Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:88025 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 83061 invoked from network); 3 Sep 2015 08:21:19 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 3 Sep 2015 08:21:19 -0000 Authentication-Results: pb1.pair.com header.from=yohgaki@gmail.com; sender-id=pass Authentication-Results: pb1.pair.com smtp.mail=yohgaki@gmail.com; spf=pass; sender-id=pass Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.160.179 as permitted sender) X-PHP-List-Original-Sender: yohgaki@gmail.com X-Host-Fingerprint: 209.85.160.179 mail-yk0-f179.google.com Received: from [209.85.160.179] ([209.85.160.179:33146] helo=mail-yk0-f179.google.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id EC/45-53181-EF208E55 for ; Thu, 03 Sep 2015 04:21:18 -0400 Received: by ykei199 with SMTP id i199so36014816yke.0 for ; Thu, 03 Sep 2015 01:21:16 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc:content-type; bh=oEm6Y106Hmh6QlE6BqxRE69rzNOC8YU76ClDYcf/2Dg=; b=BFzEIaFktWE8vV9SHP6YFwJZpZNQhTCsgAi+9H+yuKrAos7vr+1Af9UgZc7hX2e8Fy oklaLv858sx57EWXU6avWD7mSOtZKG/JRnbD2w/1HjWdnuJVIW4hQWwLa9Qz+N6tbiZC evMndEwjclfDz226CtksZ8+wLmFNcO5xQpR6YKLfekkSUMtGeVAY6pMxWpLi5s3zy/CO Bdt0NsMHLXA43Jf8hsOQGU40n+ojUW2K4F9aP/EUtq+5FNRwUV3r83BzI10cnkG3ZBgm +tEdZKJQksaZfGOGgRwm+E5UntYGoLnY5s5Txv6dAkMtHsRiU3VrkwTqcP+esFuOddyO 7WsQ== X-Received: by 10.129.103.5 with SMTP id b5mr39667534ywc.55.1441268476293; Thu, 03 Sep 2015 01:21:16 -0700 (PDT) MIME-Version: 1.0 Sender: yohgaki@gmail.com Received: by 10.129.57.215 with HTTP; Thu, 3 Sep 2015 01:20:36 -0700 (PDT) In-Reply-To: <55E7D2E5.50104@gmail.com> References: <55E610C1.1000203@gmail.com> <55E7D2E5.50104@gmail.com> Date: Thu, 3 Sep 2015 17:20:36 +0900 X-Google-Sender-Auth: c5xqqcSYf__ptl0UMzgzwMw8T5s Message-ID: To: Stanislav Malyshev Cc: PHP Internals Content-Type: text/plain; charset=UTF-8 Subject: Re: [PHP-DEV] Heads up: merging security patches to 7 From: yohgaki@ohgaki.net (Yasuo Ohgaki) Hi Stas, On Thu, Sep 3, 2015 at 1:56 PM, Stanislav Malyshev wrote: >> I see number of var_push_dtor() to fix unserialization. >> var_push_dtor() or var_push_dtor_no_addref() is required always when >> php_var_unserialize() is failed. >> Am I correct? > > Not necessarily. Basically, what happens is that when you do > php_var_unserialize() the value you unserialize gets a slot in the > reference table. So if you are destroying it and some serialization part > later tries to access it - boom! That's where var_push_* comes in. The > first one adds refcount so even if everybody drops references to it the > value still survives. The second is used when we know no code uses this > value, so no need to add refcount - only thing that should keep it alive > is that it's still in the refs table (except for the case where it is > taken from the table by r: or R: - then its refcount is bumped). > > Now the failure is tricky case - generally after the failure we need to > bail out ASAP, but that failure may not be the final failure - > serializes can be nested. So we may want to keep the values around even > if our unserialize fails, because encompassing serialize may still > reference that variable, since we may have already put it in the refs > table. We could make serialize failure a fatal error, but that'd be > pretty big BC break (exception wouldn't work, we'd need full blown fatal > E_ERROR). > > In general, the idea is that anything that was put in reference table > (namely, anything that passed through php_var_unserialize()) should be > kept alive until the end of unserialize() call. Which means it should be > put to dtor list via var_push_dtor() or var_push_dtor_no_addref(). > > Now, that all was true for PHP 5. For PHP 7, the matter are more > complicated as the lists now keep zvals and not zval *, and I'm not 100% > sure yet what that means. I need to look into it and figure out. Thank you for the detailed explanation! It's very helpful and it seems I'm better to wait for unserialize() patch. I'll finish other parts first. Regards, -- Yasuo Ohgaki yohgaki@ohgaki.net