Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:88019
Return-Path: <smalyshev@gmail.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 60443 invoked from network); 3 Sep 2015 04:56:22 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 3 Sep 2015 04:56:22 -0000
Authentication-Results: pb1.pair.com header.from=smalyshev@gmail.com; sender-id=pass
Authentication-Results: pb1.pair.com smtp.mail=smalyshev@gmail.com; spf=pass; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.220.46 as permitted sender)
X-PHP-List-Original-Sender: smalyshev@gmail.com
X-Host-Fingerprint: 209.85.220.46 mail-pa0-f46.google.com  
Received: from [209.85.220.46] ([209.85.220.46:34366] helo=mail-pa0-f46.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id 1B/41-53181-5F2D7E55 for <internals@lists.php.net>; Thu, 03 Sep 2015 00:56:22 -0400
Received: by padhy1 with SMTP id hy1so34170274pad.1
        for <internals@lists.php.net>; Wed, 02 Sep 2015 21:56:19 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=subject:to:references:cc:from:message-id:date:user-agent
         :mime-version:in-reply-to:content-type:content-transfer-encoding;
        bh=YKYizaKdWvlvI0Nq4H84hOkKsqTi0nR+F0bJPu30vlY=;
        b=skybVkmDbWkzA1evUsbht59ZWJlz22HQ7ICOGBULuQHAdwv40qgNvdycQFP32Od4/F
         5swteE8jIquyjY6yc3OMU6ahq8R1eSIFgtoJaqwPBpAludMcrYdzJ09Kva0N5D6R7Hhm
         HyVjVl5n5JBUsrwyf/CrI1RTg4MK3tCblXveVP1jtTezkP80ZtYcmy8rAbGHolXp0SP5
         M6w5QdfqBFZ0pwyHxnciV/FS9sqLyP1vDM43GClz2N1urwnf9//c6AMELrUJF4x3M4Vj
         sGZKDa+ZDWeBlNcrXYEwLwznB3n6PTvi0TmiinIDjLnbllUgKT1OTWSB1L5/zSCG8rdq
         DrxQ==
X-Received: by 10.66.173.72 with SMTP id bi8mr714678pac.27.1441256178939;
        Wed, 02 Sep 2015 21:56:18 -0700 (PDT)
Received: from Stas-Air.local (108-66-6-48.lightspeed.sntcca.sbcglobal.net. [108.66.6.48])
        by smtp.gmail.com with ESMTPSA id gx11sm23496428pbd.82.2015.09.02.21.56.17
        (version=TLSv1/SSLv3 cipher=OTHER);
        Wed, 02 Sep 2015 21:56:18 -0700 (PDT)
To: Yasuo Ohgaki <yohgaki@ohgaki.net>
References: <55E610C1.1000203@gmail.com>
 <CAGa2bXa41Jsh4vfNF+r3Mj2mLqPjT-UcgNgGzQ2U-d6MhwoMNw@mail.gmail.com>
 <CAGa2bXZtigz0dPe67HQJQnfjfnSNbnXP6m9Ut80BtXwF-8FUnA@mail.gmail.com>
Cc: PHP Internals <internals@lists.php.net>
X-Enigmail-Draft-Status: N1110
Message-ID: <55E7D2E5.50104@gmail.com>
Date: Wed, 2 Sep 2015 21:56:05 -0700
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:38.0)
 Gecko/20100101 Thunderbird/38.2.0
MIME-Version: 1.0
In-Reply-To: <CAGa2bXZtigz0dPe67HQJQnfjfnSNbnXP6m9Ut80BtXwF-8FUnA@mail.gmail.com>
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
Subject: Re: [PHP-DEV] Heads up: merging security patches to 7
From: smalyshev@gmail.com (Stanislav Malyshev)

Hi!

> I see number of var_push_dtor() to fix unserialization.
> var_push_dtor() or var_push_dtor_no_addref() is required always when
> php_var_unserialize() is failed.
> Am I correct?

Not necessarily. Basically, what happens is that when you do
php_var_unserialize() the value you unserialize gets a slot in the
reference table. So if you are destroying it and some serialization part
later tries to access it - boom! That's where var_push_* comes in. The
first one adds refcount so even if everybody drops references to it the
value still survives. The second is used when we know no code uses this
value, so no need to add refcount - only thing that should keep it alive
is that it's still in the refs table (except for the case where it is
taken from the table by r: or R: - then its refcount is bumped).

Now the failure is tricky case - generally after the failure we need to
bail out ASAP, but that failure may not be the final failure -
serializes can be nested. So we may want to keep the values around even
if our unserialize fails, because encompassing serialize may still
reference that variable, since we may have already put it in the refs
table. We could make serialize failure a fatal error, but that'd be
pretty big BC break (exception wouldn't work, we'd need full blown fatal
E_ERROR).

In general, the idea is that anything that was put in reference table
(namely, anything that passed through php_var_unserialize()) should be
kept alive until the end of unserialize() call. Which means it should be
put to dtor list via var_push_dtor() or var_push_dtor_no_addref().

Now, that all was true for PHP 5. For PHP 7, the matter are more
complicated as the lists now keep zvals and not zval *, and I'm not 100%
sure yet what that means. I need to look into it and figure out.
-- 
Stas Malyshev
smalyshev@gmail.com