Posted to commits@thrift.apache.org by jk...@apache.org on 2017/02/23 16:44:51 UTC

thrift git commit: THRIFT-3984 PHP7 extension causes segfault

Repository: thrift
Updated Branches:
  refs/heads/master 37aac3bb5 -> e66b8fcde


THRIFT-3984 PHP7 extension causes segfault

The PHP 7 extension can sometimes free strings it does not own,
when serializing string map keys, or the name of called methods.
The latter case was somewhat mitigated since the double-free has no
effect on interned strings.
Using ZVAL_STR_COPY instead of ZVAL_STR will increment the reference
count, making the following destructor call correct.

Fix memory leak in PHP 7

Fix memory leak when deserializing maps or sets.
zend_hash_update will add its own reference to the key, so we need to
destruct the key zval to not leak.
We don't need to destruct the value, the hash table will take ownership
of it.

This closes #1152


Project: http://git-wip-us.apache.org/repos/asf/thrift/repo
Commit: http://git-wip-us.apache.org/repos/asf/thrift/commit/e66b8fcd
Tree: http://git-wip-us.apache.org/repos/asf/thrift/tree/e66b8fcd
Diff: http://git-wip-us.apache.org/repos/asf/thrift/diff/e66b8fcd

Branch: refs/heads/master
Commit: e66b8fcde3922ab9244908d9ca27d5084536e168
Parents: 37aac3b
Author: H�kon Hitland <ha...@zedge.net>
Authored: Mon Dec 5 18:42:41 2016 +0100
Committer: James E. King, III <jk...@apache.org>
Committed: Thu Feb 23 11:43:45 2017 -0500

----------------------------------------------------------------------
 .../thrift_protocol/php_thrift_protocol7.cpp    |  6 ++-
 test/php/TestClient.php                         | 47 +++++++++++++++++++-
 2 files changed, 50 insertions(+), 3 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/thrift/blob/e66b8fcd/lib/php/src/ext/thrift_protocol/php_thrift_protocol7.cpp
----------------------------------------------------------------------
diff --git a/lib/php/src/ext/thrift_protocol/php_thrift_protocol7.cpp b/lib/php/src/ext/thrift_protocol/php_thrift_protocol7.cpp
index 13cdf22..da5b3de 100644
--- a/lib/php/src/ext/thrift_protocol/php_thrift_protocol7.cpp
+++ b/lib/php/src/ext/thrift_protocol/php_thrift_protocol7.cpp
@@ -596,6 +596,7 @@ void binary_deserialize(int8_t thrift_typeID, PHPInputTransport& transport, zval
           if (Z_TYPE(key) != IS_STRING) convert_to_string(&key);
           zend_symtable_update(Z_ARR_P(return_value), Z_STR(key), &value);
         }
+        zval_dtor(&key);
       }
       return; // return_value already populated
     }
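Review bot: The added `zval_dtor(&key);` after the if/else has no comment, and the ownership rule it relies on is stated only in the commit message. A line above it such as `// the table holds its own reference to the key string; release ours (value is owned by the table)` would keep a later edit from dropping the call or adding a matching destructor for `value`. The same applies to the identical line added in the second hunk (`@@ -636,6 +637,7 @@`). The declarations of `key` and `value` and the start of the loop are outside the hunk, so whether an early exit between deserializing the key and this line could still skip the release cannot be judged from here.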
@@ -636,6 +637,7 @@ void binary_deserialize(int8_t thrift_typeID, PHPInputTransport& transport, zval
           if (Z_TYPE(key) != IS_STRING) convert_to_string(&key);
           zend_symtable_update(Z_ARR_P(return_value), Z_STR(key), &value);
         }
+        zval_dtor(&key);
       }
       return;
     }
@@ -665,7 +667,7 @@ void binary_serialize_hashtable_key(int8_t keytype, PHPOutputTransport& transpor
   } else {
     char buf[64];
     if (res == HASH_KEY_IS_STRING) {
-      ZVAL_STR(&z, key);
+      ZVAL_STR_COPY(&z, key);
     } else {
       snprintf(buf, 64, "%ld", index);
       ZVAL_STRING(&z, buf);
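Review bot: `ZVAL_STR_COPY(&z, key);` is correct only because `z` is destroyed later in binary_serialize_hashtable_key, outside this hunk, and nothing on the line says so. A short comment such as `// take our own reference: z is destroyed below, key still belongs to the hash table` would record that both branches now leave `z` holding a reference it owns. The same comment fits `ZVAL_STR_COPY(&args[0], method_name);` in protocol_writeMessageBegin (fourth hunk), where the caller presumably keeps ownership of `method_name`. Separately, the context line `snprintf(buf, 64, "%ld", index);` would be safer as `snprintf(buf, sizeof(buf), "%ld", index);` so the bound follows the array declaration.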
@@ -822,7 +824,7 @@ void protocol_writeMessageBegin(zval* transport, zend_string* method_name, int32
   zval ret;
   zval writeMessagefn;
 
-  ZVAL_STR(&args[0], method_name);
+  ZVAL_STR_COPY(&args[0], method_name);
   ZVAL_LONG(&args[1], msgtype);
   ZVAL_LONG(&args[2], seqID);
   ZVAL_NULL(&ret);

http://git-wip-us.apache.org/repos/asf/thrift/blob/e66b8fcd/test/php/TestClient.php
----------------------------------------------------------------------
diff --git a/test/php/TestClient.php b/test/php/TestClient.php
index c1f6435..76fd935 100755
--- a/test/php/TestClient.php
+++ b/test/php/TestClient.php
@@ -266,6 +266,39 @@ if ($mapin != $mapout) {
     $exitcode |= ERR_CONTAINERS;
 }
 
+$mapout = array();
+for ($i = 0; $i < 10; $i++) {
+    $mapout["key$i"] = "val$i";
+}
+print_r('testStringMap({');
+$first = true;
+foreach ($mapout as $key => $val) {
+  if ($first) {
+    $first = false;
+  } else {
+    print_r(", ");
+  }
+  print_r("\"$key\" => \"$val\"");
+}
+print_r("})");
+$mapin = $testClient->testStringMap($mapout);
+print_r(" = {");
+$first = true;
+foreach ($mapin as $key => $val) {
+  if ($first) {
+    $first = false;
+  } else {
+    print_r(", ");
+  }
+  print_r("\"$key\" => \"$val\"");
+}
+print_r("}\n");
+ksort($mapin);
+if ($mapin != $mapout) {
+    echo "**FAILED**\n";
+    $exitcode |= ERR_CONTAINERS;
+}
+
 /**
  * SET TEST
  */
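Review bot: The added string-map block does not say that it is the regression check for THRIFT-3984, nor why the keys are built as `"key$i"`. If the intent is that runtime-built keys are not interned strings (the commit message notes the double free has no effect on interned ones), a comment like `// Regression check for THRIFT-3984: keys are built at runtime so they are not interned` would stop someone from simplifying them to literals. The comparison only checks contents, so a freed-string regression would show up as a crash rather than as `**FAILED**`, which is worth stating in the same comment.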
@@ -459,7 +492,6 @@ try {
   print_r(' caught xception '.$x->errorCode.': '.$x->message."\n");
 }
 
-
 /**
  * Normal tests done.
  */
@@ -472,6 +504,19 @@ print_r("Total time: $elp ms\n");
  * Extraneous "I don't trust PHP to pack/unpack integer" tests
  */
 
+if ($protocol instanceof TBinaryProtocolAccelerated) {
+    // Regression check: check that method name is not double-freed
+    // Method name should not be an interned string.
+    $method_name = "Void";
+    $method_name = "test$method_name";
+
+    $seqid = 0;
+    $args = new \ThriftTest\ThriftTest_testVoid_args();
+    thrift_protocol_write_binary($protocol, $method_name, \Thrift\Type\TMessageType::CALL, $args, $seqid, $protocol->isStrictWrite());
+    $testClient->recv_testVoid();
+
+}
+
 // Max I32
 $num = pow(2, 30) + (pow(2, 30) - 1);
 roundtrip($testClient, 'testI32', $num);
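Review bot: The guard `if ($protocol instanceof TBinaryProtocolAccelerated)` does not confirm that the extension is loaded before `thrift_protocol_write_binary(...)` is called directly. If the accelerated protocol class can be instantiated without the extension (not visible here), the call would end the test run with an undefined-function error; `if ($protocol instanceof TBinaryProtocolAccelerated && function_exists('thrift_protocol_write_binary')) {` avoids that. The block also never sets `$exitcode`, so a regression is detected only if the process crashes, and the existing comment could say so: `// A double free shows up as a crash; there is no explicit assertion here`.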