Hi Marcus,
Your fix didn't work.
Probably it fixed the crash without the Zend memory manager, but the real error occurs
before control reaches your fix.
I had SIGSEGV with your fix.
The problem is:
$xml->bla-props[0]->name = 0;
For nonexisting element "props" simplexml returns NULL with refcount == 0;
Then ZE tries to assign a dimension into it;
It converts NULL into array;
inserts uninitialized zval into it (for index 0);
stores zval** for next opcode
Then it destroys the array, because the refcount is 0 (this 0 comes from simplexml).
Next opcode crashes because stored zval** is destroyed together with array.
This bug must be fixed in ext/simplexml.
It must care about "type" argument of read_property() callback and implement
implicit element/attribute creation or prohibit it.
ZE cannot handle such an assignment automatically. (It uses get_zval_ptr_ptr() for
that, but simplexml doesn't define it.)
Marcus, I don't think the fact that I rejected your patch is a good reason
to re-assign this bug to me.
I am not a simplexml maintainer and don't know a lot about its internals.
Thanks. Dmitry.
> -----Original Message-----
> From: Marcus Boerger [mailto:helly@xxxxxxx]
> Sent: Monday, December 26, 2005 2:07 PM
> To: Dmitry Stogov
> Cc: zend-engine-cvs@xxxxxxxxxxxxx
> Subject: Re: [ZEND-ENGINE-CVS] cvs: ZendEngine2(PHP_5_1) /
> zend_execute.c php-src NEWS
>
>
> Hello Dmitry,
>
> why did you revert this fix?
>
> marcus
>
> Monday, December 26, 2005, 9:18:38 AM, you wrote:
>
> > dmitry Mon Dec 26 08:18:38 2005 EDT
>
> > Modified files: (Branch: PHP_5_1)
> > /php-src NEWS
> > /ZendEngine2 zend_execute.c
> > Log:
> > Reverted invalid fix for bug #35785
> >
> >
> >
> http://cvs.php.net/viewcvs.cgi/php-src/NEWS?r1=1.2027.2.324&r2=1.2027.
> > 2.325&diff_format=u
> > Index: php-src/NEWS
> > diff -u php-src/NEWS:1.2027.2.324 php-src/NEWS:1.2027.2.325
> > --- php-src/NEWS:1.2027.2.324 Mon Dec 26 00:59:32 2005
> > +++ php-src/NEWS Mon Dec 26 08:18:37 2005
> > @@ -3,7 +3,6 @@
> > ?? Jan 2006, PHP 5.1.2RC2
> > - Fixed small leak in mysqli_stmt_fetch() when bound
> variable was empty
> > string. (Andrey)
> > -- Fixed bug #35785 (SimpleXML causes memory read error
> zend engine).
> > (Marcus)
> > - Fixed bug #35781 (stream_filter_append() can cause
> segfault). (Tony)
> > - Fixed bug #35759 (mysqli_stmt_bind_result() makes huge
> allocation when
> > column empty). (Andrey)
> >
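Review bot: the removed NEWS line is the only record that bug #35785 was ever addressed in this branch; since the crash is still reproducible after the revert (the `$xml->bla-props[0]->name = 0;` case above), the bug should be reopened or the NEWS entry replaced with a note that the fix was reverted, so the 5.1.2RC2 changelog does not silently drop a known memory-safety issue.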
> http://cvs.php.net/viewcvs.cgi/ZendEngine2/zend_execute.c?r1=1
.716.2.8&r2=1.716.2.9&diff_format=u
> Index: ZendEngine2/zend_execute.c
> diff -u ZendEngine2/zend_execute.c:1.716.2.8
ZendEngine2/zend_execute.c:1.716.2.9
> --- ZendEngine2/zend_execute.c:1.716.2.8 Fri Dec 23 20:32:15 2005
> +++ ZendEngine2/zend_execute.c Mon Dec 26 08:18:38 2005
> @@ -17,7 +17,7 @@
>
> +----------------------------------------------------------------------+
> */
>
> -/* $Id: zend_execute.c,v 1.716.2.8 2005/12/23 20:32:15 helly Exp $ */
> +/* $Id: zend_execute.c,v 1.716.2.9 2005/12/26 08:18:38 dmitry Exp $
> +*/
>
> #define ZEND_INTENSIVE_DEBUGGING 0
>
> @@ -548,7 +548,7 @@
> make_real_object(object_ptr TSRMLS_CC); /* this should modify
object only if it's empty */
> object = *object_ptr;
>
> - if (!object || object->type != IS_OBJECT || (opcode ==
> ZEND_ASSIGN_OBJ && !Z_OBJ_HT_P(object)->write_property)) {
> + if (object->type != IS_OBJECT || (opcode == ZEND_ASSIGN_OBJ &&
> !Z_OBJ_HT_P(object)->write_property)) {
> zend_error(E_WARNING, "Attempt to assign property of
non-object");
> FREE_OP(free_op2);
> if (!RETURN_VALUE_UNUSED(result)) {
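Review bot: the `+` line drops the `!object` guard, so `object->type` is dereferenced unconditionally right after `make_real_object(object_ptr TSRMLS_CC)`; the thread explains the guard only masked the real defect (a refcount-0 zval returned by simplexml's read_property being freed before the next opcode), but if `*object_ptr` can legitimately be NULL here the NULL check should be kept alongside the simplexml fix, and if it cannot, an assertion documenting that invariant would make the revert's reasoning explicit in the code.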
Best regards,
Marcus
--
Zend Engine CVS Mailing List (http://cvs.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php