mirror of
https://github.com/php/php-src.git
synced 2024-09-21 09:57:23 +00:00
Fix #81430: Attribute instantiation leaves dangling pointer
By switching attribute constructor stackframe to be called via trampoline the stack allocation is not causing dangling pointers in the zend_observer API anymore. Co-Authored-By: Florian Sowade <f.sowade@suora.com> Co-Authored-By: Christopher Becker <cmbecker69@gmx.de> Co-Authored-By: Dmitry Stogov <dmitry@zend.com> Closes GH-7885.
This commit is contained in:
parent
c99a026c9c
commit
2f6a06ccb0
4
NEWS
4
NEWS
@ -2,6 +2,10 @@ PHP NEWS
|
||||
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
||||
?? ??? 2022, PHP 8.0.16
|
||||
|
||||
- Core:
|
||||
. Fixed bug #81430 (Attribute instantiation leaves dangling pointer).
|
||||
(beberlei)
|
||||
|
||||
- FPM:
|
||||
. Fixed memory leak on invalid port. (David Carlier)
|
||||
|
||||
|
@ -6315,6 +6315,7 @@ static int call_attribute_constructor(
|
||||
dummy_func.type = ZEND_USER_FUNCTION;
|
||||
dummy_func.common.fn_flags =
|
||||
attr->flags & ZEND_ATTRIBUTE_STRICT_TYPES ? ZEND_ACC_STRICT_TYPES : 0;
|
||||
dummy_func.common.fn_flags |= ZEND_ACC_CALL_VIA_TRAMPOLINE;
|
||||
dummy_func.op_array.filename = filename;
|
||||
|
||||
dummy_opline.opcode = ZEND_DO_FCALL;
|
||||
|
31
ext/zend_test/tests/observer_bug81430_1.phpt
Normal file
31
ext/zend_test/tests/observer_bug81430_1.phpt
Normal file
@ -0,0 +1,31 @@
|
||||
--TEST--
|
||||
Bug #81430 (Attribute instantiation frame accessing invalid frame pointer)
|
||||
--EXTENSIONS--
|
||||
zend_test
|
||||
--INI--
|
||||
memory_limit=20M
|
||||
zend_test.observer.enabled=1
|
||||
zend_test.observer.observe_all=1
|
||||
--FILE--
|
||||
<?php
|
||||
|
||||
#[\Attribute]
|
||||
class A {
|
||||
private $a;
|
||||
public function __construct() {
|
||||
}
|
||||
}
|
||||
|
||||
#[A]
|
||||
function B() {}
|
||||
|
||||
$r = new \ReflectionFunction("B");
|
||||
call_user_func([$r->getAttributes(A::class)[0], 'newInstance']);
|
||||
?>
|
||||
--EXPECTF--
|
||||
<!-- init '%s' -->
|
||||
<file '%s'>
|
||||
<!-- init A::__construct() -->
|
||||
<A::__construct>
|
||||
</A::__construct>
|
||||
</file '%s'>
|
33
ext/zend_test/tests/observer_bug81430_2.phpt
Normal file
33
ext/zend_test/tests/observer_bug81430_2.phpt
Normal file
@ -0,0 +1,33 @@
|
||||
--TEST--
|
||||
Bug #81430 (Attribute instantiation leaves dangling execute_data pointer)
|
||||
--EXTENSIONS--
|
||||
zend_test
|
||||
--INI--
|
||||
memory_limit=20M
|
||||
zend_test.observer.enabled=1
|
||||
zend_test.observer.observe_all=1
|
||||
--FILE--
|
||||
<?php
|
||||
|
||||
#[\Attribute]
|
||||
class A {
|
||||
public function __construct() {
|
||||
array_map("str_repeat", ["\xFF"], [100000000]); // cause a bailout
|
||||
}
|
||||
}
|
||||
|
||||
#[A]
|
||||
function B() {}
|
||||
|
||||
$r = new \ReflectionFunction("B");
|
||||
call_user_func([$r->getAttributes(A::class)[0], 'newInstance']);
|
||||
?>
|
||||
--EXPECTF--
|
||||
<!-- init '%s' -->
|
||||
<file '%s'>
|
||||
<!-- init A::__construct() -->
|
||||
<A::__construct>
|
||||
|
||||
Fatal error: Allowed memory size of %d bytes exhausted %s in %s on line %d
|
||||
</A::__construct>
|
||||
</file '%s'>
|
Loading…
Reference in New Issue
Block a user