File php-5.2.14-CVE-2010-4697.patch of Package php5-monolithic
Index: Zend/zend_object_handlers.c =================================================================== --- Zend/zend_object_handlers.c.orig +++ Zend/zend_object_handlers.c @@ -329,6 +329,9 @@ zval *zend_std_read_property(zval *objec !guard->in_get) { /* have getter - try with it! */ ZVAL_ADDREF(object); + if (PZVAL_IS_REF(object)) { + SEPARATE_ZVAL(&object); + } guard->in_get = 1; /* prevent circular getting */ rv = zend_std_call_getter(object, member TSRMLS_CC); guard->in_get = 0; @@ -418,22 +421,22 @@ static void zend_std_write_property(zval } } } else { - int setter_done = 0; zend_guard *guard; if (zobj->ce->__set && zend_get_property_guard(zobj, property_info, member, &guard) == SUCCESS && !guard->in_set) { ZVAL_ADDREF(object); + if (PZVAL_IS_REF(object)) { + SEPARATE_ZVAL(&object); + } guard->in_set = 1; /* prevent circular setting */ if (zend_std_call_setter(object, member, value TSRMLS_CC) != SUCCESS) { /* for now, just ignore it - __set should take care of warnings, etc. */ } - setter_done = 1; guard->in_set = 0; zval_ptr_dtor(&object); - } - if (!setter_done && property_info) { + } else if (property_info) { zval **foo; /* if we assign referenced variable, we should separate it */ @@ -611,6 +614,9 @@ static void zend_std_unset_property(zval !guard->in_unset) { /* have unseter - try with it! */ ZVAL_ADDREF(object); + if (PZVAL_IS_REF(object)) { + SEPARATE_ZVAL(&object); + } guard->in_unset = 1; /* prevent circular unsetting */ zend_std_call_unsetter(object, member TSRMLS_CC); guard->in_unset = 0; @@ -1042,6 +1048,9 @@ static int zend_std_has_property(zval *o /* have issetter - try with it! */ ZVAL_ADDREF(object); + if (PZVAL_IS_REF(object)) { + SEPARATE_ZVAL(&object); + } guard->in_isset = 1; /* prevent circular getting */ rv = zend_std_call_issetter(object, member TSRMLS_CC); if (rv) { Index: Zend/tests/bug52879.phpt =================================================================== --- /dev/null +++ Zend/tests/bug52879.phpt 
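Review bot: The `PZVAL_IS_REF(object)` / `SEPARATE_ZVAL(&object)` guard added after `ZVAL_ADDREF(object)` in zend_std_read_property carries no comment saying why a referenced container has to be copied before the getter runs, and the same three lines are repeated in the write, unset and has_property hunks. I would put a comment above each site, for example `/* a handler may release the object through a by-reference container; work on a private copy so it is not freed too early (bug #52879) */`, or fold the add-ref plus separation into one small macro so the four sites cannot drift apart. The matching release for this call site lies outside the hunk, so it should be confirmed that it drops the separated copy rather than the caller's zval.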
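Review bot: In zend_std_write_property the local `object` can now point at the copy made by `SEPARATE_ZVAL(&object)`, and `zval_ptr_dtor(&object)` at the end of the `__set` branch releases it, so the pointer should be treated as dead from that line on. The new `} else if (property_info) {` keeps the direct-write path from running after the setter, which matches what the removed `setter_done` flag did, but the rest of the function is outside the hunk, so it is worth confirming that nothing after the chain reads `object`. A short comment after the dtor, such as `/* object may have been a separated copy; do not use it past this point */`, would make that explicit for later edits.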
@@ -0,0 +1,17 @@
+--TEST--
+Bug #52879 (Objects unreferenced in __get, __set, __isset or __unset can be freed too early)
+--FILE--
+<?php
+class MyClass {
+public $myRef;
+public function __set($property,$value) {
+$this->myRef = $value;
+}
+}
+$myGlobal=new MyClass($myGlobal);
+$myGlobal->myRef=&$myGlobal;
+$myGlobal->myNonExistentProperty="ok\n";
+echo $myGlobal;
+--EXPECT--
+ok
+
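Review bot: The test drives only `__set`, while its title names `__get`, `__set`, `__isset` and `__unset` and the patch changes all four handlers in Zend/zend_object_handlers.c, so three of the changed paths have no regression coverage here. I would add sibling cases in which `__get`, `__isset` and `__unset` overwrite the referenced property in the same way, each with its own expected output. A one-line comment before `$myGlobal->myNonExistentProperty="ok\n";` saying that `__set` replaces `$myGlobal` through `myRef` would also explain why `echo $myGlobal;` is expected to print `ok`.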