php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

Patch 63882.patch for Reproducible crash Bug #63882

Patch version 2013-01-02 18:53 UTC

Return to Bug #63882 | Download this patch
Patch Revisions:

Developer: ab@php.net

diff --git a/Zend/zend.h b/Zend/zend.h
index b6c1a5b..40ea1be 100644
--- a/Zend/zend.h
+++ b/Zend/zend.h
@@ -300,6 +300,7 @@ typedef struct _zend_object {
 	HashTable *properties;
 	zval **properties_table;
 	HashTable *guards; /* protects from __get/__set ... recursion */
+	int property_recursion; /* protect !=/== recursion */
 } zend_object;
 
 #include "zend_object_handlers.h"
diff --git a/Zend/zend_API.c b/Zend/zend_API.c
index eec4ab0..25f61be 100644
--- a/Zend/zend_API.c
+++ b/Zend/zend_API.c
@@ -1135,6 +1135,10 @@ ZEND_API int _object_and_properties_init(zval *arg, zend_class_entry *class_type
 	} else {
 		Z_OBJVAL_P(arg) = class_type->create_object(class_type TSRMLS_CC);
 	}
+	
+	object = (zend_object *) zend_object_store_get_object(arg TSRMLS_CC);
+	object->property_recursion = 0;
+
 	return SUCCESS;
 }
 /* }}} */
diff --git a/Zend/zend_object_handlers.c b/Zend/zend_object_handlers.c
index a76dfb3..add2bf8 100644
--- a/Zend/zend_object_handlers.c
+++ b/Zend/zend_object_handlers.c
@@ -1324,9 +1324,14 @@ static int zend_std_compare_objects(zval *o1, zval *o2 TSRMLS_DC) /* {{{ */
 				if (zobj2->properties_table[i]) {
 					zval result;
 
+					if (zobj1->property_recursion++ >= 3) {
+						zend_error(E_ERROR, "Nesting level too deep - recursive dependency?");
+					}
+
 					if (compare_function(&result, zobj1->properties_table[i], zobj2->properties_table[i] TSRMLS_CC)==FAILURE) {
 						return 1;
 					}
+					zobj1->property_recursion--;
 					if (Z_LVAL(result) != 0) {
 						return Z_LVAL(result);
 					}
--- /dev/null	Wed Jan  2 19:36:37 2013
+++ b/Zend/tests/bug63882.phpt	Wed Jan  2 19:31:55 2013
@@ -0,0 +1,14 @@
+--TEST--
+Bug #63882 zend_std_compare_objects crash on recursion
+--FILE--
+<?php
+class Test { public $x = 5; }
+
+$testobj1 = new Test;
+$testobj2 = new Test;
+$testobj1->x = $testobj1;
+$testobj2->x = $testobj2;
+
+$testobj1 == $testobj2; // Crash (stack exhaustion)
+--EXPECTF--
+Fatal error: Nesting level too deep - recursive dependency? in %s on line 9
 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Fri Apr 18 02:02:27 2014 UTC