From f07b41b465a5bb314a2d3b2bf309828e2dd7e299 Mon Sep 17 00:00:00 2001
From: Anatol Belski
Date: Tue, 19 Aug 2014 14:20:56 +0200
Subject: [PATCH 1/3] fix incompatible types
---
 ext/session/session.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/ext/session/session.c b/ext/session/session.c
index b03cfaa6144..1a678b8ddbc 100644
--- a/ext/session/session.c
+++ b/ext/session/session.c
@@ -1266,12 +1266,13 @@ static void php_session_remove_cookie(TSRMLS_D) {
 zend_llist *l = &SG(sapi_headers).headers;
 zend_llist_element *next;
 zend_llist_element *current;
- char *session_cookie, *e_session_name;
+ char *session_cookie;
+ zend_string *e_session_name;
 int session_cookie_len, len = sizeof("Set-Cookie")-1;
 e_session_name = php_url_encode(PS(session_name), strlen(PS(session_name)));
- spprintf(&session_cookie, 0, "Set-Cookie: %s=", e_session_name);
- efree(e_session_name);
+ spprintf(&session_cookie, 0, "Set-Cookie: %s=", e_session_name->val);
+ STR_FREE(e_session_name);
 session_cookie_len = strlen(session_cookie);
 current = l->head;
From 14439b79b474317f4c5c90bbca551ec3a1a5c505 Mon Sep 17 00:00:00 2001
From: Dmitry Stogov
Date: Wed, 20 Aug 2014 00:00:59 +0400
Subject: [PATCH 2/3] Fixed referenced value separation
---
 Zend/zend_vm_def.h | 5 ++++-
 Zend/zend_vm_execute.h | 20 ++++++++++++++++----
 2 files changed, 20 insertions(+), 5 deletions(-)
diff --git a/Zend/zend_vm_def.h b/Zend/zend_vm_def.h
index 7749197a749..34e317c9c00 100644
--- a/Zend/zend_vm_def.h
+++ b/Zend/zend_vm_def.h
@@ -4547,7 +4547,10 @@ ZEND_VM_HANDLER(77, ZEND_FE_RESET, CONST|TMP|VAR|CV, ANY)
 ZVAL_UNREF(array_ref);
 array_ptr = array_ref;
 }
- if (Z_IMMUTABLE_P(array_ptr)) {
+ if (Z_IMMUTABLE_P(array_ptr) ||
+ (Z_ISREF_P(array_ref) &&
+ Z_REFCOUNTED_P(array_ptr) &&
+ Z_REFCOUNT_P(array_ptr) > 1)) {
 zval_copy_ctor(array_ptr);
 }
 Z_ADDREF_P(array_ref);
diff --git a/Zend/zend_vm_execute.h b/Zend/zend_vm_execute.h
index c2e59c14411..ad879ed7773 100644
--- a/Zend/zend_vm_execute.h
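Review bot: In the `ZEND_FE_RESET` hunk of Zend/zend_vm_def.h, the new `Z_REFCOUNT_P(array_ptr) > 1` case reaches `zval_copy_ctor(array_ptr)` without any visible release of the count this zval held on the shared value. If `zval_copy_ctor` only duplicates the value and repoints the zval (worth confirming against its definition), the original keeps one count too many and is never freed; refcount drift in the executor deserves the same care as any other memory-safety bug. I would handle the shared case in its own branch with `Z_DELREF_P(array_ptr);` ahead of the copy, and add a comment such as `/* referenced value is shared with other holders: separate it before iterating */`. The same four lines recur in the five `ZEND_FE_RESET_SPEC_*` handlers of Zend/zend_vm_execute.h, which look generated from this template and should be regenerated rather than hand-edited; the enclosing branch starts and ends outside the hunk.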
+++ b/Zend/zend_vm_execute.h @@ -3161,7 +3161,10 @@ static int ZEND_FASTCALL ZEND_FE_RESET_SPEC_CONST_HANDLER(ZEND_OPCODE_HANDLER_A ZVAL_UNREF(array_ref); array_ptr = array_ref; } - if (Z_IMMUTABLE_P(array_ptr)) { + if (Z_IMMUTABLE_P(array_ptr) || + (Z_ISREF_P(array_ref) && + Z_REFCOUNTED_P(array_ptr) && + Z_REFCOUNT_P(array_ptr) > 1)) { zval_copy_ctor(array_ptr); } Z_ADDREF_P(array_ref); @@ -8678,7 +8681,10 @@ static int ZEND_FASTCALL ZEND_FE_RESET_SPEC_TMP_HANDLER(ZEND_OPCODE_HANDLER_ARG ZVAL_UNREF(array_ref); array_ptr = array_ref; } - if (Z_IMMUTABLE_P(array_ptr)) { + if (Z_IMMUTABLE_P(array_ptr) || + (Z_ISREF_P(array_ref) && + Z_REFCOUNTED_P(array_ptr) && + Z_REFCOUNT_P(array_ptr) > 1)) { zval_copy_ctor(array_ptr); } Z_ADDREF_P(array_ref); @@ -14118,7 +14124,10 @@ static int ZEND_FASTCALL ZEND_FE_RESET_SPEC_VAR_HANDLER(ZEND_OPCODE_HANDLER_ARG ZVAL_UNREF(array_ref); array_ptr = array_ref; } - if (Z_IMMUTABLE_P(array_ptr)) { + if (Z_IMMUTABLE_P(array_ptr) || + (Z_ISREF_P(array_ref) && + Z_REFCOUNTED_P(array_ptr) && + Z_REFCOUNT_P(array_ptr) > 1)) { zval_copy_ctor(array_ptr); } Z_ADDREF_P(array_ref); @@ -31476,7 +31485,10 @@ static int ZEND_FASTCALL ZEND_FE_RESET_SPEC_CV_HANDLER(ZEND_OPCODE_HANDLER_ARGS ZVAL_UNREF(array_ref); array_ptr = array_ref; } - if (Z_IMMUTABLE_P(array_ptr)) { + if (Z_IMMUTABLE_P(array_ptr) || + (Z_ISREF_P(array_ref) && + Z_REFCOUNTED_P(array_ptr) && + Z_REFCOUNT_P(array_ptr) > 1)) { zval_copy_ctor(array_ptr); } Z_ADDREF_P(array_ref); From cbe1597b747474388912c91018b0e12275784720 Mon Sep 17 00:00:00 2001 
From: Sara Golemon
Date: Tue, 19 Aug 2014 12:46:53 -0700
Subject: [PATCH 3/3] Switch use of strtok() to gd_strtok_r()
strtok() is not thread safe, so this will potentially break in very bad ways if used in ZTS mode. I'm not sure why gd_strtok_r() exists since it seems to do the same thing as strtok_r(), but I'll assume it's a portability decision and do as the Romans do.
---
 NEWS | 3 +++
 ext/gd/libgd/gdft.c | 6 ++++--
 2 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/NEWS b/NEWS
index f515bbe57c7..5df40324da6 100644
--- a/NEWS
+++ b/NEWS
@@ -12,6 +12,9 @@ PHP NEWS - Date: . Fixed bug #66091 (memory leaks in DateTime constructor). (Tjerk). +- GD + . Made fontFetch's path parser thread-safe. (Sara). + ?? ??? 2014, PHP 5.4.32 - COM:
diff --git a/ext/gd/libgd/gdft.c b/ext/gd/libgd/gdft.c
index ac2bf344ffe..884a4148fe8 100644
--- a/ext/gd/libgd/gdft.c
+++ b/ext/gd/libgd/gdft.c
@@ -370,9 +370,10 @@ static void *fontFetch (char **error, void *key)
 fontlist = gdEstrdup(a->fontlist);
 /*
- * Must use gd_strtok_r else pointer corrupted by strtok in nested loop.
+ * Must use gd_strtok_r becasuse strtok() isn't thread safe
 */
 for (name = gd_strtok_r (fontlist, LISTSEPARATOR, &strtok_ptr); name; name = gd_strtok_r (0, LISTSEPARATOR, &strtok_ptr)) {
+ char *strtok_ptr_path;
 /* make a fresh copy each time - strtok corrupts it. */
 path = gdEstrdup (fontsearchpath);
@@ -388,7 +389,8 @@ static void *fontFetch (char **error, void *key)
 break;
 }
 }
- for (dir = strtok (path, PATHSEPARATOR); dir; dir = strtok (0, PATHSEPARATOR)) {
+ for (dir = gd_strtok_r (path, PATHSEPARATOR, &strtok_ptr_path); dir;
+ dir = gd_strtok_r (0, PATHSEPARATOR, &strtok_ptr_path)) {
 if (!strcmp(dir, ".")) {
 TSRMLS_FETCH();
 #if HAVE_GETCWD
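Review bot: The rewritten comment in the first `fontFetch` hunk of ext/gd/libgd/gdft.c misspells "because" and drops the earlier reason, which still applies now that the path loop in the second hunk runs its own tokenizer inside the outer font-list loop. I would word it `* Must use gd_strtok_r: strtok() keeps one hidden static state, so it is neither thread safe nor usable in nested loops.` so the next reader does not swap either call back to `strtok()`. `fontFetch` starts before and continues after both hunks, so what is done with each `dir` token is not visible here.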