Bug #70863 Incorrect logic to increment_function for proxy objects
Submitted: 2015-11-05 19:35 UTC
Modified: 2015-11-09 23:45 UTC
From: jsoumelidis at gmail dot com
Assigned: ab
Status: Closed
Package: Reproducible crash
PHP Version: 7.0.0RC6
OS: Windows
Private report: No
CVE-ID: None
 [2015-11-05 19:35 UTC] jsoumelidis at gmail dot com
Description:
------------
Assume you have a (custom) proxy object whose value one wants to increment ($obj++).
If get/set object handlers are defined for this object, the "increment_function" requests a zval* from the get handler in order to increment its value and assign it back to the proxy object through the set handler.
The problem is that the increment_function executes a Z_ADDREF_P on the returned zval* from the get handler, which crashes the process in case the returned pointer is not a refcounted zval.
File: zend_operators.c Line: 2280
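
The report above turns on Z_ADDREF_P being applied to a zval that carries no refcount. The following is an added example, not code from php-src or from the reporter: a simplified C model in which every `model_*` and `proxy_*` name is hypothetical, showing a guarded addref that skips non-refcounted values while the increment still goes through the get/set handlers.

```c
#include <stdio.h>

/* Simplified model of a PHP 7 zval: only some types carry a refcount. */
typedef struct { unsigned refcount; } model_refcounted;
typedef enum { MODEL_LONG, MODEL_STRING } model_type;
typedef struct {
    model_type type;
    union { long lval; model_refcounted *counted; } value;
} model_zval;

/* Only heap-backed types are refcounted; a long lives inside the union. */
static int model_is_refcounted(const model_zval *zv) { return zv->type == MODEL_STRING; }

/* Guarded addref: touches value.counted only when it really is a pointer.
 * An unguarded version would read value.counted on a MODEL_LONG and treat
 * the integer's bits as an address, which is the crash described above. */
static int model_try_addref(model_zval *zv) {
    if (!model_is_refcounted(zv)) return 0;
    zv->value.counted->refcount++;
    return 1;
}
static void model_try_delref(model_zval *zv) {
    if (model_is_refcounted(zv)) zv->value.counted->refcount--;
}

/* Proxy object whose get/set handlers are backed by a plain zval slot. */
typedef struct { model_zval slot; } model_proxy;
static model_zval *proxy_get(model_proxy *p) { return &p->slot; }
static void proxy_set(model_proxy *p, const model_zval *v) { p->slot = *v; }

/* Increment through the handlers: get, hold a reference if needed, add one, set. */
static int model_increment_proxy(model_proxy *p) {
    model_zval *val = proxy_get(p);
    if (val->type != MODEL_LONG) return -1;  /* this model increments longs only */
    model_try_addref(val);                   /* no-op for a long */
    model_zval result = *val;
    result.value.lval += 1;
    proxy_set(p, &result);
    model_try_delref(val);
    return 0;
}

int main(void) {
    model_proxy p = { { MODEL_LONG, { .lval = 41 } } };  /* constructed sample value */
    model_increment_proxy(&p);
    printf("%ld\n", p.slot.value.lval);
    return 0;
}
```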


History

 [2015-11-06 22:11 UTC] ab@php.net
Automatic comment on behalf of ab
Revision: http://git.php.net/?p=php-src.git;a=commit;h=8155ecba61a9c724c7b2bdeb673602ae27923d71
Log: Fixed bug #70863 Incorrect logic to increment_function for proxy objects
 [2015-11-06 22:11 UTC] ab@php.net
-Status: Open
+Status: Closed
 [2015-11-07 13:29 UTC] jsoumelidis at gmail dot com
Same fix should be applied to functions "ZEND_TRY_BINARY_OP1_OBJECT_OPERATION" (zend_operators.h:760) and "decrement_function" (zend_operators.c:2348)
 [2015-11-09 18:12 UTC] ab@php.net
Automatic comment on behalf of ab
Revision: http://git.php.net/?p=php-src.git;a=commit;h=68910e314ff62bd9f326cc11a48bfd65e5a32220
Log: Fixed bug #70863 Incorrect logic to increment_function for proxy objects
 [2015-11-09 23:45 UTC] ab@php.net
-Assigned To:
+Assigned To: ab
 [2015-11-09 23:45 UTC] ab@php.net
Yeah, the decrement function was already done, thanks for the other catch, done in a3f1154b3d95aa9508cef19102ad553fed4f9189.

Thanks.
 [2016-07-20 11:35 UTC] davey@php.net
Automatic comment on behalf of ab
Revision: http://git.php.net/?p=php-src.git;a=commit;h=8155ecba61a9c724c7b2bdeb673602ae27923d71
Log: Fixed bug #70863 Incorrect logic to increment_function for proxy objects
Last updated: Thu Nov 21 13:01:29 2024 UTC