author | Remi Collet <remi@remirepo.net> | 2019-03-15 15:46:43 +0100 |
---|---|---|
committer | Remi Collet <remi@remirepo.net> | 2019-03-15 15:46:43 +0100 |
commit | d4b35588f862a753d994f613c512886a6e9cb345 (patch) | |
tree | 81935a7ab53394b2f62607e67d160dcd637f3280 | |
parent | 302af801d838b666dfc9fffd851c630e1e18b61e (diff) |
Fix #76846 Segfault in shutdown function after memory limit error
-rw-r--r-- | php-bug76846.patch | 82 | ||||
-rw-r--r-- | php.spec | 14 |
2 files changed, 93 insertions, 3 deletions
diff --git a/php-bug76846.patch b/php-bug76846.patch
new file mode 100644
index 0000000..811de97
--- /dev/null
+++ b/php-bug76846.patch
@@ -0,0 +1,82 @@
+From 45cdcb2d0be89fe7bc404dd150240ec83f5de401 Mon Sep 17 00:00:00 2001
+From: Nikita Popov <nikita.ppv@gmail.com>
+Date: Fri, 28 Sep 2018 12:56:47 +0200
+Subject: [PATCH] Fixed bug #76846
+
+---
+ NEWS | 2 ++
+ Zend/tests/bug76846.phpt | 27 +++++++++++++++++++++++++++
+ Zend/zend_objects_API.c | 6 ++++--
+ 3 files changed, 33 insertions(+), 2 deletions(-)
+ create mode 100644 Zend/tests/bug76846.phpt
+
+diff --git a/Zend/tests/bug76846.phpt b/Zend/tests/bug76846.phpt
+new file mode 100644
+index 000000000000..c167a8bb789f
+--- /dev/null
++++ b/Zend/tests/bug76846.phpt
+@@ -0,0 +1,27 @@
++--TEST--
++Bug #76846: Segfault in shutdown function after memory limit error
++--INI--
++memory_limit=33M
++--SKIPIF--
++<?php
++$zend_mm_enabled = getenv("USE_ZEND_ALLOC");
++if ($zend_mm_enabled === "0") {
++ die("skip Zend MM disabled");
++}
++?>
++--FILE--
++<?php
++
++register_shutdown_function(function() {
++ new stdClass;
++});
++
++$ary = [];
++while (true) {
++ $ary[] = new stdClass;
++}
++
++?>
++--EXPECTF--
++Fatal error: Allowed memory size of %d bytes exhausted at %s:%d (tried to allocate %d bytes) in %s on line %d
++%A
+diff --git a/Zend/zend_objects_API.c b/Zend/zend_objects_API.c
+index 54d8d51456d8..cbb637c54907 100644
+--- a/Zend/zend_objects_API.c
++++ b/Zend/zend_objects_API.c
+@@ -116,8 +116,10 @@ ZEND_API void zend_objects_store_put(zend_object *object)
+ EG(objects_store).free_list_head = GET_OBJ_BUCKET_NUMBER(EG(objects_store).object_buckets[handle]);
+ } else {
+ if (EG(objects_store).top == EG(objects_store).size) {
+- EG(objects_store).size <<= 1;
+- EG(objects_store).object_buckets = (zend_object **) erealloc(EG(objects_store).object_buckets, EG(objects_store).size * sizeof(zend_object*));
++ uint32_t new_size = 2 * EG(objects_store).size;
++ EG(objects_store).object_buckets = (zend_object **) erealloc(EG(objects_store).object_buckets, new_size * sizeof(zend_object*));
++ /* Assign size after realloc, in case it fails */
++ 
EG(objects_store).size = new_size; + } + handle = EG(objects_store).top++; + } +From fa84b8ebb4ab14ca841d7e479865548dadc5eb88 Mon Sep 17 00:00:00 2001 +From: Nikita Popov <nikita.ppv@gmail.com> +Date: Fri, 28 Sep 2018 13:39:43 +0200 +Subject: [PATCH] Fix test for release builds + +--- + Zend/tests/bug76846.phpt | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/Zend/tests/bug76846.phpt b/Zend/tests/bug76846.phpt +index c167a8bb789f..fbef2010338c 100644 +--- a/Zend/tests/bug76846.phpt ++++ b/Zend/tests/bug76846.phpt +@@ -23,5 +23,4 @@ while (true) { + + ?> + --EXPECTF-- +-Fatal error: Allowed memory size of %d bytes exhausted at %s:%d (tried to allocate %d bytes) in %s on line %d +-%A ++Fatal error: Allowed memory size of %d bytes exhausted%s(tried to allocate %d bytes) in %s on line %d%A @@ -131,7 +131,7 @@ Summary: PHP scripting language for creating dynamic web sites Name: %{?scl_prefix}php Version: %{upver}%{?rcver:~%{rcver}} -Release: 5%{?dist} +Release: 6%{?dist} # All files licensed under PHP version 3.01, except # Zend is licensed under Zend # TSRM is licensed under BSD @@ -193,6 +193,7 @@ Patch91: php-5.6.3-oci8conf.patch Patch100: https://github.com/php/php-src/commit/be50a72715c141befe6f34ece660745da894aaf3.patch Patch101: https://github.com/php/php-src/commit/2ef8809ef3beb5f58b81dcff49bdcde4d2cb8426.patch Patch102: php-openssl-cert.patch +Patch103: php-bug76846.patch # Security fixes (200+) Patch200: php-bug77242.patch @@ -924,7 +925,7 @@ support for JavaScript Object Notation (JSON) to PHP. %endif %patch40 -p1 -b .dlopen -%if 0%{?fedora} >= 25 || 0%{?rhel} >= 6 +%if 0%{?fedora} >= 28 || 0%{?rhel} >= 6 %patch42 -p1 -b .systzdata %endif %patch43 -p1 -b .headers @@ -940,6 +941,7 @@ support for JavaScript Object Notation (JSON) to PHP. %patch100 -p1 -b .up1 %patch101 -p1 -b .up2 %patch102 -p1 -b .up3 +%patch103 -p1 -b .bug76846 # security patches %patch200 -p1 -b .bug77242 
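Review bot: In the embedded `Zend/zend_objects_API.c` hunk, `new_size` is computed as `2 * EG(objects_store).size` in a `uint32_t` and then multiplied by `sizeof(zend_object*)` with no overflow check; the patch fixes the stale `size` left behind by a failed `erealloc`, but the growth arithmetic itself stays unchecked. Zend's `safe_erealloc` does the multiplication with an overflow check: `EG(objects_store).object_buckets = (zend_object **) safe_erealloc(EG(objects_store).object_buckets, new_size, sizeof(zend_object*), 0);`. Whether the store can approach 2^31 entries depends on limits outside this hunk, so this is hardening rather than a demonstrated fault. The added comment could state the reason more fully, e.g. `/* erealloc() may bail out on memory_limit; keep size matching the old buffer for code that runs afterwards (shutdown functions) */`. `zend_objects_store_put` starts and ends outside the hunk.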
@@ -998,6 +1000,9 @@ mkdir \ rm ext/date/tests/timezone_location_get.phpt rm ext/date/tests/timezone_version_get.phpt rm ext/date/tests/timezone_version_get_basic1.phpt +rm ext/date/tests/bug33414-1.phpt +rm ext/date/tests/bug33415-2.phpt +rm ext/date/tests/date_modify-1.phpt # fails sometime rm ext/sockets/tests/mcast_ipv?_recv.phpt # Should be skipped but fails sometime @@ -1172,7 +1177,7 @@ ln -sf ../configure --with-layout=GNU \ --with-kerberos \ --with-libxml-dir=%{_root_prefix} \ -%if 0%{?fedora} >= 25 || 0%{?rhel} >= 6 +%if 0%{?fedora} >= 28 || 0%{?rhel} >= 6 --with-system-tzdata \ %endif --with-mhash \ @@ -1908,6 +1913,9 @@ EOF %changelog +* Fri Mar 15 2019 Remi Collet <remi@remirepo.net> - 7.0.33-6 +- Fix #76846 Segfault in shutdown function after memory limit error + * Tue Mar 5 2019 Remi Collet <remi@remirepo.net> - 7.0.33-5 - Fix #77630 rename() across the device may allow unwanted access during processing |
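Review bot: The three added `rm ext/date/tests/...` lines give no reason for dropping the tests, and the changelog entry added in the last hunk records only #76846. The same applies to raising the Fedora floor from 25 to 28 in the `--with-system-tzdata` condition here and in the `%patch42` condition of the earlier `%prep` hunk. A one-line comment above the new `rm` lines (`# <reason these date tests are removed>`) and a changelog line such as `- drop 3 date tests, raise Fedora floor for system tzdata to 28` would keep the reduced test coverage traceable.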