blob: a1f4323f94ea6f409d8736025d475aa52e07f00c (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
|
From 3c87945c95c9c31986e690bb046c70e58c8d8896 Mon Sep 17 00:00:00 2001
From: Xinchen Hui <laruence@php.net>
Date: Wed, 5 Jun 2013 17:25:00 +0800
Subject: [PATCH] Fixed bug #64960 (Segfault in gc_zval_possible_root)
---
NEWS | 2 ++
Zend/tests/bug64960.phpt | 40 ++++++++++++++++++++++++++++++++++++++++
Zend/zend_execute_API.c | 6 ++----
3 files changed, 44 insertions(+), 4 deletions(-)
create mode 100644 Zend/tests/bug64960.phpt
diff --git a/Zend/tests/bug64960.phpt b/Zend/tests/bug64960.phpt
new file mode 100644
index 0000000..b31cca3
--- /dev/null
+++ b/Zend/tests/bug64960.phpt
@@ -0,0 +1,40 @@
+--TEST--
+Bug #64960 (Segfault in gc_zval_possible_root)
+--FILE--
+<?php
+// this makes ob_end_clean raise an error
+ob_end_flush();
+
+class ExceptionHandler {
+ public function __invoke (Exception $e)
+ {
+ // this triggers the custom error handler
+ ob_end_clean();
+ }
+}
+
+// this must be a class, closure does not trigger segfault
+set_exception_handler(new ExceptionHandler());
+
+// exception must be throwed from error handler.
+set_error_handler(function()
+{
+ $e = new Exception;
+ $e->_trace = debug_backtrace();
+
+ throw $e;
+});
+
+// trigger error handler
+$a['waa'];
+?>
+--EXPECTF--
+Notice: ob_end_flush(): failed to delete and flush buffer. No buffer to delete or flush in %sbug64960.php on line 3
+
+Fatal error: Uncaught exception 'Exception' in %sbug64960.php:19
+Stack trace:
+#0 [internal function]: {closure}(8, 'ob_end_clean():...', '%s', 9, Array)
+#1 %sbug64960.php(9): ob_end_clean()
+#2 [internal function]: ExceptionHandler->__invoke(Object(Exception))
+#3 {main}
+ thrown in %sbug64960.php on line 19
diff --git a/Zend/zend_execute_API.c b/Zend/zend_execute_API.c
index 9781889..687520d 100644
--- a/Zend/zend_execute_API.c
+++ b/Zend/zend_execute_API.c
@@ -263,15 +263,13 @@ void shutdown_executor(TSRMLS_D) /* {{{ */
if (EG(user_error_handler)) {
zeh = EG(user_error_handler);
EG(user_error_handler) = NULL;
- zval_dtor(zeh);
- FREE_ZVAL(zeh);
+ zval_ptr_dtor(&zeh);
}
if (EG(user_exception_handler)) {
zeh = EG(user_exception_handler);
EG(user_exception_handler) = NULL;
- zval_dtor(zeh);
- FREE_ZVAL(zeh);
+ zval_ptr_dtor(&zeh);
}
zend_stack_destroy(&EG(user_error_handlers_error_reporting));
--
1.7.11.5
|
