|
|
php.net | support | documentation | report a bug | advanced search | search howto | statistics | random bug | login |
Patchesbug61649.patch (last revision 2012-04-06 12:18 UTC by laruence@php.net)Pull RequestsHistoryAllCommentsChangesGit/SVN commits
[2012-04-06 12:18 UTC] laruence@php.net
[2012-04-06 12:22 UTC] laruence@php.net
[2012-04-06 12:22 UTC] laruence@php.net
-Assigned To:
+Assigned To: dmitry
[2012-04-09 13:58 UTC] laruence@php.net
-Status: Assigned
+Status: Wont fix
|
|||||||||||||||||||||||||||
Copyright © 2001-2025 The PHP GroupAll rights reserved. |
Last updated: Wed Apr 30 03:01:27 2025 UTC |
Description: ------------ zend gc was introducted in 5.3 thinking of a zval which is a Hashtable allocated by a extension in persistent, and it also has hashtable children in it, then , if the extension return this to php script: array_init(return_value); zend_hash_copy(Z_ARRVAL_P(return_value), Z_ARRVAL_P(persitent_zval_hashtable), ***).. since zval_copy_ctor does shallow copy, so the persistent array return to the php script. then if it happen to be parsed by zval_ptr_dtor, then the persistent array will be parsed by gc_zval_possible_root, ZEND_API void gc_zval_possible_root(zval *zv TSRMLS_DC) { .................. if (GC_ZVAL_GET_COLOR(zv) != GC_PURPLE) { GC_ZVAL_SET_PURPLE(zv); .................. then the malloc info of the block(not sure before or after) will be polluted. then when the extension try to free the block, a warning will be show like: munmap_chunk(): invalid pointer 0x******* Test script: --------------- none Expected result: ---------------- none Actual result: -------------- none