER_PP(arg, > cast_object)) { > > > -- > PHP CVS Mailing List (http://www.php.net/) > To unsubscribe, visit: http://www.php.net/unsub.php -- Laruence Xinchen Hui http://www.laruence.com/ -- PHP Internals - PHP Runtime Development Mailing List To unsubscribe, visit: http://www.php.net/unsub.php
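Review bot: in the PHP_5_3 Zend/zend_API.c hunk, `MAKE_COPY_ZVAL(arg, obj);` duplicates the object zval into obj, and zval_copy_ctor on an IS_OBJECT value takes an additional reference on the object handle; the success path then lets the cast handler overwrite obj with the string result and never releases that handle reference, so unless the handler itself destroys writeobj before writing (it is not shown here, and the standard handler only does that when readobj == writeobj), every successful cast leaks one object reference and the object's destructor runs late or not at all. The handler only needs a writable destination, so `MAKE_STD_ZVAL(obj);` with `efree(obj);` on the failure path avoids both the extra reference and the second zval_ptr_dtor. The core of the change is right: the object zval that a __toString() may have retained through $this is no longer rewritten into a string in place, it just loses the parameter's reference via `zval_ptr_dtor(arg);` once the new string zval is ready.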
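Review bot: the trunk hunk has the same MAKE_COPY_ZVAL reference-leak concern as the 5.3 one, and the commit ships no regression test: the changed paths are only NEWS and Zend/zend_API.c. Because the crash needs a specific sequence (a __toString() that retains $this, with the object passed to a string parameter such as strip_tags() more than once), a .phpt reproducing exactly that sequence would keep the in-place cast from coming back; running it under valgrind or a debug build would also confirm that `*pl = Z_STRLEN_PP(arg);` and `*p = Z_STRVAL_PP(arg);` read from the freshly assigned obj and that the old object's destructor still fires exactly once when the caller's last reference goes away.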
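The aliasing Laruence describes above, as an added example that is not part of this thread or of php-src: a constructed C miniature of a refcounted value slot, a cast_object stand-in whose __toString() retains $this, and the two parse_arg variants (in place, as before the patch; into a fresh slot, as after it). The names val, cast_object_to_string, parse_arg_in_place, parse_arg_into_copy, stash_still_object and the obj_id field are all invented for the model. The fresh slot starts empty rather than as a copy of the object, so there is no extra object reference to release. The in-place variant shows only the type confusion (the retained reference now points at a string); the engine's reset of the rewritten zval's refcount, which is what makes the slot actually get freed and the stash dangle, is deliberately not modelled so the program stays free of undefined behaviour.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed miniature of a refcounted, Zend-style value slot. This is a
 * model for the example, not the engine's zval: only the aliasing that
 * matters for bug #61165 is reproduced. */
typedef enum { T_STRING, T_OBJECT } vtype;

typedef struct {
    vtype type;
    int   refcount;
    char *str;     /* T_STRING payload */
    int   obj_id;  /* T_OBJECT payload: stand-in for an object handle, -1 = none */
} val;

static val *val_new_object(int id)
{
    val *v = calloc(1, sizeof *v);
    v->type = T_OBJECT;
    v->refcount = 1;
    v->obj_id = id;
    return v;
}

/* Drop one reference and clear the caller's pointer; free on the last one. */
static void val_release(val **pv)
{
    val *v = *pv;
    *pv = NULL;
    if (--v->refcount == 0) {
        free(v->str);
        free(v);
    }
}

/* Stand-in for a __toString() that stashes $this somewhere: the callback
 * keeps its own reference to the object it was invoked on. */
static val *stashed_this;

/* Model of cast_object(readobj, writeobj, IS_STRING): run the user-level
 * __toString on readobj and store the resulting string in writeobj. */
static int cast_object_to_string(val *readobj, val *writeobj)
{
    char buf[32];
    snprintf(buf, sizeof buf, "obj#%d", readobj->obj_id); /* __toString body */
    if (stashed_this) {
        val_release(&stashed_this);
    }
    stashed_this = readobj;                                /* $this escapes */
    stashed_this->refcount++;
    /* Whatever writeobj held is discarded; when writeobj == readobj that is
     * the very object the stash still points to. */
    free(writeobj->str);
    writeobj->type = T_STRING;
    writeobj->obj_id = -1;
    size_t n = strlen(buf) + 1;
    writeobj->str = malloc(n);
    if (!writeobj->str) {
        return -1;
    }
    memcpy(writeobj->str, buf, n);
    return 0;
}

/* Before the patch: the argument slot is converted in place, so the slot
 * __toString retained is the one just turned into a string. */
static void parse_arg_in_place(val **arg)
{
    cast_object_to_string(*arg, *arg);
}

/* After the patch: the string goes into a fresh slot, which is then swapped
 * into the argument; the object only loses the parameter's reference. */
static void parse_arg_into_copy(val **arg)
{
    val *obj = calloc(1, sizeof *obj);
    obj->refcount = 1;
    obj->obj_id = -1;
    if (cast_object_to_string(*arg, obj) == 0) {
        val_release(arg);
        *arg = obj;
    } else {
        val_release(&obj);
    }
}

/* Run one variant on a parameter slot that is the sole owner of object #7,
 * copy the string the callee (think strip_tags()) would see into out, and
 * report whether the stashed $this still refers to a live object (1) or
 * now points at a string (0). */
static int stash_still_object(void (*parse)(val **), char *out, size_t outlen)
{
    val *slot = val_new_object(7);
    parse(&slot);
    snprintf(out, outlen, "%s", slot->str);
    int still_object = (stashed_this->type == T_OBJECT);
    val_release(&slot);          /* parameter cleanup after the call */
    val_release(&stashed_this);  /* the stash is dropped later */
    return still_object;
}

int main(void)
{
    char s[32];
    int a = stash_still_object(parse_arg_in_place, s, sizeof s);
    printf("in place : stash is %s, callee got \"%s\"\n", a ? "an object" : "a string", s);
    int b = stash_still_object(parse_arg_into_copy, s, sizeof s);
    printf("into copy: stash is %s, callee got \"%s\"\n", b ? "an object" : "a string", s);
    return 0;
}
```

Both variants hand the callee the same string, which is why the bug is invisible to the function being called; the difference is only in what the reference retained by __toString() points at afterwards, and that is what the parameter cleanup in the next call trips over.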