File: 0051-Fix-PHP-bug-64827-Segfault-in-zval_mark_grey-zend_gc.patch

From: =?utf-8?q?Ond=C5=99ej_Sur=C3=BD?= <ondrej@sury.org>
Date: Sat, 8 Apr 2017 10:40:20 +0200
Subject: Fix PHP bug #64827: Segfault in zval_mark_grey (zend_gc.c)

---
 Zend/zend_gc.c | 84 +++++++++++++++++++++++++++++++++++++++++-----------------
 1 file changed, 59 insertions(+), 25 deletions(-)

diff --git a/Zend/zend_gc.c b/Zend/zend_gc.c
index e72655c..e7c5098 100644
--- a/Zend/zend_gc.c
+++ b/Zend/zend_gc.c
@@ -310,16 +310,25 @@ tail_call:
 		}
 	}
 	while (p != NULL) {
-		pz = *(zval**)p->pData;
-		if (Z_TYPE_P(pz) != IS_ARRAY || Z_ARRVAL_P(pz) != &EG(symbol_table)) {
-			pz->refcount__gc++;
-		}
-		if (GC_ZVAL_GET_COLOR(pz) != GC_BLACK) {
-			if (p->pListNext == NULL) {
-				goto tail_call;
+		if (p->pData != NULL) {
+			pz = *(zval**)p->pData;
+			if (pz != NULL) {
+				if (Z_TYPE_P(pz) != IS_ARRAY || Z_ARRVAL_P(pz) != &EG(symbol_table)) {
+					pz->refcount__gc++;
+				}
+				if (GC_ZVAL_GET_COLOR(pz) != GC_BLACK) {
+					if (p->pListNext == NULL) {
+						goto tail_call;
+					} else {
+						zval_scan_black(pz TSRMLS_CC);
+					}
+				}
 			} else {
-				zval_scan_black(pz TSRMLS_CC);
+				/* Now this is really odd ... we've got a p->pData which references a NULL pointer */
 			}
+		} else {
+			/* shall we log something when encountering a p->pData == NULL */
+		
 		}
 		p = p->pListNext;
 	}
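Review bot: The new `if (p->pData != NULL)` and `if (pz != NULL)` guards turn a corrupted bucket into a silent skip: both `else` branches hold only a comment, so a zval the bucket was supposed to reference is neither refcount-adjusted nor reported, and nothing in the patch explains why a live HashTable bucket could legitimately hold a NULL `pData` or point at a NULL zval. A NULL here is far more likely a sign that the memory was already freed or overwritten than a state the collector should tolerate, so the empty branches should at least record the invariant rather than a question, e.g. `/* Invariant violation: a live bucket must reference a zval; treat as corrupted and skip (fails a debug-build assertion) */`, and a debug-build assertion would let the root cause surface instead of being masked. The same empty placeholder branches appear in the zobj_scan_black, zval_mark_grey and zobj_mark_grey hunks below, and should be handled the same way in all four. Separately, the added line after the second comment is whitespace-only and should be dropped. zval_scan_black's body starts outside this hunk.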
@@ -353,12 +362,20 @@ static void zobj_scan_black(struct _store_object *obj, zval *pz TSRMLS_DC)
 		}
 		p = props->pListHead;
 		while (p != NULL) {
-			pz = *(zval**)p->pData;
-			if (Z_TYPE_P(pz) != IS_ARRAY || Z_ARRVAL_P(pz) != &EG(symbol_table)) {
-				pz->refcount__gc++;
-			}
-			if (GC_ZVAL_GET_COLOR(pz) != GC_BLACK) {
-				zval_scan_black(pz TSRMLS_CC);
+			if (p->pData != NULL) {
+				pz = *(zval**)p->pData;
+				if (pz != NULL) {
+					if (Z_TYPE_P(pz) != IS_ARRAY || Z_ARRVAL_P(pz) != &EG(symbol_table)) {
+						pz->refcount__gc++;
+					}
+					if (GC_ZVAL_GET_COLOR(pz) != GC_BLACK) {
+						zval_scan_black(pz TSRMLS_CC);
+					}
+				} else {
+					/* pz is NULL - maybe there should be some logging? */
+				}
+			} else {
+				/* p->pData is NULL - maybe there should be some logging? */
 			}
 			p = p->pListNext;
 		}
@@ -417,14 +434,23 @@ tail_call:
 			}
 		}
 		while (p != NULL) {
-			pz = *(zval**)p->pData;
-			if (Z_TYPE_P(pz) != IS_ARRAY || Z_ARRVAL_P(pz) != &EG(symbol_table)) {
-				pz->refcount__gc--;
-			}
-			if (p->pListNext == NULL) {
-				goto tail_call;
+			if (p->pData != NULL) {
+				pz = *(zval**)p->pData;
+				if (pz != NULL) {
+					if (Z_TYPE_P(pz) != IS_ARRAY || Z_ARRVAL_P(pz) != &EG(symbol_table)) {
+						pz->refcount__gc--;
+					}
+					if (p->pListNext == NULL) {
+						goto tail_call;
+					} else {
+						zval_mark_grey(pz TSRMLS_CC);
+					}
+				} else {
+					/* Now this is odd - we have a valid pz and a pData which is NULL */
+				
+				}
 			} else {
-				zval_mark_grey(pz TSRMLS_CC);
+				/* Some logging maybe? p->pData is NULL */
 			}
 			p = p->pListNext;
 		}
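Review bot: The comment in the inner `else` branch describes the opposite of the condition it sits in: that branch is reached when `p->pData != NULL` and `pz == NULL`, so "we have a valid pz and a pData which is NULL" is inverted and will mislead the next reader; replace it with `/* p->pData is non-NULL but the zval it points to is NULL */`. The line that follows the comment is whitespace-only and should be removed. Note also that this is the decrement pass paired with the increment pass in zval_scan_black; if the two passes ever observe a bucket differently, the skip-without-adjusting behaviour leaves the refcount unbalanced, which is worth stating in the comment. zval_mark_grey's body begins before this hunk.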
@@ -459,11 +485,19 @@ static void zobj_mark_grey(struct _store_object *obj, zval *pz TSRMLS_DC)
 			}
 			p = props->pListHead;
 			while (p != NULL) {
-				pz = *(zval**)p->pData;
-				if (Z_TYPE_P(pz) != IS_ARRAY || Z_ARRVAL_P(pz) != &EG(symbol_table)) {
-					pz->refcount__gc--;
+				if (p->pData != NULL) {
+					pz = *(zval**)p->pData;
+					if (pz != NULL) {
+						if (Z_TYPE_P(pz) != IS_ARRAY || Z_ARRVAL_P(pz) != &EG(symbol_table)) {
+							pz->refcount__gc--;
+						}
+						zval_mark_grey(pz TSRMLS_CC);
+					} else {
+						/* TODO: Some logging maybe? */
+					}
+				} else {
+					/* TODO: Some logging maybe? */
 				}
-				zval_mark_grey(pz TSRMLS_CC);
 				p = p->pListNext;
 			}
 		}