Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
openSUSE:Evergreen:11.2:Test
php5
php-5.3.3-CVE-2010-4697.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File php-5.3.3-CVE-2010-4697.patch of Package php5
Index: Zend/zend_object_handlers.c =================================================================== --- Zend/zend_object_handlers.c.orig +++ Zend/zend_object_handlers.c @@ -347,6 +347,9 @@ zval *zend_std_read_property(zval *objec !guard->in_get) { /* have getter - try with it! */ Z_ADDREF_P(object); + if (PZVAL_IS_REF(object)) { + SEPARATE_ZVAL(&object); + } guard->in_get = 1; /* prevent circular getting */ rv = zend_std_call_getter(object, member TSRMLS_CC); guard->in_get = 0; @@ -436,22 +439,22 @@ static void zend_std_write_property(zval } } } else { - int setter_done = 0; zend_guard *guard; if (zobj->ce->__set && zend_get_property_guard(zobj, property_info, member, &guard) == SUCCESS && !guard->in_set) { Z_ADDREF_P(object); + if (PZVAL_IS_REF(object)) { + SEPARATE_ZVAL(&object); + } guard->in_set = 1; /* prevent circular setting */ if (zend_std_call_setter(object, member, value TSRMLS_CC) != SUCCESS) { /* for now, just ignore it - __set should take care of warnings, etc. */ } - setter_done = 1; guard->in_set = 0; zval_ptr_dtor(&object); - } - if (!setter_done && property_info) { + } else if (property_info) { zval **foo; /* if we assign referenced variable, we should separate it */ @@ -626,6 +629,9 @@ static void zend_std_unset_property(zval !guard->in_unset) { /* have unseter - try with it! */ Z_ADDREF_P(object); + if (PZVAL_IS_REF(object)) { + SEPARATE_ZVAL(&object); + } guard->in_unset = 1; /* prevent circular unsetting */ zend_std_call_unsetter(object, member TSRMLS_CC); guard->in_unset = 0; @@ -1144,6 +1150,9 @@ static int zend_std_has_property(zval *o /* have issetter - try with it! */ Z_ADDREF_P(object); + if (PZVAL_IS_REF(object)) { + SEPARATE_ZVAL(&object); + } guard->in_isset = 1; /* prevent circular getting */ rv = zend_std_call_issetter(object, member TSRMLS_CC); if (rv) { Index: Zend/tests/bug52879.phpt =================================================================== --- /dev/null +++ Zend/tests/bug52879.phpt @@ -0,0 +1,17 @@ +--TEST-- +Bug #52879 (Objects unreferenced in __get, __set, __isset or __unset can be freed too early) +--FILE-- +<?php +class MyClass { + public $myRef; + public function __set($property,$value) { + $this->myRef = $value; + } +} +$myGlobal=new MyClass($myGlobal); +$myGlobal->myRef=&$myGlobal; +$myGlobal->myNonExistentProperty="ok\n"; +echo $myGlobal; +--EXPECT-- +ok +
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor