diff options
-rw-r--r-- | php-bug75573.patch | 107 | ||||
-rw-r--r-- | php.spec | 7 |
2 files changed, 113 insertions, 1 deletions
diff --git a/php-bug75573.patch b/php-bug75573.patch new file mode 100644 index 0000000..46cf095 --- /dev/null +++ b/php-bug75573.patch @@ -0,0 +1,107 @@ +From 3b9ba7b6bd9e24bdbeca8e8e3f24cee2fccc51d8 Mon Sep 17 00:00:00 2001 +From: Xinchen Hui <laruence@gmail.com> +Date: Wed, 29 Nov 2017 14:46:21 +0800 +Subject: [PATCH] Fixed bug #75573 (Segmentation fault in 7.1.12 and 7.0.26) + +--- + NEWS | 1 + + Zend/tests/bug75573.phpt | 64 +++++++++++++++++++++++++++++++++++++++++++++ + Zend/zend_object_handlers.c | 10 +++---- + 3 files changed, 69 insertions(+), 6 deletions(-) + create mode 100644 Zend/tests/bug75573.phpt + +diff --git a/Zend/tests/bug75573.phpt b/Zend/tests/bug75573.phpt +new file mode 100644 +index 0000000..476ff6e +--- /dev/null ++++ b/Zend/tests/bug75573.phpt +@@ -0,0 +1,64 @@ ++--TEST-- ++Bug #75573 (Segmentation fault in 7.1.12 and 7.0.26) ++--FILE-- ++<?php ++ ++class A ++{ ++ var $_stdObject; ++ function initialize($properties = FALSE) { ++ $this->_stdObject = $properties ? (object) $properties : new stdClass(); ++ parent::initialize(); ++ } ++ function &__get($property) ++ { ++ if (isset($this->_stdObject->{$property})) { ++ $retval =& $this->_stdObject->{$property}; ++ return $retval; ++ } else { ++ return NULL; ++ } ++ } ++ function &__set($property, $value) ++ { ++ return $this->_stdObject->{$property} = $value; ++ } ++ function __isset($property_name) ++ { ++ return isset($this->_stdObject->{$property_name}); ++ } ++} ++ ++class B extends A ++{ ++ function initialize($properties = array()) ++ { ++ parent::initialize($properties); ++ } ++ function &__get($property) ++ { ++ if (isset($this->settings) && isset($this->settings[$property])) { ++ $retval =& $this->settings[$property]; ++ return $retval; ++ } else { ++ return parent::__get($property); ++ } ++ } ++} ++ ++$b = new B(); ++$b->settings = [ "foo" => "bar", "name" => "abc" ]; ++var_dump($b->name); ++var_dump($b->settings); ++?> ++--EXPECTF-- ++Warning: Creating default object from empty value in %sbug75573.php on line %d ++ ++Notice: Only variable references should be returned by reference in %sbug75573.php on line %d ++string(3) "abc" ++array(2) { ++ ["foo"]=> ++ string(3) "bar" ++ ["name"]=> ++ string(3) "abc" ++} +diff --git a/Zend/zend_object_handlers.c b/Zend/zend_object_handlers.c +index 10045b5..d9ebd84 100644 +--- a/Zend/zend_object_handlers.c ++++ b/Zend/zend_object_handlers.c +@@ -668,13 +668,11 @@ zval *zend_std_read_property(zval *object, zval *member, int type, void **cache_ + } + zval_ptr_dtor(&tmp_object); + goto exit; +- } else { ++ } else if (Z_STRVAL_P(member)[0] == '\0' && Z_STRLEN_P(member) != 0) { + zval_ptr_dtor(&tmp_object); +- if (Z_STRVAL_P(member)[0] == '\0' && Z_STRLEN_P(member) != 0) { +- zend_throw_error(NULL, "Cannot access property started with '\\0'"); +- retval = &EG(uninitialized_zval); +- goto exit; +- } ++ zend_throw_error(NULL, "Cannot access property started with '\\0'"); ++ retval = &EG(uninitialized_zval); ++ goto exit; + } + } + +-- +2.1.4 + @@ -126,7 +126,7 @@ Summary: PHP scripting language for creating dynamic web sites Name: %{?scl_prefix}php Version: %{upver}%{?rcver:~%{rcver}} -Release: 1%{?dist} +Release: 2%{?dist} # All files licensed under PHP version 3.01, except # Zend is licensed under Zend # TSRM is licensed under BSD @@ -184,6 +184,7 @@ Patch48: php-7.1.9-openssl-load-config.patch Patch91: php-5.6.3-oci8conf.patch # Upstream fixes (100+) +Patch100: php-bug75573.patch # Security fixes (200+) @@ -896,6 +897,7 @@ support for JavaScript Object Notation (JSON) to PHP. %patch91 -p1 -b .remi-oci8 # upstream patches +%patch100 -p1 -b .bug75573 # security patches @@ -1821,6 +1823,9 @@ fi %changelog +* Fri Dec 1 2017 Remi Collet <remi@remirepo.net> - 7.1.12-2 +- add upstream patch for https://bugs.php.net/75573 + * Wed Nov 22 2017 Remi Collet <remi@remirepo.net> - 7.1.12-1 - Update to 7.1.12 - http://www.php.net/releases/7_1_12.php |