From 97ba84bb4dd772e7a6a6261bf9e19b00848b649d Mon Sep 17 00:00:00 2001
From: CHU Zhaowei
Date: Wed, 19 Dec 2018 23:53:48 +0800
Subject: [PATCH 1/3] fix #77298 segfault occurs when add property to unserialized empty ArrayObject
---
 ext/spl/spl_array.c | 1 +
 ext/spl/tests/bug77298.phpt | 16 ++++++++++++++++
 2 files changed, 17 insertions(+)
 create mode 100644 ext/spl/tests/bug77298.phpt
diff --git a/ext/spl/spl_array.c b/ext/spl/spl_array.c
index 63345e6e331d8..bcc2ba82ca6c5 100644
--- a/ext/spl/spl_array.c
+++ b/ext/spl/spl_array.c
@@ -91,6 +91,7 @@ static inline HashTable **spl_array_get_hash_table_ptr(spl_array_object* intern)
 spl_array_object *other = Z_SPLARRAY_P(&intern->array);
 return spl_array_get_hash_table_ptr(other);
 } else if (Z_TYPE(intern->array) == IS_ARRAY) {
+ SEPARATE_ARRAY(&intern->array);
 return &Z_ARRVAL(intern->array);
 } else {
 zend_object *obj = Z_OBJ(intern->array);
diff --git a/ext/spl/tests/bug77298.phpt b/ext/spl/tests/bug77298.phpt
new file mode 100644
index 0000000000000..b1b9a37bdae6f
--- /dev/null
+++ b/ext/spl/tests/bug77298.phpt
@@ -0,0 +1,16 @@
+--TEST--
+Bug #77298 segfault occurs when add property to unserialized ArrayObject
+--FILE--
+
+ array(1) {
+ [1]=>
+ int(123)
+ }
+ }
\ No newline at end of file
From 87142746cc82365203c4d2bbebb0f48161702031 Mon Sep 17 00:00:00 2001
From: CHU Zhaowei
Date: Thu, 20 Dec 2018 01:58:23 +0800
Subject: [PATCH 2/3] another attemp to fix it
---
 ext/spl/spl_array.c | 2 +-
 ext/spl/tests/bug77298.phpt | 12 ++++++++++++
 2 files changed, 13 insertions(+), 1 deletion(-)
diff --git a/ext/spl/spl_array.c b/ext/spl/spl_array.c
index bcc2ba82ca6c5..adfdd51ddffda 100644
--- a/ext/spl/spl_array.c
+++ b/ext/spl/spl_array.c
@@ -91,7 +91,6 @@ static inline HashTable **spl_array_get_hash_table_ptr(spl_array_object* intern)
 spl_array_object *other = Z_SPLARRAY_P(&intern->array);
 return spl_array_get_hash_table_ptr(other);
 } else if (Z_TYPE(intern->array) == IS_ARRAY) {
- SEPARATE_ARRAY(&intern->array);
 return &Z_ARRVAL(intern->array);
 } else {
 zend_object *obj = Z_OBJ(intern->array);
@@ -1844,6 +1843,7 @@ SPL_METHOD(Array, unserialize)
 if (Z_TYPE_P(array) == IS_ARRAY) {
 zval_ptr_dtor(&intern->array);
 ZVAL_COPY(&intern->array, array);
+ SEPARATE_ARRAY(&intern->array);
 } else {
 spl_array_set_array(object, intern, array, 0L, 1);
 }
diff --git a/ext/spl/tests/bug77298.phpt b/ext/spl/tests/bug77298.phpt
index b1b9a37bdae6f..f88c5a241181e 100644
--- a/ext/spl/tests/bug77298.phpt
+++ b/ext/spl/tests/bug77298.phpt
@@ -6,6 +6,11 @@ $o = new ArrayObject();
 $o2 = unserialize(serialize($o));
 $o2[1]=123;
 var_dump($o2);
+
+$o3 = new ArrayObject();
+$o3->unserialize($o->serialize());
+$o3['xm']=456;
+var_dump($o3);
 --EXPECT--
 object(ArrayObject)#2 (1) {
 ["storage":"ArrayObject":private]=>
@@ -13,4 +18,11 @@ object(ArrayObject)#2 (1) {
 [1]=>
 int(123)
 }
+}
+object(ArrayObject)#3 (1) {
+ ["storage":"ArrayObject":private]=>
+ array(1) {
+ ["xm"]=>
+ int(456)
+ }
 }
\ No newline at end of file
From 74633b882632792dfdf3874b35763c4c9b88f883 Mon Sep 17 00:00:00 2001
From: CHU Zhaowei
Date: Thu, 20 Dec 2018 02:27:28 +0800
Subject: [PATCH 3/3] a more elegant way
---
 ext/spl/spl_array.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/ext/spl/spl_array.c b/ext/spl/spl_array.c
index adfdd51ddffda..9b11782147522 100644
--- a/ext/spl/spl_array.c
+++ b/ext/spl/spl_array.c
@@ -1842,7 +1842,8 @@ SPL_METHOD(Array, unserialize)
 if (Z_TYPE_P(array) == IS_ARRAY) {
 zval_ptr_dtor(&intern->array);
- ZVAL_COPY(&intern->array, array);
+ ZVAL_COPY_VALUE(&intern->array, array);
+ ZVAL_NULL(array);
 SEPARATE_ARRAY(&intern->array);
 } else {
 spl_array_set_array(object, intern, array, 0L, 1);
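Review bot: The `SEPARATE_ARRAY(&intern->array);` added in the `@@ -1844,6 +1843,7 @@` hunk of `SPL_METHOD(Array, unserialize)` carries no comment saying why the storage must be unshared at this point, and the reason is not visible from the line itself: the unserializer can hand back an array that is still shared (presumably the immutable empty array for an empty storage), and `spl_array_get_hash_table_ptr` returns `&Z_ARRVAL(intern->array)` for in-place writes, so without the separation a later write would go through to storage the object does not own. A comment above the call such as `/* the unserialized array may still be shared (e.g. the immutable empty array); unshare it so in-place writes via Z_ARRVAL stay safe */` would keep a future cleanup from dropping the line as redundant. Note also that right after `ZVAL_COPY` the refcount is at least 2 because the var_hash temp still holds the value, so at this point `SEPARATE_ARRAY` presumably duplicates every non-empty storage array, not only the shared ones; patch 3/3 in the series addresses that by moving the value with `ZVAL_COPY_VALUE`/`ZVAL_NULL`, but its hunk runs past the end of this page and the same why-comment is missing there too. The enclosing `SPL_METHOD(Array, unserialize)` starts and ends outside the hunk.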