|
 |
e9ca13 |
From df78c48354f376cf419d7a97f88ca07d572f00fb Mon Sep 17 00:00:00 2001
|
|
|
e9ca13 |
From: Xinchen Hui <laruence@php.net>
|
|
|
e9ca13 |
Date: Wed, 2 Jul 2014 17:45:09 +0800
|
|
|
e9ca13 |
Subject: [PATCH] Fixed Bug #67538 (SPL Iterators use-after-free)
|
|
|
e9ca13 |
|
|
|
e9ca13 |
---
|
|
|
e9ca13 |
NEWS | 3 +++
|
|
|
e9ca13 |
ext/spl/spl_dllist.c | 7 +++++--
|
|
|
e9ca13 |
ext/spl/tests/bug67538.phpt | 17 +++++++++++++++++
|
|
|
e9ca13 |
3 files changed, 25 insertions(+), 2 deletions(-)
|
|
|
e9ca13 |
create mode 100644 ext/spl/tests/bug67538.phpt
|
|
|
e9ca13 |
|
|
|
e9ca13 |
diff --git a/ext/spl/spl_dllist.c b/ext/spl/spl_dllist.c
|
|
|
e9ca13 |
index 39a0733..0b44d41 100644
|
|
|
e9ca13 |
--- a/ext/spl/spl_dllist.c
|
|
|
e9ca13 |
+++ b/ext/spl/spl_dllist.c
|
|
|
e9ca13 |
@@ -43,12 +43,10 @@ PHPAPI zend_class_entry *spl_ce_SplStack;
|
|
|
e9ca13 |
|
|
|
e9ca13 |
#define SPL_LLIST_DELREF(elem) if(!--(elem)->rc) { \
|
|
|
e9ca13 |
efree(elem); \
|
|
|
e9ca13 |
- elem = NULL; \
|
|
|
e9ca13 |
}
|
|
|
e9ca13 |
|
|
|
e9ca13 |
#define SPL_LLIST_CHECK_DELREF(elem) if((elem) && !--(elem)->rc) { \
|
|
|
e9ca13 |
efree(elem); \
|
|
|
e9ca13 |
- elem = NULL; \
|
|
|
e9ca13 |
}
|
|
|
e9ca13 |
|
|
|
e9ca13 |
#define SPL_LLIST_ADDREF(elem) (elem)->rc++
|
|
|
e9ca13 |
@@ -916,6 +914,11 @@ SPL_METHOD(SplDoublyLinkedList, offsetUnset)
|
|
|
e9ca13 |
llist->dtor(element TSRMLS_CC);
|
|
|
e9ca13 |
}
|
|
|
e9ca13 |
|
|
|
e9ca13 |
+ if (intern->traverse_pointer == element) {
|
|
|
e9ca13 |
+ SPL_LLIST_DELREF(element);
|
|
|
e9ca13 |
+ intern->traverse_pointer = NULL;
|
|
|
e9ca13 |
+ }
|
|
|
e9ca13 |
+
|
|
|
e9ca13 |
zval_ptr_dtor((zval **)&element->data);
|
|
|
e9ca13 |
element->data = NULL;
|
|
|
e9ca13 |
|
|
|
e9ca13 |
diff --git a/ext/spl/tests/bug67538.phpt b/ext/spl/tests/bug67538.phpt
|
|
|
e9ca13 |
new file mode 100644
|
|
|
e9ca13 |
index 0000000..b6f3848
|
|
|
e9ca13 |
--- /dev/null
|
|
|
e9ca13 |
+++ b/ext/spl/tests/bug67538.phpt
|
|
|
e9ca13 |
@@ -0,0 +1,17 @@
|
|
|
e9ca13 |
+--TEST--
|
|
|
e9ca13 |
+Bug #67538 (SPL Iterators use-after-free)
|
|
|
e9ca13 |
+--FILE--
|
|
|
e9ca13 |
+
|
|
|
e9ca13 |
+$list = new SplDoublyLinkedList();
|
|
|
e9ca13 |
+$list->push('a');
|
|
|
e9ca13 |
+$list->push('b');
|
|
|
e9ca13 |
+
|
|
|
e9ca13 |
+$list->rewind();
|
|
|
e9ca13 |
+$list->offsetUnset(0);
|
|
|
e9ca13 |
+$list->push('b');
|
|
|
e9ca13 |
+$list->offsetUnset(0);
|
|
|
e9ca13 |
+$list->next();
|
|
|
e9ca13 |
+echo "okey";
|
|
|
e9ca13 |
+?>
|
|
|
e9ca13 |
+--EXPECTF--
|
|
|
e9ca13 |
+okey
|
|
|
e9ca13 |
--
|
|
|
e9ca13 |
1.9.2
|
|
|
e9ca13 |
|