Fixed bug #72154 (pcntl_wait/pcntl_waitpid array internal structure overwrite)

2024-09-21 18:07:23 +00:00 · 2016-05-05 15:18:17 +08:00 · 2016-05-05 15:18:17 +08:00 · c15b6134f6
commit c15b6134f6
parent 1a5d58b28f
3 changed files with 36 additions and 10 deletions
--- a/4
+++ b/4
@ -31,6 +31,10 @@ PHP                                                                        NEWS
  . Fixed bug #71600 (oci_fetch_all segfaults when selecting more than eight
    columns). (Tian Yang)

+- PCNTL:
+  . Fixed bug #72154 (pcntl_wait/pcntl_waitpid array internal structure
+    overwrite). (Laruence)
+
 - Opcache:
  . Fixed bug #72014 (Including a file with anonymous classes multiple times
    leads to fatal error). (Laruence)
--- a/ext/pcntl/pcntl.c
+++ b/ext/pcntl/pcntl.c
@ -624,12 +624,11 @@ PHP_FUNCTION(pcntl_waitpid)
 	struct rusage rusage;
 #endif

-	if (zend_parse_parameters(ZEND_NUM_ARGS(), "lz/|lz/", &pid, &z_status, &options, &z_rusage) == FAILURE)
+	if (zend_parse_parameters(ZEND_NUM_ARGS(), "lz/|lz/", &pid, &z_status, &options, &z_rusage) == FAILURE) {
 		return;
+	}

-	convert_to_long_ex(z_status);
-
-	status = Z_LVAL_P(z_status);
+	status = zval_get_long(z_status);

 #ifdef HAVE_WAIT4
 	if (z_rusage) {
@ -659,7 +658,8 @@ PHP_FUNCTION(pcntl_waitpid)
 	}
 #endif

-	Z_LVAL_P(z_status) = status;
+	zval_dtor(z_status);
+	ZVAL_LONG(z_status, status);

 	RETURN_LONG((zend_long) child_id);
 }
@ -677,12 +677,11 @@ PHP_FUNCTION(pcntl_wait)
 	struct rusage rusage;
 #endif

-	if (zend_parse_parameters(ZEND_NUM_ARGS(), "z/|lz/", &z_status, &options, &z_rusage) == FAILURE)
+	if (zend_parse_parameters(ZEND_NUM_ARGS(), "z/|lz/", &z_status, &options, &z_rusage) == FAILURE) {
 		return;
+	}

-	convert_to_long_ex(z_status);
-
-	status = Z_LVAL_P(z_status);
+	status = zval_get_long(z_status);
 #ifdef HAVE_WAIT3
 	if (z_rusage) {
 		if (Z_TYPE_P(z_rusage) != IS_ARRAY) {
@ -711,7 +710,9 @@ PHP_FUNCTION(pcntl_wait)
 		PHP_RUSAGE_TO_ARRAY(rusage, z_rusage);
 	}
 #endif
-	Z_LVAL_P(z_status) = status;
+
+	zval_dtor(z_status);
+	ZVAL_LONG(z_status, status);

 	RETURN_LONG((zend_long) child_id);
 }
--- a/ext/pcntl/tests/bug72154.phpt
+++ b/ext/pcntl/tests/bug72154.phpt
@ -0,0 +1,21 @@
+--TEST--
+Bug #72154 (pcntl_wait/pcntl_waitpid array internal structure overwrite)
+--SKIPIF--
+<?php if (!extension_loaded("pcntl")) print "skip"; ?>
+--FILE--
+<?php
+$b = 666;
+var_dump($b);
+$c = &$b;
+$var5 = pcntl_wait($b,0,$c);
+unset($b);
+
+$b = 666;
+var_dump($b);
+$c = &$b;
+$var5 = pcntl_waitpid(0,$b,0,$c);
+unset($b);
+?>
+--EXPECT--
+int(666)
+int(666)