Skip to content

Commit 375ef3a

Browse files
author
Sascha Schumann
committed
Back out severely broken patch. I currently don't have the time
to debug this. Please reapply a fixed version.
1 parent d5d7cf7 commit 375ef3a

File tree

1 file changed

+16
-9
lines changed

1 file changed

+16
-9
lines changed

ext/session/session.c

Lines changed: 16 additions & 9 deletions
Original file line numberDiff line numberDiff line change
@@ -234,9 +234,15 @@ typedef struct {
234234

235235
void php_set_session_var(char *name, size_t namelen, zval *state_val PSLS_DC)
236236
{
237+
zval *state_val_copy;
237238
PLS_FETCH();
238239
ELS_FETCH();
239240

241+
ALLOC_ZVAL(state_val_copy);
242+
*state_val_copy = *state_val;
243+
zval_copy_ctor(state_val_copy);
244+
state_val_copy->refcount = 0;
245+
240246
if (PG(register_globals)) {
241247
zval **old_symbol;
242248
if(zend_hash_find(&EG(symbol_table),name,namelen+1,(void *)&old_symbol) == SUCCESS) {
@@ -247,14 +253,15 @@ void php_set_session_var(char *name, size_t namelen, zval *state_val PSLS_DC)
247253
of a global variable) dangling.
248254
*/
249255

250-
REPLACE_ZVAL_VALUE(old_symbol,state_val,0);
256+
REPLACE_ZVAL_VALUE(old_symbol,state_val_copy,0);
257+
FREE_ZVAL(state_val_copy);
251258

252259
zend_set_hash_symbol(*old_symbol, name, namelen, 1, 1, Z_ARRVAL_P(PS(http_session_vars)));
253260
} else {
254-
zend_set_hash_symbol(state_val, name, namelen, 1, 2, Z_ARRVAL_P(PS(http_session_vars)), &EG(symbol_table));
261+
zend_set_hash_symbol(state_val_copy, name, namelen, 1, 2, Z_ARRVAL_P(PS(http_session_vars)), &EG(symbol_table));
255262
}
256263
} else {
257-
zend_set_hash_symbol(state_val, name, namelen, 0, 1, Z_ARRVAL_P(PS(http_session_vars)));
264+
zend_set_hash_symbol(state_val_copy, name, namelen, 0, 1, Z_ARRVAL_P(PS(http_session_vars)));
258265
}
259266
}
260267

@@ -322,6 +329,7 @@ PS_SERIALIZER_DECODE_FUNC(php_binary)
322329

323330
PHP_VAR_UNSERIALIZE_INIT(var_hash);
324331

332+
MAKE_STD_ZVAL(current);
325333
for (p = val; p < endptr; ) {
326334
namelen = *p & (~PS_BIN_UNDEF);
327335
has_value = *p & PS_BIN_UNDEF ? 0 : 1;
@@ -331,16 +339,15 @@ PS_SERIALIZER_DECODE_FUNC(php_binary)
331339
p += namelen + 1;
332340

333341
if (has_value) {
334-
MAKE_STD_ZVAL(current);
335342
if (php_var_unserialize(&current, &p, endptr, &var_hash)) {
336343
php_set_session_var(name, namelen, current PSLS_CC);
344+
zval_dtor(current);
337345
}
338-
zval_ptr_dtor(&current);
339346
}
340347
PS_ADD_VARL(name, namelen);
341348
efree(name);
342349
}
343-
350+
FREE_ZVAL(current);
344351
PHP_VAR_UNSERIALIZE_DESTROY(var_hash);
345352

346353
return SUCCESS;
@@ -398,6 +405,7 @@ PS_SERIALIZER_DECODE_FUNC(php)
398405

399406
PHP_VAR_UNSERIALIZE_INIT(var_hash);
400407

408+
MAKE_STD_ZVAL(current);
401409
for (p = q = val; (p < endptr) && (q = memchr(p, PS_DELIMITER, endptr - p)); p = q) {
402410
if (p[0] == PS_UNDEF_MARKER) {
403411
p++;
@@ -411,18 +419,17 @@ PS_SERIALIZER_DECODE_FUNC(php)
411419
q++;
412420

413421
if (has_value) {
414-
MAKE_STD_ZVAL(current);
415422
if (php_var_unserialize(&current, &q, endptr, &var_hash)) {
416423
php_set_session_var(name, namelen, current PSLS_CC);
424+
zval_dtor(current);
417425
}
418-
zval_ptr_dtor(&current);
419426
}
420427
PS_ADD_VARL(name, namelen);
421428
efree(name);
422429
}
430+
FREE_ZVAL(current);
423431

424432
PHP_VAR_UNSERIALIZE_DESTROY(var_hash);
425-
426433
return SUCCESS;
427434
}
428435

0 commit comments

Comments
 (0)