Fix GH-17736: Assertion failure zend_reference_destroy()

The cache slot for FETCH_OBJ_W in function `test` is primed with the
class for C. The next call uses a simplexml instance and reuses the same
cache slot. simplexml's get_property_ptr handler does not use the cache
slot, so the old values remain in the cache slot. When
`zend_handle_fetch_obj_flags` is called this is not guarded by a check
for the class entry. So we end up using the prop_info from the property
C::$a instead of the simplexml property.

This patch adds a reset to the cache slots in the property address fetch
code and also in the extensions with a non-standard reference handler.
This keeps the run time cache consistent and avoids the issue without
complicating the fast paths.

Closes GH-17739.
Niels Dossche 2025-02-08 12:44:58 +01:00
parent 6bb56fe0cf
commit ce8ab5f16a
No known key found for this signature in database
GPG key ID: B8A8AD166DF0E2E5
11 changed files with 37 additions and 0 deletions

@ -890,6 +890,8 @@ static zval *php_zip_get_property_ptr_ptr(zend_object *object, zend_string *name
zval *retval = NULL;
zip_prop_handler *hnd = NULL;
cache_slot[0] = cache_slot[1] = cache_slot[2] = NULL;
obj = php_zip_fetch_object(object);
if (obj->prop_handler != NULL) {
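Review bot: the added `cache_slot[0] = cache_slot[1] = cache_slot[2] = NULL;` line at the top of `php_zip_get_property_ptr_ptr` writes through `cache_slot` with no NULL check in the lines shown. If this handler can be reached with a NULL `cache_slot` (for example when the property name is not a compile-time constant), that is a NULL pointer write. Either guard it with `if (cache_slot) { ... }` or state in a comment that callers always pass a valid slot. The line would also benefit from a one-line comment saying why the slot is cleared (this handler does not populate it, so stale entries primed by another class must not survive, as the commit message describes), since the reason is not obvious from the code alone.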