Commit 260c6bf5 authored by Ondrej Sury's avatar Ondrej Sury

Imported Upstream version 5.6.26+dfsg

parent 0c365941
...@@ -205,7 +205,7 @@ STATUS: Working ...@@ -205,7 +205,7 @@ STATUS: Working
SINCE: 5.1 SINCE: 5.1
------------------------------------------------------------------------------- -------------------------------------------------------------------------------
EXTENSION: pdo_oci EXTENSION: pdo_oci
PRIMARY MAINTAINER: Unknown PRIMARY MAINTAINER: Christopher Jones <sixd@php.net>
MAINTENANCE: Odd fixes MAINTENANCE: Odd fixes
STATUS: Working STATUS: Working
SINCE: 5.1 SINCE: 5.1
......
This diff is collapsed.
...@@ -616,6 +616,12 @@ TSRM_API int shmget(int key, int size, int flags) ...@@ -616,6 +616,12 @@ TSRM_API int shmget(int key, int size, int flags)
} }
} else { } else {
if (flags & IPC_EXCL) { if (flags & IPC_EXCL) {
if (shm_handle) {
CloseHandle(shm_handle);
}
if (info_handle) {
CloseHandle(info_handle);
}
return -1; return -1;
} }
} }
...@@ -654,17 +660,27 @@ TSRM_API int shmget(int key, int size, int flags) ...@@ -654,17 +660,27 @@ TSRM_API int shmget(int key, int size, int flags)
TSRM_API void *shmat(int key, const void *shmaddr, int flags) TSRM_API void *shmat(int key, const void *shmaddr, int flags)
{ {
shm_pair *shm = shm_get(key, NULL); shm_pair *shm = shm_get(key, NULL);
int err;
if (!shm->segment) { if (!shm->segment) {
return (void*)-1; return (void*)-1;
} }
shm->addr = MapViewOfFileEx(shm->segment, FILE_MAP_ALL_ACCESS, 0, 0, 0, NULL);
err = GetLastError();
if (err) {
/* Catch more errors */
if (ERROR_NOT_ENOUGH_MEMORY == err) {
_set_errno(ENOMEM);
}
return (void*)-1;
}
shm->descriptor->shm_atime = time(NULL); shm->descriptor->shm_atime = time(NULL);
shm->descriptor->shm_lpid = getpid(); shm->descriptor->shm_lpid = getpid();
shm->descriptor->shm_nattch++; shm->descriptor->shm_nattch++;
shm->addr = MapViewOfFileEx(shm->segment, FILE_MAP_ALL_ACCESS, 0, 0, 0, NULL);
return shm->addr; return shm->addr;
} }
......
--TEST--
Bug #72907 (null pointer deref, segfault in gc_remove_zval_from_buffer (zend_gc.c:260))
--FILE--
<?php
$a = 0;
($a->a = &$E) + ($b = $a->b->i -= 0);
?>
--EXPECTF--
Warning: Attempt to modify property of non-object in %sbug72907.php on line %d
Warning: Attempt to modify property of non-object in %sbug72907.php on line %d
Warning: Creating default object from empty value in %sbug72907.php on line %d
Notice: Undefined property: stdClass::$i in %sbug72907.php on line %d
...@@ -1074,7 +1074,7 @@ static int zval_update_class_constant(zval **pp, int is_static, int offset TSRML ...@@ -1074,7 +1074,7 @@ static int zval_update_class_constant(zval **pp, int is_static, int offset TSRML
*scope = old_scope; *scope = old_scope;
return ret; return ret;
} }
} }
ce = ce->parent; ce = ce->parent;
} while (ce); } while (ce);
...@@ -1279,9 +1279,14 @@ ZEND_API int add_assoc_double_ex(zval *arg, const char *key, uint key_len, doubl ...@@ -1279,9 +1279,14 @@ ZEND_API int add_assoc_double_ex(zval *arg, const char *key, uint key_len, doubl
ZEND_API int add_assoc_string_ex(zval *arg, const char *key, uint key_len, char *str, int duplicate) /* {{{ */ ZEND_API int add_assoc_string_ex(zval *arg, const char *key, uint key_len, char *str, int duplicate) /* {{{ */
{ {
zval *tmp; zval *tmp;
size_t _len = strlen(str);
if (UNEXPECTED(_len > INT_MAX)) {
zend_error_noreturn(E_ERROR, "String overflow, max size is %d", INT_MAX);
}
MAKE_STD_ZVAL(tmp); MAKE_STD_ZVAL(tmp);
ZVAL_STRING(tmp, str, duplicate); ZVAL_STRINGL(tmp, str, _len, duplicate);
return zend_symtable_update(Z_ARRVAL_P(arg), key, key_len, (void *) &tmp, sizeof(zval *), NULL); return zend_symtable_update(Z_ARRVAL_P(arg), key, key_len, (void *) &tmp, sizeof(zval *), NULL);
} }
...@@ -1291,6 +1296,10 @@ ZEND_API int add_assoc_stringl_ex(zval *arg, const char *key, uint key_len, char ...@@ -1291,6 +1296,10 @@ ZEND_API int add_assoc_stringl_ex(zval *arg, const char *key, uint key_len, char
{ {
zval *tmp; zval *tmp;
if (UNEXPECTED(length > INT_MAX)) {
zend_error_noreturn(E_ERROR, "String overflow, max size is %d", INT_MAX);
}
MAKE_STD_ZVAL(tmp); MAKE_STD_ZVAL(tmp);
ZVAL_STRINGL(tmp, str, length, duplicate); ZVAL_STRINGL(tmp, str, length, duplicate);
...@@ -1362,6 +1371,11 @@ ZEND_API int add_index_double(zval *arg, ulong index, double d) /* {{{ */ ...@@ -1362,6 +1371,11 @@ ZEND_API int add_index_double(zval *arg, ulong index, double d) /* {{{ */
ZEND_API int add_index_string(zval *arg, ulong index, const char *str, int duplicate) /* {{{ */ ZEND_API int add_index_string(zval *arg, ulong index, const char *str, int duplicate) /* {{{ */
{ {
zval *tmp; zval *tmp;
size_t _len = strlen(str);
if (UNEXPECTED(_len > INT_MAX)) {
zend_error_noreturn(E_ERROR, "String overflow, max size is %d", INT_MAX);
}
MAKE_STD_ZVAL(tmp); MAKE_STD_ZVAL(tmp);
ZVAL_STRING(tmp, str, duplicate); ZVAL_STRING(tmp, str, duplicate);
...@@ -1374,6 +1388,10 @@ ZEND_API int add_index_stringl(zval *arg, ulong index, const char *str, uint len ...@@ -1374,6 +1388,10 @@ ZEND_API int add_index_stringl(zval *arg, ulong index, const char *str, uint len
{ {
zval *tmp; zval *tmp;
if (UNEXPECTED(length > INT_MAX)) {
zend_error_noreturn(E_ERROR, "String overflow, max size is %d", INT_MAX);
}
MAKE_STD_ZVAL(tmp); MAKE_STD_ZVAL(tmp);
ZVAL_STRINGL(tmp, str, length, duplicate); ZVAL_STRINGL(tmp, str, length, duplicate);
...@@ -1457,6 +1475,9 @@ ZEND_API int add_next_index_stringl(zval *arg, const char *str, uint length, int ...@@ -1457,6 +1475,9 @@ ZEND_API int add_next_index_stringl(zval *arg, const char *str, uint length, int
{ {
zval *tmp; zval *tmp;
if (UNEXPECTED(length > INT_MAX)) {
zend_error_noreturn(E_ERROR, "String overflow, max size is %d", INT_MAX);
}
MAKE_STD_ZVAL(tmp); MAKE_STD_ZVAL(tmp);
ZVAL_STRINGL(tmp, str, length, duplicate); ZVAL_STRINGL(tmp, str, length, duplicate);
...@@ -1473,9 +1494,14 @@ ZEND_API int add_next_index_zval(zval *arg, zval *value) /* {{{ */ ...@@ -1473,9 +1494,14 @@ ZEND_API int add_next_index_zval(zval *arg, zval *value) /* {{{ */
ZEND_API int add_get_assoc_string_ex(zval *arg, const char *key, uint key_len, const char *str, void **dest, int duplicate) /* {{{ */ ZEND_API int add_get_assoc_string_ex(zval *arg, const char *key, uint key_len, const char *str, void **dest, int duplicate) /* {{{ */
{ {
zval *tmp; zval *tmp;
size_t _len = strlen(str);
if (UNEXPECTED(_len > INT_MAX)) {
zend_error_noreturn(E_ERROR, "String overflow, max size is %d", INT_MAX);
}
MAKE_STD_ZVAL(tmp); MAKE_STD_ZVAL(tmp);
ZVAL_STRING(tmp, str, duplicate); ZVAL_STRINGL(tmp, str, _len, duplicate);
return zend_symtable_update(Z_ARRVAL_P(arg), key, key_len, (void *) &tmp, sizeof(zval *), dest); return zend_symtable_update(Z_ARRVAL_P(arg), key, key_len, (void *) &tmp, sizeof(zval *), dest);
} }
...@@ -1485,6 +1511,10 @@ ZEND_API int add_get_assoc_stringl_ex(zval *arg, const char *key, uint key_len, ...@@ -1485,6 +1511,10 @@ ZEND_API int add_get_assoc_stringl_ex(zval *arg, const char *key, uint key_len,
{ {
zval *tmp; zval *tmp;
if (UNEXPECTED(length > INT_MAX)) {
zend_error_noreturn(E_ERROR, "String overflow, max size is %d", INT_MAX);
}
MAKE_STD_ZVAL(tmp); MAKE_STD_ZVAL(tmp);
ZVAL_STRINGL(tmp, str, length, duplicate); ZVAL_STRINGL(tmp, str, length, duplicate);
...@@ -1664,9 +1694,14 @@ ZEND_API int add_property_string_ex(zval *arg, const char *key, uint key_len, co ...@@ -1664,9 +1694,14 @@ ZEND_API int add_property_string_ex(zval *arg, const char *key, uint key_len, co
{ {
zval *tmp; zval *tmp;
zval *z_key; zval *z_key;
size_t _len = strlen(str);
if (UNEXPECTED(_len > INT_MAX)) {
zend_error_noreturn(E_ERROR, "String overflow, max size is %d", INT_MAX);
}
MAKE_STD_ZVAL(tmp); MAKE_STD_ZVAL(tmp);
ZVAL_STRING(tmp, str, duplicate); ZVAL_STRINGL(tmp, str, _len, duplicate);
MAKE_STD_ZVAL(z_key); MAKE_STD_ZVAL(z_key);
ZVAL_STRINGL(z_key, key, key_len-1, 1); ZVAL_STRINGL(z_key, key, key_len-1, 1);
...@@ -1683,6 +1718,10 @@ ZEND_API int add_property_stringl_ex(zval *arg, const char *key, uint key_len, c ...@@ -1683,6 +1718,10 @@ ZEND_API int add_property_stringl_ex(zval *arg, const char *key, uint key_len, c
zval *tmp; zval *tmp;
zval *z_key; zval *z_key;
if (UNEXPECTED(length > INT_MAX)) {
zend_error_noreturn(E_ERROR, "String overflow, max size is %d", INT_MAX);
}
MAKE_STD_ZVAL(tmp); MAKE_STD_ZVAL(tmp);
ZVAL_STRINGL(tmp, str, length, duplicate); ZVAL_STRINGL(tmp, str, length, duplicate);
...@@ -1836,7 +1875,7 @@ ZEND_API void zend_collect_module_handlers(TSRMLS_D) /* {{{ */ ...@@ -1836,7 +1875,7 @@ ZEND_API void zend_collect_module_handlers(TSRMLS_D) /* {{{ */
module_post_deactivate_handlers = module_request_shutdown_handlers + shutdown_count + 1; module_post_deactivate_handlers = module_request_shutdown_handlers + shutdown_count + 1;
module_post_deactivate_handlers[post_deactivate_count] = NULL; module_post_deactivate_handlers[post_deactivate_count] = NULL;
startup_count = 0; startup_count = 0;
for (zend_hash_internal_pointer_reset_ex(&module_registry, &pos); for (zend_hash_internal_pointer_reset_ex(&module_registry, &pos);
zend_hash_get_current_data_ex(&module_registry, (void *) &module, &pos) == SUCCESS; zend_hash_get_current_data_ex(&module_registry, (void *) &module, &pos) == SUCCESS;
zend_hash_move_forward_ex(&module_registry, &pos)) { zend_hash_move_forward_ex(&module_registry, &pos)) {
...@@ -2083,7 +2122,7 @@ ZEND_API int zend_register_functions(zend_class_entry *scope, const zend_functio ...@@ -2083,7 +2122,7 @@ ZEND_API int zend_register_functions(zend_class_entry *scope, const zend_functio
} }
if (ptr->arg_info) { if (ptr->arg_info) {
zend_internal_function_info *info = (zend_internal_function_info*)ptr->arg_info; zend_internal_function_info *info = (zend_internal_function_info*)ptr->arg_info;
internal_function->arg_info = (zend_arg_info*)ptr->arg_info+1; internal_function->arg_info = (zend_arg_info*)ptr->arg_info+1;
internal_function->num_args = ptr->num_args; internal_function->num_args = ptr->num_args;
/* Currently you cannot denote that the function can accept less arguments than num_args */ /* Currently you cannot denote that the function can accept less arguments than num_args */
...@@ -2701,7 +2740,7 @@ static int zend_is_callable_check_class(const char *name, int name_len, zend_fca ...@@ -2701,7 +2740,7 @@ static int zend_is_callable_check_class(const char *name, int name_len, zend_fca
} }
ret = 1; ret = 1;
} }
} else if (name_len == sizeof("parent") - 1 && } else if (name_len == sizeof("parent") - 1 &&
!memcmp(lcname, "parent", sizeof("parent") - 1)) { !memcmp(lcname, "parent", sizeof("parent") - 1)) {
if (!EG(scope)) { if (!EG(scope)) {
if (error) *error = estrdup("cannot access parent:: when no class scope is active"); if (error) *error = estrdup("cannot access parent:: when no class scope is active");
...@@ -3030,7 +3069,7 @@ ZEND_API zend_bool zend_is_callable_ex(zval *callable, zval *object_ptr, uint ch ...@@ -3030,7 +3069,7 @@ ZEND_API zend_bool zend_is_callable_ex(zval *callable, zval *object_ptr, uint ch
if (error) { if (error) {
*error = NULL; *error = NULL;
} }
fcc->initialized = 0; fcc->initialized = 0;
fcc->calling_scope = NULL; fcc->calling_scope = NULL;
fcc->called_scope = NULL; fcc->called_scope = NULL;
...@@ -3042,7 +3081,7 @@ ZEND_API zend_bool zend_is_callable_ex(zval *callable, zval *object_ptr, uint ch ...@@ -3042,7 +3081,7 @@ ZEND_API zend_bool zend_is_callable_ex(zval *callable, zval *object_ptr, uint ch
object_ptr = NULL; object_ptr = NULL;
} }
if (object_ptr && if (object_ptr &&
(!EG(objects_store).object_buckets || (!EG(objects_store).object_buckets ||
!EG(objects_store).object_buckets[Z_OBJ_HANDLE_P(object_ptr)].valid)) { !EG(objects_store).object_buckets[Z_OBJ_HANDLE_P(object_ptr)].valid)) {
return 0; return 0;
} }
...@@ -3123,7 +3162,7 @@ ZEND_API zend_bool zend_is_callable_ex(zval *callable, zval *object_ptr, uint ch ...@@ -3123,7 +3162,7 @@ ZEND_API zend_bool zend_is_callable_ex(zval *callable, zval *object_ptr, uint ch
} }
} else { } else {
if (!EG(objects_store).object_buckets || if (!EG(objects_store).object_buckets ||
!EG(objects_store).object_buckets[Z_OBJ_HANDLE_PP(obj)].valid) { !EG(objects_store).object_buckets[Z_OBJ_HANDLE_PP(obj)].valid) {
return 0; return 0;
} }
...@@ -3192,7 +3231,7 @@ ZEND_API zend_bool zend_is_callable_ex(zval *callable, zval *object_ptr, uint ch ...@@ -3192,7 +3231,7 @@ ZEND_API zend_bool zend_is_callable_ex(zval *callable, zval *object_ptr, uint ch
*callable_name = emalloc(*callable_name_len + 1); *callable_name = emalloc(*callable_name_len + 1);
memcpy(*callable_name, ce->name, ce->name_length); memcpy(*callable_name, ce->name, ce->name_length);
memcpy((*callable_name) + ce->name_length, "::__invoke", sizeof("::__invoke")); memcpy((*callable_name) + ce->name_length, "::__invoke", sizeof("::__invoke"));
} }
return 1; return 1;
} }
/* break missing intentionally */ /* break missing intentionally */
......
...@@ -654,6 +654,20 @@ END_EXTERN_C() ...@@ -654,6 +654,20 @@ END_EXTERN_C()
} while (0) } while (0)
#define RETURN_ZVAL_FAST(z) { RETVAL_ZVAL_FAST(z); return; } #define RETURN_ZVAL_FAST(z) { RETVAL_ZVAL_FAST(z); return; }
/* Check that returned string length fits int */
#define RETVAL_STRINGL_CHECK(s, len, dup) do { \
size_t __len = (len); \
if (UNEXPECTED(__len > INT_MAX)) { \
php_error_docref(NULL TSRMLS_CC, E_WARNING, "String too long, max is %d", INT_MAX); \
if(!(dup)) { \
efree((s)); \
} \
RETURN_FALSE; \
} \
RETVAL_STRINGL((s), __len, (dup)); \
} while (0)
#define SET_VAR_STRING(n, v) { \ #define SET_VAR_STRING(n, v) { \
{ \ { \
zval *var; \ zval *var; \
......
...@@ -2578,6 +2578,15 @@ static inline size_t safe_address(size_t nmemb, size_t size, size_t offset) ...@@ -2578,6 +2578,15 @@ static inline size_t safe_address(size_t nmemb, size_t size, size_t offset)
#endif #endif
ZEND_API void *_safe_emalloc_string(size_t nmemb, size_t size, size_t offset ZEND_FILE_LINE_DC ZEND_FILE_LINE_ORIG_DC)
{
size_t str_size = safe_address(nmemb, size, offset);
if (UNEXPECTED(str_size > INT_MAX)) {
zend_error_noreturn(E_ERROR, "String allocation overflow, max size is %d", INT_MAX);
}
return emalloc_rel(str_size);
}
ZEND_API void *_safe_emalloc(size_t nmemb, size_t size, size_t offset ZEND_FILE_LINE_DC ZEND_FILE_LINE_ORIG_DC) ZEND_API void *_safe_emalloc(size_t nmemb, size_t size, size_t offset ZEND_FILE_LINE_DC ZEND_FILE_LINE_ORIG_DC)
{ {
return emalloc_rel(safe_address(nmemb, size, offset)); return emalloc_rel(safe_address(nmemb, size, offset));
......
...@@ -5,7 +5,7 @@ ...@@ -5,7 +5,7 @@
| Copyright (c) 1998-2016 Zend Technologies Ltd. (http://www.zend.com) | | Copyright (c) 1998-2016 Zend Technologies Ltd. (http://www.zend.com) |
+----------------------------------------------------------------------+ +----------------------------------------------------------------------+
| This source file is subject to version 2.00 of the Zend license, | | This source file is subject to version 2.00 of the Zend license, |
| that is bundled with this package in the file LICENSE, and is | | that is bundled with this package in the file LICENSE, and is |
| available through the world-wide-web at the following url: | | available through the world-wide-web at the following url: |
| http://www.zend.com/license/2_00.txt. | | http://www.zend.com/license/2_00.txt. |
| If you did not receive a copy of the Zend license and are unable to | | If you did not receive a copy of the Zend license and are unable to |
...@@ -56,6 +56,7 @@ ZEND_API char *zend_strndup(const char *s, unsigned int length) ZEND_ATTRIBUTE_M ...@@ -56,6 +56,7 @@ ZEND_API char *zend_strndup(const char *s, unsigned int length) ZEND_ATTRIBUTE_M
ZEND_API void *_emalloc(size_t size ZEND_FILE_LINE_DC ZEND_FILE_LINE_ORIG_DC) ZEND_ATTRIBUTE_MALLOC ZEND_ATTRIBUTE_ALLOC_SIZE(1); ZEND_API void *_emalloc(size_t size ZEND_FILE_LINE_DC ZEND_FILE_LINE_ORIG_DC) ZEND_ATTRIBUTE_MALLOC ZEND_ATTRIBUTE_ALLOC_SIZE(1);
ZEND_API void *_safe_emalloc(size_t nmemb, size_t size, size_t offset ZEND_FILE_LINE_DC ZEND_FILE_LINE_ORIG_DC) ZEND_ATTRIBUTE_MALLOC; ZEND_API void *_safe_emalloc(size_t nmemb, size_t size, size_t offset ZEND_FILE_LINE_DC ZEND_FILE_LINE_ORIG_DC) ZEND_ATTRIBUTE_MALLOC;
ZEND_API void *_safe_emalloc_string(size_t nmemb, size_t size, size_t offset ZEND_FILE_LINE_DC ZEND_FILE_LINE_ORIG_DC) ZEND_ATTRIBUTE_MALLOC;
ZEND_API void *_safe_malloc(size_t nmemb, size_t size, size_t offset) ZEND_ATTRIBUTE_MALLOC; ZEND_API void *_safe_malloc(size_t nmemb, size_t size, size_t offset) ZEND_ATTRIBUTE_MALLOC;
ZEND_API void _efree(void *ptr ZEND_FILE_LINE_DC ZEND_FILE_LINE_ORIG_DC); ZEND_API void _efree(void *ptr ZEND_FILE_LINE_DC ZEND_FILE_LINE_ORIG_DC);
ZEND_API void *_ecalloc(size_t nmemb, size_t size ZEND_FILE_LINE_DC ZEND_FILE_LINE_ORIG_DC) ZEND_ATTRIBUTE_MALLOC ZEND_ATTRIBUTE_ALLOC_SIZE2(1,2); ZEND_API void *_ecalloc(size_t nmemb, size_t size ZEND_FILE_LINE_DC ZEND_FILE_LINE_ORIG_DC) ZEND_ATTRIBUTE_MALLOC ZEND_ATTRIBUTE_ALLOC_SIZE2(1,2);
...@@ -69,6 +70,7 @@ ZEND_API size_t _zend_mem_block_size(void *ptr TSRMLS_DC ZEND_FILE_LINE_DC ZEND_ ...@@ -69,6 +70,7 @@ ZEND_API size_t _zend_mem_block_size(void *ptr TSRMLS_DC ZEND_FILE_LINE_DC ZEND_
/* Standard wrapper macros */ /* Standard wrapper macros */
#define emalloc(size) _emalloc((size) ZEND_FILE_LINE_CC ZEND_FILE_LINE_EMPTY_CC) #define emalloc(size) _emalloc((size) ZEND_FILE_LINE_CC ZEND_FILE_LINE_EMPTY_CC)
#define safe_emalloc(nmemb, size, offset) _safe_emalloc((nmemb), (size), (offset) ZEND_FILE_LINE_CC ZEND_FILE_LINE_EMPTY_CC) #define safe_emalloc(nmemb, size, offset) _safe_emalloc((nmemb), (size), (offset) ZEND_FILE_LINE_CC ZEND_FILE_LINE_EMPTY_CC)
#define safe_emalloc_string(nmemb, size, offset) _safe_emalloc_string((nmemb), (size), (offset) ZEND_FILE_LINE_CC ZEND_FILE_LINE_EMPTY_CC)
#define efree(ptr) _efree((ptr) ZEND_FILE_LINE_CC ZEND_FILE_LINE_EMPTY_CC) #define efree(ptr) _efree((ptr) ZEND_FILE_LINE_CC ZEND_FILE_LINE_EMPTY_CC)
#define ecalloc(nmemb, size) _ecalloc((nmemb), (size) ZEND_FILE_LINE_CC ZEND_FILE_LINE_EMPTY_CC) #define ecalloc(nmemb, size) _ecalloc((nmemb), (size) ZEND_FILE_LINE_CC ZEND_FILE_LINE_EMPTY_CC)
#define erealloc(ptr, size) _erealloc((ptr), (size), 0 ZEND_FILE_LINE_CC ZEND_FILE_LINE_EMPTY_CC) #define erealloc(ptr, size) _erealloc((ptr), (size), 0 ZEND_FILE_LINE_CC ZEND_FILE_LINE_EMPTY_CC)
......
...@@ -522,9 +522,7 @@ static void zend_assign_to_variable_reference(zval **variable_ptr_ptr, zval **va ...@@ -522,9 +522,7 @@ static void zend_assign_to_variable_reference(zval **variable_ptr_ptr, zval **va
zval *variable_ptr = *variable_ptr_ptr; zval *variable_ptr = *variable_ptr_ptr;
zval *value_ptr = *value_ptr_ptr; zval *value_ptr = *value_ptr_ptr;
if (variable_ptr == &EG(error_zval) || value_ptr == &EG(error_zval)) { if (variable_ptr != value_ptr) {
variable_ptr_ptr = &EG(uninitialized_zval_ptr);
} else if (variable_ptr != value_ptr) {
if (!PZVAL_IS_REF(value_ptr)) { if (!PZVAL_IS_REF(value_ptr)) {
/* break it away */ /* break it away */
Z_DELREF_P(value_ptr); Z_DELREF_P(value_ptr);
......
...@@ -215,7 +215,7 @@ ZEND_API void zend_objects_store_del_ref_by_handle_ex(zend_object_handle handle, ...@@ -215,7 +215,7 @@ ZEND_API void zend_objects_store_del_ref_by_handle_ex(zend_object_handle handle,
} zend_end_try(); } zend_end_try();
} }
} }
/* re-read the object from the object store as the store might have been reallocated in the dtor */ /* re-read the object from the object store as the store might have been reallocated in the dtor */
obj = &EG(objects_store).object_buckets[handle].bucket.obj; obj = &EG(objects_store).object_buckets[handle].bucket.obj;
...@@ -306,8 +306,8 @@ ZEND_API void zend_object_store_ctor_failed(zval *zobject TSRMLS_DC) ...@@ -306,8 +306,8 @@ ZEND_API void zend_object_store_ctor_failed(zval *zobject TSRMLS_DC)
{ {
zend_object_handle handle = Z_OBJ_HANDLE_P(zobject); zend_object_handle handle = Z_OBJ_HANDLE_P(zobject);
zend_object_store_bucket *obj_bucket = &EG(objects_store).object_buckets[handle]; zend_object_store_bucket *obj_bucket = &EG(objects_store).object_buckets[handle];
obj_bucket->bucket.obj.handlers = Z_OBJ_HT_P(zobject);; obj_bucket->bucket.obj.handlers = Z_OBJ_HT_P(zobject);
obj_bucket->destructor_called = 1; obj_bucket->destructor_called = 1;
} }
......
...@@ -1817,11 +1817,14 @@ ZEND_VM_HANDLER(39, ZEND_ASSIGN_REF, VAR|CV, VAR|CV) ...@@ -1817,11 +1817,14 @@ ZEND_VM_HANDLER(39, ZEND_ASSIGN_REF, VAR|CV, VAR|CV)
if ((OP2_TYPE == IS_VAR && UNEXPECTED(value_ptr_ptr == NULL)) || if ((OP2_TYPE == IS_VAR && UNEXPECTED(value_ptr_ptr == NULL)) ||
(OP1_TYPE == IS_VAR && UNEXPECTED(variable_ptr_ptr == NULL))) { (OP1_TYPE == IS_VAR && UNEXPECTED(variable_ptr_ptr == NULL))) {
zend_error_noreturn(E_ERROR, "Cannot create references to/from string offsets nor overloaded objects"); zend_error_noreturn(E_ERROR, "Cannot create references to/from string offsets nor overloaded objects");
} } else if ((OP2_TYPE == IS_VAR && UNEXPECTED(*value_ptr_ptr == &EG(error_zval))) ||
zend_assign_to_variable_reference(variable_ptr_ptr, value_ptr_ptr TSRMLS_CC); (OP1_TYPE == IS_VAR && UNEXPECTED(*variable_ptr_ptr == &EG(error_zval)))) {
variable_ptr_ptr = &EG(uninitialized_zval_ptr);
if (OP2_TYPE == IS_VAR && opline->extended_value == ZEND_RETURNS_NEW) { } else {
Z_DELREF_PP(variable_ptr_ptr); zend_assign_to_variable_reference(variable_ptr_ptr, value_ptr_ptr TSRMLS_CC);
if (OP2_TYPE == IS_VAR && opline->extended_value == ZEND_RETURNS_NEW) {
Z_DELREF_PP(variable_ptr_ptr);
}
} }
if (RETURN_VALUE_USED(opline)) { if (RETURN_VALUE_USED(opline)) {
......
...@@ -20408,11 +20408,14 @@ static int ZEND_FASTCALL ZEND_ASSIGN_REF_SPEC_VAR_VAR_HANDLER(ZEND_OPCODE_HANDL ...@@ -20408,11 +20408,14 @@ static int ZEND_FASTCALL ZEND_ASSIGN_REF_SPEC_VAR_VAR_HANDLER(ZEND_OPCODE_HANDL
if ((IS_VAR == IS_VAR && UNEXPECTED(value_ptr_ptr == NULL)) || if ((IS_VAR == IS_VAR && UNEXPECTED(value_ptr_ptr == NULL)) ||
(IS_VAR == IS_VAR && UNEXPECTED(variable_ptr_ptr == NULL))) { (IS_VAR == IS_VAR && UNEXPECTED(variable_ptr_ptr == NULL))) {
zend_error_noreturn(E_ERROR, "Cannot create references to/from string offsets nor overloaded objects"); zend_error_noreturn(E_ERROR, "Cannot create references to/from string offsets nor overloaded objects");
} } else if ((IS_VAR == IS_VAR && UNEXPECTED(*value_ptr_ptr == &EG(error_zval))) ||
zend_assign_to_variable_reference(variable_ptr_ptr, value_ptr_ptr TSRMLS_CC); (IS_VAR == IS_VAR && UNEXPECTED(*variable_ptr_ptr == &EG(error_zval)))) {
variable_ptr_ptr = &EG(uninitialized_zval_ptr);
if (IS_VAR == IS_VAR && opline->extended_value == ZEND_RETURNS_NEW) { } else {
Z_DELREF_PP(variable_ptr_ptr); zend_assign_to_variable_reference(variable_ptr_ptr, value_ptr_ptr TSRMLS_CC);
if (IS_VAR == IS_VAR && opline->extended_value == ZEND_RETURNS_NEW) {
Z_DELREF_PP(variable_ptr_ptr);
}
} }
if (RETURN_VALUE_USED(opline)) { if (RETURN_VALUE_USED(opline)) {
...@@ -23903,11 +23906,14 @@ static int ZEND_FASTCALL ZEND_ASSIGN_REF_SPEC_VAR_CV_HANDLER(ZEND_OPCODE_HANDLE ...@@ -23903,11 +23906,14 @@ static int ZEND_FASTCALL ZEND_ASSIGN_REF_SPEC_VAR_CV_HANDLER(ZEND_OPCODE_HANDLE
if ((IS_CV == IS_VAR && UNEXPECTED(value_ptr_ptr == NULL)) || if ((IS_CV == IS_VAR && UNEXPECTED(value_ptr_ptr == NULL)) ||
(IS_VAR == IS_VAR && UNEXPECTED(variable_ptr_ptr == NULL))) { (IS_VAR == IS_VAR && UNEXPECTED(variable_ptr_ptr == NULL))) {
zend_error_noreturn(E_ERROR, "Cannot create references to/from string offsets nor overloaded objects"); zend_error_noreturn(E_ERROR, "Cannot create references to/from string offsets nor overloaded objects");
} } else if ((IS_CV == IS_VAR && UNEXPECTED(*value_ptr_ptr == &EG(error_zval))) ||
zend_assign_to_variable_reference(variable_ptr_ptr, value_ptr_ptr TSRMLS_CC); (IS_VAR == IS_VAR && UNEXPECTED(*variable_ptr_ptr == &EG(error_zval)))) {
variable_ptr_ptr = &EG(uninitialized_zval_ptr);
if (IS_CV == IS_VAR && opline->extended_value == ZEND_RETURNS_NEW) { } else {
Z_DELREF_PP(variable_ptr_ptr); zend_assign_to_variable_reference(variable_ptr_ptr, value_ptr_ptr TSRMLS_CC);
if (IS_CV == IS_VAR && opline->extended_value == ZEND_RETURNS_NEW) {
Z_DELREF_PP(variable_ptr_ptr);
}
} }
if (RETURN_VALUE_USED(opline)) { if (RETURN_VALUE_USED(opline)) {
...@@ -37721,11 +37727,14 @@ static int ZEND_FASTCALL ZEND_ASSIGN_REF_SPEC_CV_VAR_HANDLER(ZEND_OPCODE_HANDLE ...@@ -37721,11 +37727,14 @@ static int ZEND_FASTCALL ZEND_ASSIGN_REF_SPEC_CV_VAR_HANDLER(ZEND_OPCODE_HANDLE
if ((IS_VAR == IS_VAR && UNEXPECTED(value_ptr_ptr == NULL)) || if ((IS_VAR == IS_VAR && UNEXPECTED(value_ptr_ptr == NULL)) ||
(IS_CV == IS_VAR && UNEXPECTED(variable_ptr_ptr == NULL))) { (IS_CV == IS_VAR && UNEXPECTED(variable_ptr_ptr == NULL))) {
zend_error_noreturn(E_ERROR, "Cannot create references to/from string offsets nor overloaded objects"); zend_error_noreturn(E_ERROR, "Cannot create references to/from string offsets nor overloaded objects");
} } else if ((IS_VAR == IS_VAR && UNEXPECTED(*value_ptr_ptr == &EG(error_zval))) ||
zend_assign_to_variable_reference(variable_ptr_ptr, value_ptr_ptr TSRMLS_CC); (IS_CV == IS_VAR && UNEXPECTED(*variable_ptr_ptr == &EG(error_zval)))) {
variable_ptr_ptr = &EG(uninitialized_zval_ptr);
if (IS_VAR == IS_VAR && opline->extended_value == ZEND_RETURNS_NEW) { } else {
Z_DELREF_PP(variable_ptr_ptr); zend_assign_to_variable_reference(variable_ptr_ptr, value_ptr_ptr TSRMLS_CC);
if (IS_VAR == IS_VAR && opline->extended_value == ZEND_RETURNS_NEW) {
Z_DELREF_PP(variable_ptr_ptr);
}
} }
if (RETURN_VALUE_USED(opline)) { if (RETURN_VALUE_USED(opline)) {
...@@ -40929,11 +40938,14 @@ static int ZEND_FASTCALL ZEND_ASSIGN_REF_SPEC_CV_CV_HANDLER(ZEND_OPCODE_HANDLER ...@@ -40929,11 +40938,14 @@ static int ZEND_FASTCALL ZEND_ASSIGN_REF_SPEC_CV_CV_HANDLER(ZEND_OPCODE_HANDLER
if ((IS_CV == IS_VAR && UNEXPECTED(value_ptr_ptr == NULL)) || if ((IS_CV == IS_VAR && UNEXPECTED(value_ptr_ptr == NULL)) ||
(IS_CV == IS_VAR && UNEXPECTED(variable_ptr_ptr == NULL))) { (IS_CV == IS_VAR && UNEXPECTED(variable_ptr_ptr == NULL))) {
zend_error_noreturn(E_ERROR, "Cannot create references to/from string offsets nor overloaded objects"); zend_error_noreturn(E_ERROR, "Cannot create references to/from string offsets nor overloaded objects");
} } else if ((IS_CV == IS_VAR && UNEXPECTED(*value_ptr_ptr == &EG(error_zval))) ||
zend_assign_to_variable_reference(variable_ptr_ptr, value_ptr_ptr TSRMLS_CC); (IS_CV == IS_VAR && UNEXPECTED(*variable_ptr_ptr == &EG(error_zval)))) {
variable_ptr_ptr = &EG(uninitialized_zval_ptr);
if (IS_CV == IS_VAR && opline->extended_value == ZEND_RETURNS_NEW) { } else {
Z_DELREF_PP(variable_ptr_ptr); zend_assign_to_variable_reference(variable_ptr_ptr, value_ptr_ptr TSRMLS_CC);
if (IS_CV == IS_VAR && opline->extended_value == ZEND_RETURNS_NEW) {
Z_DELREF_PP(variable_ptr_ptr);
}
} }
if (RETURN_VALUE_USED(opline)) { if (RETURN_VALUE_USED(opline)) {
...@@ -3672,7 +3672,7 @@ ac_config_headers="$ac_config_headers main/php_config.h" ...@@ -3672,7 +3672,7 @@ ac_config_headers="$ac_config_headers main/php_config.h"
PHP_MAJOR_VERSION=5 PHP_MAJOR_VERSION=5
PHP_MINOR_VERSION=6 PHP_MINOR_VERSION=6
PHP_RELEASE_VERSION=25 PHP_RELEASE_VERSION=26
PHP_EXTRA_VERSION="" PHP_EXTRA_VERSION=""
PHP_VERSION="$PHP_MAJOR_VERSION.$PHP_MINOR_VERSION.$PHP_RELEASE_VERSION$PHP_EXTRA_VERSION" PHP_VERSION="$PHP_MAJOR_VERSION.$PHP_MINOR_VERSION.$PHP_RELEASE_VERSION$PHP_EXTRA_VERSION"
PHP_VERSION_ID=`expr $PHP_MAJOR_VERSION \* 10000 + $PHP_MINOR_VERSION \* 100 + $PHP_RELEASE_VERSION` PHP_VERSION_ID=`expr $PHP_MAJOR_VERSION \* 10000 + $PHP_MINOR_VERSION \* 100 + $PHP_RELEASE_VERSION`
...@@ -103047,6 +103047,9 @@ cat >>confdefs.h <<_ACEOF ...@@ -103047,6 +103047,9 @@ cat >>confdefs.h <<_ACEOF
_ACEOF _ACEOF
if test "$ac_cv_sizeof_off_t" = "0" ; then
as_fn_error $? "off_t undefined; check your library configuration" "$LINENO" 5
fi
# The cast to long int works around a bug in the HP C Compiler # The cast to long int works around a bug in the HP C Compiler
# version HP92453-01 B.11.11.23709.GP, which incorrectly rejects # version HP92453-01 B.11.11.23709.GP, which incorrectly rejects
# declarations like `int a3[[(sizeof (unsigned char)) >= 0]];'. # declarations like `int a3[[(sizeof (unsigned char)) >= 0]];'.
...@@ -105733,7 +105736,7 @@ else ...@@ -105733,7 +105736,7 @@ else
lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2 lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
lt_status=$lt_dlunknown lt_status=$lt_dlunknown
cat > conftest.$ac_ext <<EOF cat > conftest.$ac_ext <<EOF
#line 105736 "configure" #line 105739 "configure"
#include "confdefs.h" #include "confdefs.h"
#if HAVE_DLFCN_H #if HAVE_DLFCN_H
...@@ -107645,7 +107648,7 @@ ia64-*-hpux*) ...@@ -107645,7 +107648,7 @@ ia64-*-hpux*)
;; ;;
*-*-irix6*) *-*-irix6*)
# Find out which ABI we are using. # Find out which ABI we are using.
echo '#line 107648 "configure"' > conftest.$ac_ext echo '#line 107651 "configure"' > conftest.$ac_ext
if { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$ac_compile\""; } >&5 if { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$ac_compile\""; } >&5
(eval $ac_compile) 2>&5 (eval $ac_compile) 2>&5
ac_status=$? ac_status=$?
...@@ -109043,7 +109046,7 @@ else ...@@ -109043,7 +109046,7 @@ else
LDFLAGS="$LDFLAGS -Wl,-exported_symbols_list,conftest.sym" LDFLAGS="$LDFLAGS -Wl,-exported_symbols_list,conftest.sym"
cat > conftest.$ac_ext <<EOF cat > conftest.$ac_ext <<EOF
#line 109046 "configure" #line 109049 "configure"
#include "confdefs.h" #include "confdefs.h"
int main() { int main() {
; return 0; } ; return 0; }
...@@ -109201,11 +109204,11 @@ else ...@@ -109201,11 +109204,11 @@ else
-e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
-e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-e 's:$: $lt_compiler_flag:'` -e 's:$: $lt_compiler_flag:'`
(eval echo "\"configure:109204: $lt_compile\"" >&5) (eval echo "\"configure:109207: $lt_compile\"" >&5)
(eval "$lt_compile" 2>conftest.err) (eval "$lt_compile" 2>conftest.err)
ac_status=$? ac_status=$?
cat conftest.err >&5 cat conftest.err >&5
echo "configure:109208: \$? = $ac_status" >&5 echo "configure:109211: \$? = $ac_status" >&5
if (exit $ac_status) && test -s "$ac_outfile"; then if (exit $ac_status) && test -s "$ac_outfile"; then
# The compiler can only warn and ignore the option if not recognized