summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorRemi Collet <remi@remirepo.net>2019-03-15 15:46:43 +0100
committerRemi Collet <remi@remirepo.net>2019-03-15 15:46:43 +0100
commitd4b35588f862a753d994f613c512886a6e9cb345 (patch)
tree81935a7ab53394b2f62607e67d160dcd637f3280
parent302af801d838b666dfc9fffd851c630e1e18b61e (diff)
Fix #76846 Segfault in shutdown function after memory limit error
-rw-r--r--php-bug76846.patch82
-rw-r--r--php.spec14
2 files changed, 93 insertions, 3 deletions
diff --git a/php-bug76846.patch b/php-bug76846.patch
new file mode 100644
index 0000000..811de97
--- /dev/null
+++ b/php-bug76846.patch
@@ -0,0 +1,82 @@
+From 45cdcb2d0be89fe7bc404dd150240ec83f5de401 Mon Sep 17 00:00:00 2001
+From: Nikita Popov <nikita.ppv@gmail.com>
+Date: Fri, 28 Sep 2018 12:56:47 +0200
+Subject: [PATCH] Fixed bug #76846
+
+---
+ NEWS | 2 ++
+ Zend/tests/bug76846.phpt | 27 +++++++++++++++++++++++++++
+ Zend/zend_objects_API.c | 6 ++++--
+ 3 files changed, 33 insertions(+), 2 deletions(-)
+ create mode 100644 Zend/tests/bug76846.phpt
+
+diff --git a/Zend/tests/bug76846.phpt b/Zend/tests/bug76846.phpt
+new file mode 100644
+index 000000000000..c167a8bb789f
+--- /dev/null
++++ b/Zend/tests/bug76846.phpt
+@@ -0,0 +1,27 @@
++--TEST--
++Bug #76846: Segfault in shutdown function after memory limit error
++--INI--
++memory_limit=33M
++--SKIPIF--
++<?php
++$zend_mm_enabled = getenv("USE_ZEND_ALLOC");
++if ($zend_mm_enabled === "0") {
++ die("skip Zend MM disabled");
++}
++?>
++--FILE--
++<?php
++
++register_shutdown_function(function() {
++ new stdClass;
++});
++
++$ary = [];
++while (true) {
++ $ary[] = new stdClass;
++}
++
++?>
++--EXPECTF--
++Fatal error: Allowed memory size of %d bytes exhausted at %s:%d (tried to allocate %d bytes) in %s on line %d
++%A
+diff --git a/Zend/zend_objects_API.c b/Zend/zend_objects_API.c
+index 54d8d51456d8..cbb637c54907 100644
+--- a/Zend/zend_objects_API.c
++++ b/Zend/zend_objects_API.c
+@@ -116,8 +116,10 @@ ZEND_API void zend_objects_store_put(zend_object *object)
+ EG(objects_store).free_list_head = GET_OBJ_BUCKET_NUMBER(EG(objects_store).object_buckets[handle]);
+ } else {
+ if (EG(objects_store).top == EG(objects_store).size) {
+- EG(objects_store).size <<= 1;
+- EG(objects_store).object_buckets = (zend_object **) erealloc(EG(objects_store).object_buckets, EG(objects_store).size * sizeof(zend_object*));
++ uint32_t new_size = 2 * EG(objects_store).size;
++ EG(objects_store).object_buckets = (zend_object **) erealloc(EG(objects_store).object_buckets, new_size * sizeof(zend_object*));
++ /* Assign size after realloc, in case it fails */
++ EG(objects_store).size = new_size;
+ }
+ handle = EG(objects_store).top++;
+ }
+From fa84b8ebb4ab14ca841d7e479865548dadc5eb88 Mon Sep 17 00:00:00 2001
+From: Nikita Popov <nikita.ppv@gmail.com>
+Date: Fri, 28 Sep 2018 13:39:43 +0200
+Subject: [PATCH] Fix test for release builds
+
+---
+ Zend/tests/bug76846.phpt | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/Zend/tests/bug76846.phpt b/Zend/tests/bug76846.phpt
+index c167a8bb789f..fbef2010338c 100644
+--- a/Zend/tests/bug76846.phpt
++++ b/Zend/tests/bug76846.phpt
+@@ -23,5 +23,4 @@ while (true) {
+
+ ?>
+ --EXPECTF--
+-Fatal error: Allowed memory size of %d bytes exhausted at %s:%d (tried to allocate %d bytes) in %s on line %d
+-%A
++Fatal error: Allowed memory size of %d bytes exhausted%s(tried to allocate %d bytes) in %s on line %d%A
diff --git a/php.spec b/php.spec
index d3fb990..2d5f130 100644
--- a/php.spec
+++ b/php.spec
@@ -131,7 +131,7 @@
Summary: PHP scripting language for creating dynamic web sites
Name: %{?scl_prefix}php
Version: %{upver}%{?rcver:~%{rcver}}
-Release: 5%{?dist}
+Release: 6%{?dist}
# All files licensed under PHP version 3.01, except
# Zend is licensed under Zend
# TSRM is licensed under BSD
@@ -193,6 +193,7 @@ Patch91: php-5.6.3-oci8conf.patch
Patch100: https://github.com/php/php-src/commit/be50a72715c141befe6f34ece660745da894aaf3.patch
Patch101: https://github.com/php/php-src/commit/2ef8809ef3beb5f58b81dcff49bdcde4d2cb8426.patch
Patch102: php-openssl-cert.patch
+Patch103: php-bug76846.patch
# Security fixes (200+)
Patch200: php-bug77242.patch
@@ -924,7 +925,7 @@ support for JavaScript Object Notation (JSON) to PHP.
%endif
%patch40 -p1 -b .dlopen
-%if 0%{?fedora} >= 25 || 0%{?rhel} >= 6
+%if 0%{?fedora} >= 28 || 0%{?rhel} >= 6
%patch42 -p1 -b .systzdata
%endif
%patch43 -p1 -b .headers
@@ -940,6 +941,7 @@ support for JavaScript Object Notation (JSON) to PHP.
%patch100 -p1 -b .up1
%patch101 -p1 -b .up2
%patch102 -p1 -b .up3
+%patch103 -p1 -b .bug76846
# security patches
%patch200 -p1 -b .bug77242
@@ -998,6 +1000,9 @@ mkdir \
rm ext/date/tests/timezone_location_get.phpt
rm ext/date/tests/timezone_version_get.phpt
rm ext/date/tests/timezone_version_get_basic1.phpt
+rm ext/date/tests/bug33414-1.phpt
+rm ext/date/tests/bug33415-2.phpt
+rm ext/date/tests/date_modify-1.phpt
# fails sometime
rm ext/sockets/tests/mcast_ipv?_recv.phpt
# Should be skipped but fails sometime
@@ -1172,7 +1177,7 @@ ln -sf ../configure
--with-layout=GNU \
--with-kerberos \
--with-libxml-dir=%{_root_prefix} \
-%if 0%{?fedora} >= 25 || 0%{?rhel} >= 6
+%if 0%{?fedora} >= 28 || 0%{?rhel} >= 6
--with-system-tzdata \
%endif
--with-mhash \
@@ -1908,6 +1913,9 @@ EOF
%changelog
+* Fri Mar 15 2019 Remi Collet <remi@remirepo.net> - 7.0.33-6
+- Fix #76846 Segfault in shutdown function after memory limit error
+
* Tue Mar 5 2019 Remi Collet <remi@remirepo.net> - 7.0.33-5
- Fix #77630 rename() across the device may allow unwanted access
during processing