  [2008-06-13 00:44 UTC] tstarling at wikimedia dot org
 Description:
------------
In PHP 5.2.6 (not selected above because it wasn't in the list), parsekit tries to read memory pointed to by an uninitialised memory location, and so crashes if history of the application is such that that location contains an invalid address.
ops->prototype is not set by init_op_array(), it is only set by zend_do_begin_function_declaration(), so for file-level or eval'd code, this member is invalid. 
ops->function_name is set to null by init_op_array(), and to the function name by zend_do_begin_function_declaration(), so the following hack fixes the problem:
Index: parsekit.c
===================================================================
RCS file: /repository/pecl/parsekit/parsekit.c,v
retrieving revision 1.20
diff -u -r1.20 parsekit.c
--- parsekit.c	31 Mar 2008 10:03:54 -0000	1.20
+++ parsekit.c	13 Jun 2008 04:32:12 -0000
@@ -267,7 +267,7 @@
 		add_assoc_null(return_value, "scope");
 	}
 	add_assoc_long(return_value, "fn_flags", ops->fn_flags);
-	if (ops->prototype) {
+	if (ops->function_name && ops->prototype) {
 		MAKE_STD_ZVAL(tmpzval);
 		array_init(tmpzval);
 		add_assoc_long(tmpzval, "type", ops->prototype->type);
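Review bot: the changed `if` line uses `ops->function_name` as a proxy for "prototype was actually assigned", but nothing in the hunk says why, so a one-line comment above the check (that `init_op_array()` leaves `prototype` uninitialised for file-level and eval'd code and only `zend_do_begin_function_declaration()` sets it, as the report explains) would stop a later maintainer from simplifying it back to `if (ops->prototype)`. The short-circuit `&&` is what makes this safe: `ops->prototype` is only read once `function_name` is non-NULL. The flip side is that the guard depends on every named op_array having come through `zend_do_begin_function_declaration()`; zeroing `prototype` in `init_op_array()` itself would be the more robust fix, with this check as the extension-side mitigation until then.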
<?php
parsekit_compile_string('foo();');
parsekit_compile_string('foo();');
parsekit_compile_string('foo();');
parsekit_compile_string('foo();');
parsekit_compile_string('foo();');
parsekit_compile_string('foo();');
parsekit_compile_string('foo();');
?>

Works for me. Just about any string will trigger the bug. BTW can I have maintainership? Five months is a long time for a one-line fix.
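The uninitialised-member bug the report describes, reduced to a small C model so the failure mode and the patched check can be exercised deterministically. This is an added example, not parsekit's or the Zend engine's code; the struct layout, the 0xAA fill standing in for stale heap contents, and the helper names are all assumptions. It also shows the root-cause alternative of initialising the member, which the page mentions only implicitly.

```c
#include <stdio.h>
#include <string.h>

/* Reduced model of zend_op_array (assumption: the real struct has many
 * more members; only the ones this bug touches are modelled). */
typedef struct op_array {
    char *function_name;        /* NULL for file-level and eval'd code */
    struct op_array *prototype; /* NOT set by init_op_array() */
    int type;
    int fn_flags;
} op_array;

/* Mirrors what the report says init_op_array() does: function_name is
 * reset, prototype is left alone. The 0xAA fill is a constructed stand-in
 * for whatever the allocation previously held. */
static void init_op_array(op_array *ops)
{
    memset(ops, 0xAA, sizeof *ops);
    ops->function_name = NULL;
    ops->fn_flags = 0;
}

/* Mirrors zend_do_begin_function_declaration(): both members are set. */
static void begin_function_declaration(op_array *ops, char *name,
                                       op_array *proto)
{
    init_op_array(ops);
    ops->function_name = name;
    ops->prototype = proto;
}

/* The patched parsekit check: prototype is only dereferenced once
 * function_name proves the op_array came through a function declaration.
 * Returns the prototype's type, or -1 when there is nothing safe to report. */
static int prototype_type(const op_array *ops)
{
    if (ops->function_name && ops->prototype) {
        return ops->prototype->type;
    }
    return -1;
}

/* Root-cause alternative (illustration, not a proposed engine patch):
 * initialise the member, so consumers need no proxy test at all. */
static void init_op_array_zeroed(op_array *ops)
{
    memset(ops, 0xAA, sizeof *ops);
    ops->function_name = NULL;
    ops->prototype = NULL;
    ops->fn_flags = 0;
}

static int prototype_type_direct(const op_array *ops)
{
    return ops->prototype ? ops->prototype->type : -1;
}

/* File-level code under the patched check: the garbage pointer is never
 * dereferenced, so no crash. */
int demo_file_level(void)
{
    op_array ops;
    init_op_array(&ops);
    return prototype_type(&ops);          /* -1 */
}

/* A declared function with a prototype: the guard passes and the real
 * type is read. */
int demo_function(void)
{
    op_array proto, ops;
    memset(&proto, 0, sizeof proto);
    proto.type = 2;
    begin_function_declaration(&ops, "foo", &proto);
    return prototype_type(&ops);          /* 2 */
}

/* File-level code with the member initialised: a direct NULL test suffices. */
int demo_file_level_zeroed(void)
{
    op_array ops;
    init_op_array_zeroed(&ops);
    return prototype_type_direct(&ops);   /* -1 */
}

int main(void)
{
    printf("file-level, guarded:  %d\n", demo_file_level());
    printf("function, guarded:    %d\n", demo_function());
    printf("file-level, zeroed:   %d\n", demo_file_level_zeroed());
    return 0;
}
```

The guarded version is the shape of the one-line fix in the patch above; the zeroed version is what removes the need for a proxy test entirely, which is why a memory-safety bug in an extension like this is usually worth reporting against the engine's initialiser as well.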