You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@thrift.apache.org by jk...@apache.org on 2017/02/23 16:44:51 UTC
thrift git commit: THRIFT-3984 PHP7 extension causes segfault
Repository: thrift
Updated Branches:
refs/heads/master 37aac3bb5 -> e66b8fcde
THRIFT-3984 PHP7 extension causes segfault
The PHP 7 extension can sometimes free strings it does not own,
when serializing string map keys, or the name of called methods.
The latter case was somewhat migitated since the double-free has no
effect on interned strings.
Using ZVAL_STR_COPY instead of ZVAL_STR will increment the reference
count, making the following destructor call correct.
Fix memory leak in PHP 7
Fix memory leak when deserializing maps or sets.
zend_hash_update will add its own reference to the key, so we need to
destruct the key zval to not leak.
We don't need to destruct the value, the hash table will take ownership
of it.
This closes #1152
Project: http://git-wip-us.apache.org/repos/asf/thrift/repo
Commit: http://git-wip-us.apache.org/repos/asf/thrift/commit/e66b8fcd
Tree: http://git-wip-us.apache.org/repos/asf/thrift/tree/e66b8fcd
Diff: http://git-wip-us.apache.org/repos/asf/thrift/diff/e66b8fcd
Branch: refs/heads/master
Commit: e66b8fcde3922ab9244908d9ca27d5084536e168
Parents: 37aac3b
Author: H�kon Hitland <ha...@zedge.net>
Authored: Mon Dec 5 18:42:41 2016 +0100
Committer: James E. King, III <jk...@apache.org>
Committed: Thu Feb 23 11:43:45 2017 -0500
----------------------------------------------------------------------
.../thrift_protocol/php_thrift_protocol7.cpp | 6 ++-
test/php/TestClient.php | 47 +++++++++++++++++++-
2 files changed, 50 insertions(+), 3 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/thrift/blob/e66b8fcd/lib/php/src/ext/thrift_protocol/php_thrift_protocol7.cpp
----------------------------------------------------------------------
diff --git a/lib/php/src/ext/thrift_protocol/php_thrift_protocol7.cpp b/lib/php/src/ext/thrift_protocol/php_thrift_protocol7.cpp
index 13cdf22..da5b3de 100644
--- a/lib/php/src/ext/thrift_protocol/php_thrift_protocol7.cpp
+++ b/lib/php/src/ext/thrift_protocol/php_thrift_protocol7.cpp
@@ -596,6 +596,7 @@ void binary_deserialize(int8_t thrift_typeID, PHPInputTransport& transport, zval
if (Z_TYPE(key) != IS_STRING) convert_to_string(&key);
zend_symtable_update(Z_ARR_P(return_value), Z_STR(key), &value);
}
+ zval_dtor(&key);
}
return; // return_value already populated
}
@@ -636,6 +637,7 @@ void binary_deserialize(int8_t thrift_typeID, PHPInputTransport& transport, zval
if (Z_TYPE(key) != IS_STRING) convert_to_string(&key);
zend_symtable_update(Z_ARR_P(return_value), Z_STR(key), &value);
}
+ zval_dtor(&key);
}
return;
}
@@ -665,7 +667,7 @@ void binary_serialize_hashtable_key(int8_t keytype, PHPOutputTransport& transpor
} else {
char buf[64];
if (res == HASH_KEY_IS_STRING) {
- ZVAL_STR(&z, key);
+ ZVAL_STR_COPY(&z, key);
} else {
snprintf(buf, 64, "%ld", index);
ZVAL_STRING(&z, buf);
@@ -822,7 +824,7 @@ void protocol_writeMessageBegin(zval* transport, zend_string* method_name, int32
zval ret;
zval writeMessagefn;
- ZVAL_STR(&args[0], method_name);
+ ZVAL_STR_COPY(&args[0], method_name);
ZVAL_LONG(&args[1], msgtype);
ZVAL_LONG(&args[2], seqID);
ZVAL_NULL(&ret);
http://git-wip-us.apache.org/repos/asf/thrift/blob/e66b8fcd/test/php/TestClient.php
----------------------------------------------------------------------
diff --git a/test/php/TestClient.php b/test/php/TestClient.php
index c1f6435..76fd935 100755
--- a/test/php/TestClient.php
+++ b/test/php/TestClient.php
@@ -266,6 +266,39 @@ if ($mapin != $mapout) {
$exitcode |= ERR_CONTAINERS;
}
+$mapout = array();
+for ($i = 0; $i < 10; $i++) {
+ $mapout["key$i"] = "val$i";
+}
+print_r('testStringMap({');
+$first = true;
+foreach ($mapout as $key => $val) {
+ if ($first) {
+ $first = false;
+ } else {
+ print_r(", ");
+ }
+ print_r("\"$key\" => \"$val\"");
+}
+print_r("})");
+$mapin = $testClient->testStringMap($mapout);
+print_r(" = {");
+$first = true;
+foreach ($mapin as $key => $val) {
+ if ($first) {
+ $first = false;
+ } else {
+ print_r(", ");
+ }
+ print_r("\"$key\" => \"$val\"");
+}
+print_r("}\n");
+ksort($mapin);
+if ($mapin != $mapout) {
+ echo "**FAILED**\n";
+ $exitcode |= ERR_CONTAINERS;
+}
+
/**
* SET TEST
*/
@@ -459,7 +492,6 @@ try {
print_r(' caught xception '.$x->errorCode.': '.$x->message."\n");
}
-
/**
* Normal tests done.
*/
@@ -472,6 +504,19 @@ print_r("Total time: $elp ms\n");
* Extraneous "I don't trust PHP to pack/unpack integer" tests
*/
+if ($protocol instanceof TBinaryProtocolAccelerated) {
+ // Regression check: check that method name is not double-freed
+ // Method name should not be an interned string.
+ $method_name = "Void";
+ $method_name = "test$method_name";
+
+ $seqid = 0;
+ $args = new \ThriftTest\ThriftTest_testVoid_args();
+ thrift_protocol_write_binary($protocol, $method_name, \Thrift\Type\TMessageType::CALL, $args, $seqid, $protocol->isStrictWrite());
+ $testClient->recv_testVoid();
+
+}
+
// Max I32
$num = pow(2, 30) + (pow(2, 30) - 1);
roundtrip($testClient, 'testI32', $num);