Bug#706082: segfaults in garbage collection

Wed, 24 Apr 2013 07:30:19 -0700 

Package: php5-cli
Version: 5.4.4-15
Severity: important
Tags: patch upstream

Hi

while running testsuite, I quite often get segmentation fault. 

After experimenting with patches, I fould following upstream bugs to
cause my problems:

https://bugs.php.net/bug.php?id=63635
https://bugs.php.net/bug.php?id=63055

Attached is patch which combines these fixes.

-- 
        Michal Čihař | http://cihar.com | http://blog.cihar.com


-- System Information:
Debian Release: 7.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-vserver-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages php5-cli depends on:
ii  libbz2-1.0        1.0.6-4
ii  libc6             2.13-38
ii  libcomerr2        1.42.5-1.1
ii  libdb5.1          5.1.29-5
ii  libgssapi-krb5-2  1.10.1+dfsg-5
ii  libk5crypto3      1.10.1+dfsg-5
ii  libkrb5-3         1.10.1+dfsg-5
ii  libmagic1         1:5.11-3
ii  libonig2          5.9.1-1
ii  libpcre3          1:8.31-2
ii  libqdbm14         1.8.78-2
ii  libssl1.0.0       1.0.1e-2
ii  libxml2           2.8.0+dfsg1-7+nmu1
ii  mime-support      3.52-2
ii  php5-common       5.4.4-15
ii  tzdata            2013b-2
ii  ucf               3.0025+nmu3
ii  zlib1g            1:1.2.7.dfsg-13

php5-cli recommends no packages.

Versions of packages php5-cli suggests:
ii  php-pear  5.4.4-15

-- no debconf information

--- a/Zend/zend_gc.c
+++ b/Zend/zend_gc.c
@@ -644,7 +644,8 @@
 			struct _store_object *obj = &EG(objects_store).object_buckets[Z_OBJ_HANDLE_P(pz)].bucket.obj;
 
 			if (obj->buffered == (gc_root_buffer*)GC_WHITE) {
-				GC_SET_BLACK(obj->buffered);
+				/* PURPLE instead of BLACK to prevent buffering in nested gc calls */
+				GC_SET_PURPLE(obj->buffered);
 
 				if (EXPECTED(EG(objects_store).object_buckets[Z_OBJ_HANDLE_P(pz)].valid &&
 				             (get_gc = Z_OBJ_HANDLER_P(pz, get_gc)) != NULL)) {
@@ -715,7 +716,8 @@
 		struct _store_object *obj = &EG(objects_store).object_buckets[Z_OBJ_HANDLE_P(pz)].bucket.obj;
 
 		if (obj->buffered == (gc_root_buffer*)GC_WHITE) {
-			GC_SET_BLACK(obj->buffered);
+			/* PURPLE instead of BLACK to prevent buffering in nested gc calls */
+			GC_SET_PURPLE(obj->buffered);
 
 			if (EXPECTED(EG(objects_store).object_buckets[Z_OBJ_HANDLE_P(pz)].valid &&
 			             (get_gc = Z_OBJ_HANDLER_P(pz, get_gc)) != NULL)) {
--- a/ext/pcre/php_pcre.c
+++ b/ext/pcre/php_pcre.c
@@ -547,8 +547,9 @@
 
 	/* Overwrite the passed-in value for subpatterns with an empty array. */
 	if (subpats != NULL) {
-		zval_dtor(subpats);
+        zval garbage = *subpats;
 		array_init(subpats);
+		zval_dtor(&garbage);
 	}
 
 	subpats_order = global ? PREG_PATTERN_ORDER : 0;

Reply via email to