Fix #46222 (Allow indirect modifications of Arrays inside ArrayObject + fix EG(uninitialized_zval_ptr) overwrite)

This commit is contained in:
Etienne Kneuss 2008-10-05 14:20:55 +00:00
parent b5661c4e0c
commit 0d7d9b0540
3 changed files with 49 additions and 6 deletions

NEWS

@ -45,6 +45,8 @@ PHP NEWS
(vnegrier at optilian dot com, Ilia)
- Fixed bug #46192 (ArrayObject with objects as storage serialization).
(Etienne)
- Fixed bug #46222 (ArrayObject EG(uninitialized_var_ptr) overwrite).
(Etienne)
02 Sep 2008, PHP 5.3.0 Alpha 2
- Removed special treatment of "/tmp" in sessions for open_basedir.


@ -281,6 +281,7 @@ static zval **spl_array_get_dimension_ptr_ptr(int check_inherited, zval *object,
spl_array_object *intern = (spl_array_object*)zend_object_store_get_object(object TSRMLS_CC);
zval **retval;
long index;
HashTable *ht = spl_array_get_hash_table(intern, 0 TSRMLS_CC);
/* We cannot get the pointer pointer so we don't allow it here for now
if (check_inherited && intern->fptr_offset_get) {
@ -293,9 +294,17 @@ static zval **spl_array_get_dimension_ptr_ptr(int check_inherited, zval *object,
switch(Z_TYPE_P(offset)) {
case IS_STRING:
if (zend_symtable_find(spl_array_get_hash_table(intern, 0 TSRMLS_CC), Z_STRVAL_P(offset), Z_STRLEN_P(offset)+1, (void **) &retval) == FAILURE) {
zend_error(E_NOTICE, "Undefined index: %s", Z_STRVAL_P(offset));
return &EG(uninitialized_zval_ptr);
if (zend_symtable_find(ht, Z_STRVAL_P(offset), Z_STRLEN_P(offset)+1, (void **) &retval) == FAILURE) {
if (type == BP_VAR_W || type == BP_VAR_RW) {
zval *value;
ALLOC_INIT_ZVAL(value);
zend_symtable_update(ht, Z_STRVAL_P(offset), Z_STRLEN_P(offset)+1, (void**)&value, sizeof(void*), NULL);
zend_symtable_find(ht, Z_STRVAL_P(offset), Z_STRLEN_P(offset)+1, (void **) &retval);
return retval;
} else {
zend_error(E_NOTICE, "Undefined index: %s", Z_STRVAL_P(offset));
return &EG(uninitialized_zval_ptr);
}
} else {
return retval;
}
@ -308,9 +317,17 @@ static zval **spl_array_get_dimension_ptr_ptr(int check_inherited, zval *object,
} else {
index = Z_LVAL_P(offset);
}
if (zend_hash_index_find(spl_array_get_hash_table(intern, 0 TSRMLS_CC), index, (void **) &retval) == FAILURE) {
zend_error(E_NOTICE, "Undefined offset: %ld", Z_LVAL_P(offset));
return &EG(uninitialized_zval_ptr);
if (zend_hash_index_find(ht, index, (void **) &retval) == FAILURE) {
if (type == BP_VAR_W || type == BP_VAR_RW) {
zval *value;
ALLOC_INIT_ZVAL(value);
zend_hash_index_update(ht, index, (void**)&value, sizeof(void*), NULL);
zend_hash_index_find(ht, index, (void **) &retval);
return retval;
} else {
zend_error(E_NOTICE, "Undefined offset: %ld", Z_LVAL_P(offset));
return &EG(uninitialized_zval_ptr);
}
} else {
return retval;
}
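Review bot: The `zend_symtable_find` that follows `zend_symtable_update` in the first new branch (and the `zend_hash_index_find` after `zend_hash_index_update` in the second hunk) has its return value ignored, so if that re-lookup ever failed `retval` would be returned uninitialized as a `zval **`. Both update calls take a destination out-parameter that yields the stored slot without a second hash walk: `zend_symtable_update(ht, Z_STRVAL_P(offset), Z_STRLEN_P(offset)+1, (void**)&value, sizeof(void*), (void **)&retval);` and `zend_hash_index_update(ht, index, (void**)&value, sizeof(void*), (void **)&retval);`, after which the separate find lines can be dropped. Note also that for BP_VAR_RW the new branches create the element silently, whereas a native array fetch in this engine version, as far as I recall, still raises the "Undefined index"/"Undefined offset" notice before creating the slot — worth confirming, and if so keeping the `zend_error` call on the RW path so ArrayObject does not diverge from plain arrays. The `type` parameter and the remainder of spl_array_get_dimension_ptr_ptr lie outside the hunks.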


@ -0,0 +1,24 @@
--TEST--
SPL: ArrayObject indirect offsetGet overwriting EG(uninitialized_zvar_ptr)
--FILE--
<?php
$test = new ArrayObject();
$test['d1']['d2'] = 'hello';
$test['d1']['d3'] = 'world';
var_dump($test, $test3['mmmmm']);
?>
--EXPECTF--
Notice: Undefined variable: test3 in %s%earray_026.php on line %d
object(ArrayObject)#%d (1) {
["storage":"ArrayObject":private]=>
array(1) {
["d1"]=>
array(2) {
["d2"]=>
string(5) "hello"
["d3"]=>
string(5) "world"
}
}
}
NULL
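Review bot: The role of `$test3['mmmmm']` in the `var_dump` call is undocumented: presumably reading an undefined variable hands back the engine's shared uninitialized zval, so the trailing `NULL` in the expected output is what proves the two indirect writes above did not clobber `EG(uninitialized_zval_ptr)`. A one-line comment such as `// $test3 is undefined on purpose: it must still read as NULL after the indirect writes above` would spare the next reader that deduction. The `--TEST--` line also spells the symbol `uninitialized_zvar_ptr` while the commit title uses `uninitialized_zval_ptr` and the NEWS entry `uninitialized_var_ptr`; using the real engine name in all three keeps the fix greppable.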