Bug #62744 dangling pointers made by zend_disable_class
Submitted: 2012-08-04 02:29 UTC
Modified: 2012-08-12 02:33 UTC
From: laruence@php.net
Assigned: laruence
Status: Closed
Package: Scripting Engine problem
PHP Version: 5.3.15
OS:
Private report: No
CVE-ID:
 [2012-08-04 02:29 UTC] laruence@php.net
Description:
------------
This bug was found while digging into bug #62737.

Extensions use zend_register_internal_class to register classes, and they often 
preserve the return value and reuse that pointer instead of searching the class table 
when that class is used.

But when the user specifies disable_classes in php.ini,

zend_disable_class will delete the corresponding class entry, which makes the 
pointer preserved by the extension become a wild pointer.

http://lxr.php.net/xref/PHP_5_3/Zend/zend_API.c#2348

Test script:
---------------
Similar to #62733

Expected result:
----------------
none

Actual result:
--------------
none
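
The lifetime problem described in this report, as an added C sketch that is not php-src code: all names are hypothetical and a fixed pool stands in for the class table so the stale pointer can be inspected safely. `disable_in_place` is an assumed lifetime-preserving alternative, not a description of the committed fix.

```c
#include <stdio.h>
#include <string.h>
/* Toy model, hypothetical names: a fixed pool stands in for the class table. */
typedef struct { char name[32]; int in_use; int disabled; } class_entry;
static class_entry pool[4];
#define POOL_LEN (sizeof pool / sizeof pool[0])

/* Returns the pointer an extension would cache after registration. */
class_entry *register_class(const char *name) {
    for (size_t i = 0; i < POOL_LEN; i++) {
        if (pool[i].in_use) continue;
        pool[i] = (class_entry){ .in_use = 1 };  /* reset slot, mark used */
        strncpy(pool[i].name, name, sizeof pool[i].name - 1);
        return &pool[i];
    }
    return NULL;
}

class_entry *lookup_class(const char *name) {
    for (size_t i = 0; i < POOL_LEN; i++)
        if (pool[i].in_use && strcmp(pool[i].name, name) == 0) return &pool[i];
    return NULL;
}

/* Pattern from the report: the entry is deleted and its storage released. */
int disable_by_delete(const char *name) {
    class_entry *ce = lookup_class(name);
    if (ce) ce->in_use = 0;
    return ce ? 0 : -1;
}

/* Assumed alternative: keep the entry alive and only flag it as disabled. */
int disable_in_place(const char *name) {
    class_entry *ce = lookup_class(name);
    if (ce) ce->disabled = 1;
    return ce ? 0 : -1;
}

/* Does a cached pointer still refer to the class it was obtained for? */
int cached_still_valid(const class_entry *c, const char *name) {
    return c->in_use && strcmp(c->name, name) == 0;
}

int main(void) {
    class_entry *foo = register_class("Foo");   /* cached by the "extension" */
    disable_by_delete("Foo");
    class_entry *bar = register_class("Bar");   /* reuses Foo's slot */
    printf("aliased=%d valid=%d\n", foo == bar, cached_still_valid(foo, "Foo"));
    return 0;
}
```

With deletion, the cached `Foo` pointer ends up aliasing the unrelated `Bar` entry; with in-place disabling, the cached pointer and the table lookup keep agreeing and the holder can test the `disabled` flag.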

 [2012-08-04 02:37 UTC] laruence@php.net
-Summary: Wild pointers made by zend_disable_class
+Summary: dangling pointers made by zend_disable_class
 [2012-08-04 02:41 UTC] laruence@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=03a1fcabf31210d3f304bfacf5096ce43c2b8f93
Log: Fixed bug #62744 (dangling pointers made by zend_disable_class)
 [2012-08-04 03:24 UTC] laruence@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=03a1fcabf31210d3f304bfacf5096ce43c2b8f93
Log: Fixed bug #62744 (dangling pointers made by zend_disable_class)
 [2012-08-04 03:27 UTC] laruence@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=03a1fcabf31210d3f304bfacf5096ce43c2b8f93
Log: Fixed bug #62744 (dangling pointers made by zend_disable_class)
 [2012-08-11 20:34 UTC] felipe@php.net
Has it already been fixed?
 [2012-08-11 20:34 UTC] felipe@php.net
-Assigned To:
+Assigned To: laruence
 [2012-08-12 02:33 UTC] laruence@php.net
This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.


 [2012-08-12 02:33 UTC] laruence@php.net
-Status: Assigned
+Status: Closed
Last updated: Mon Apr 21 04:01:57 2014 UTC