Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:1920
Return-Path: <thekid@thekid.de>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 22255 invoked from network); 22 May 2003 23:07:08 -0000
Received: from unknown (HELO moutng.kundenserver.de) (212.227.126.188)
  by pb1.pair.com with SMTP; 22 May 2003 23:07:08 -0000
Received: from [212.227.126.162] (helo=mrelayng.kundenserver.de)
	by moutng.kundenserver.de with esmtp (Exim 3.35 #1)
	id 19Iz9O-0003Fl-00; Fri, 23 May 2003 01:07:06 +0200
Received: from [217.80.180.225] (helo=[217.80.180.225])
	by mrelayng.kundenserver.de with asmtp (Exim 3.35 #1)
	id 19Iz9N-0008I4-00; Fri, 23 May 2003 01:07:05 +0200
To: Dmitriy Myshkin <sputnik@reflexx.net>
Cc: internals@lists.php.net
In-Reply-To: <1053644333.53293.21.camel@localhost>
References: <200305211946.h4LJkAj04428@webp5.t3link.com>
	 <1053639840.53293.14.camel@localhost> <1053642025.53293.17.camel@localhost>
	 <1053644333.53293.21.camel@localhost>
Content-Type: multipart/mixed; boundary="=-TOo0xhcbOuX1vmhwbtDN"
Organization: 
Message-ID: <1053644832.53293.25.camel@localhost>
Mime-Version: 1.0
X-Mailer: Ximian Evolution 1.2.4 
Date: 23 May 2003 01:07:13 +0200
Subject: Re: [PHP-DEV] severe serialize problem
From: thekid@thekid.de (Timm Friebe)

--=-TOo0xhcbOuX1vmhwbtDN
Content-Type: text/plain
Content-Transfer-Encoding: 7bit

On Fri, 2003-05-23 at 00:58, Timm Friebe wrote:
> On Fri, 2003-05-23 at 00:20, Timm Friebe wrote:
> > On Thu, 2003-05-22 at 23:44, Timm Friebe wrote:
> > [...]
> > > These patches to php_incomplete_class.h and var_unserializer.re, though
> > > not thoroughly tested, fix this.
> > 
> > Here's a patch to php_incomplete_class.h with corrected whitespace. Some
> > lines were indented with spaces instead of tabs...
> 
> While I'm at it: This patch also gets rid of memory leaks that occur
> when using the unserialize_callback_func ini directive.

And this one gets rid of *all* of them. Sorry for all the spam here:)

Test script used:
<?php
  function autoload($fqcn) {
    list($namespace, $class)= explode('::', $fqcn);
    if ('power' == $namespace) {
      eval('namespace '.$namespace.' { class '.$class.' {}}');
    }
  }
  
  namespace Foo:Baz { 
    class Bar { } 
  } 
  
  class Baz { } 
  
  $bar= new Foo:Baz::Bar(); 
  var_dump($bar, serialize($bar), unserialize(serialize($bar)));
  
  $baz= new Baz();
  var_dump(serialize($baz), unserialize(serialize($baz)));
  
  var_dump(unserialize('O:7:"Binford":0:{}'));

  ini_set('unserialize_callback_func', 'autoload');
  var_dump(unserialize('O:14:"Power::Binford":0:{}'));
  var_dump(unserialize('O:14:"Idiot::Binford":0:{}'));
?>

- Timm

--=-TOo0xhcbOuX1vmhwbtDN
Content-Disposition: attachment; filename=var_unserializer.re.diff
Content-Type: text/x-patch; name=var_unserializer.re.diff; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit

Index: ext/standard/var_unserializer.c
===================================================================
RCS file: /repository/php4/ext/standard/var_unserializer.c,v
retrieving revision 1.22
diff -u -r1.22 var_unserializer.c
--- ext/standard/var_unserializer.c	18 May 2003 12:09:08 -0000	1.22
+++ ext/standard/var_unserializer.c	22 May 2003 23:05:48 -0000
@@ -1,5 +1,5 @@
-/* Generated by re2c 0.5 on Sun May 18 14:06:59 2003 */
-#line 1 "/usr/src/php5/ext/standard/var_unserializer.re"
+/* Generated by re2c 0.5 on Fri May 23 01:01:59 2003 */
+#line 1 "/usr/home/thekid/devel/php/php5/ext/standard/var_unserializer.re"
 /*
   +----------------------------------------------------------------------+
   | PHP Version 4                                                        |
@@ -18,7 +18,7 @@
   +----------------------------------------------------------------------+
 */
 
-/* $Id: var_unserializer.c,v 1.22 2003/05/18 12:09:08 helly Exp $ */
+/* $Id: var_unserializer.re,v 1.14 2003/05/18 12:08:51 helly Exp $ */
 
 #include "php.h"
 #include "ext/standard/php_var.h"
@@ -339,7 +339,7 @@
 	yych = *(YYMARKER = ++YYCURSOR);
 	if(yych == ':')	goto yy74;
 yy4:
-#line 430
+#line 441
 	{ return 0; }
 yy5:	yych = *++YYCURSOR;
 	if(yych == ';')	goto yy72;
@@ -374,7 +374,7 @@
 	goto yy4;
 yy13:	yych = *++YYCURSOR;
 yy14:
-#line 424
+#line 435
 	{
 	/* this is the case where we have less data than planned */
 	php_error_docref(NULL TSRMLS_CC, E_NOTICE, "Unexpected end of serialized data");
@@ -405,6 +405,7 @@
 	int len2;
 	char *class_name;
 	zend_class_entry *ce;
+	zend_class_entry **pce;
 	int incomplete_class = 0;
 	
 	zval *user_func;
@@ -425,50 +426,60 @@
 			class_name[len] = class_name[len] - 'A' + 'a';
 		}
 	}
-
-	if (zend_hash_find(CG(class_table), class_name, len2 + 1, (void **) &ce) != SUCCESS) {
+	
+	do {
+		/* Try to find class directly */
+		if (zend_lookup_ns_class(class_name, len2, &pce TSRMLS_CC) == SUCCESS) {
+			ce = *pce;
+			break;
+		}
+		
+		/* Check for unserialize callback */
 		if ((PG(unserialize_callback_func) == NULL) || (PG(unserialize_callback_func)[0] == '\0')) {
 			incomplete_class = 1;
 			ce = PHP_IC_ENTRY;
+			break;
+		}
+		
+		/* Call unserialize callback */
+		MAKE_STD_ZVAL(user_func);
+		ZVAL_STRING(user_func, PG(unserialize_callback_func), 1);
+		args[0] = &arg_func_name;
+		MAKE_STD_ZVAL(arg_func_name);
+		ZVAL_STRING(arg_func_name, class_name, 1);
+		if (call_user_function_ex(CG(function_table), NULL, user_func, &retval_ptr, 1, args, 0, NULL TSRMLS_CC) != SUCCESS) {
+			php_error_docref(NULL TSRMLS_CC, E_WARNING, "defined (%s) but not found", user_func->value.str.val);
+			incomplete_class = 1;
+			ce = PHP_IC_ENTRY;
+			zval_ptr_dtor(&user_func);
+			zval_ptr_dtor(&arg_func_name);
+			break;
+		}
+		if (retval_ptr) {
+			zval_ptr_dtor(&retval_ptr);
+		}
+		
+		/* The callback function may have defined the class */
+		if (zend_lookup_ns_class(class_name, len2, &pce TSRMLS_CC) == SUCCESS) {
+			ce = *pce;
 		} else {
-			MAKE_STD_ZVAL(user_func);
-			ZVAL_STRING(user_func, PG(unserialize_callback_func), 1);
-
-			args[0] = &arg_func_name;
-			MAKE_STD_ZVAL(arg_func_name);
-			ZVAL_STRING(arg_func_name, class_name, 1);
-				
-			if (call_user_function_ex(CG(function_table), NULL, user_func, &retval_ptr, 1, args, 0, NULL TSRMLS_CC) != SUCCESS) {
-				php_error_docref(NULL TSRMLS_CC, E_WARNING, "defined (%s) but not found", user_func->value.str.val);
-				incomplete_class = 1;
-				ce = PHP_IC_ENTRY;
-			} else {
-				if (zend_hash_find(CG(class_table), class_name, len2 + 1, (void **) &ce) != SUCCESS) {
-					php_error_docref(NULL TSRMLS_CC, E_WARNING, "(%s) hasn't defined the class it was called for", user_func->value.str.val);
-					incomplete_class = 1;
-					ce = PHP_IC_ENTRY;
-				} else {
-#ifdef ZEND_ENGINE_2
-					ce = *(zend_class_entry **)ce; /* Bad hack, TBF! */
-#endif	
-					efree(class_name);
-				}
-			}
+			php_error_docref(NULL TSRMLS_CC, E_WARNING, "(%s) hasn't defined the class it was called for", user_func->value.str.val);
+			incomplete_class = 1;
+			ce = PHP_IC_ENTRY;
 		}
-	} else {
-#ifdef ZEND_ENGINE_2
-		ce = *(zend_class_entry **)ce; /* Bad hack, TBF! */
-#endif	
-		efree(class_name);
-	}
 
+		zval_ptr_dtor(&user_func);
+		zval_ptr_dtor(&arg_func_name);
+		break;
+	} while (1);
+	
 	*p = YYCURSOR;
 	elements = object_common1(UNSERIALIZE_PASSTHRU, ce);
 
 	if (incomplete_class) {
 		php_store_class_name(*rval, class_name, len2);
-		efree(class_name);
 	}
+	efree(class_name);
 
 	return object_common2(UNSERIALIZE_PASSTHRU, elements);
 }
@@ -797,7 +808,7 @@
 	return 1;
 }
 }
-#line 432
+#line 443
 
 
 	return 0;

--=-TOo0xhcbOuX1vmhwbtDN--