Fixed a possible memory corruption in pack(). Reported by Stefan Esser

NEWS

@@ -26,6 +26,8 @@ PHP                                                                        NEWS
 - Fixed a possible memory corruption because of unexpected call-time pass by
   refernce and following memory clobbering through callbacks.
   Reported by Stefan Esser (Dmitry)
+- Fixed a possible memory corruption in pack(). Reported by Stefan Esser
+  (Dmitry)
 - Fixed a possible memory corruption in substr_replace(). Reported by Stefan    
   Esser (Dmitry)
 - Fixed a possible memory corruption in addcslashes(). Reported by Stefan    

ext/standard/pack.c

@@ -121,6 +121,9 @@ PHP_FUNCTION(pack)
 		return;
 	}
 
+	if (Z_ISREF_PP(argv[0])) {
+		SEPARATE_ZVAL(argv[0]);
+	}
 	convert_to_string_ex(argv[0]);
 
 	format = Z_STRVAL_PP(argv[0]);
@@ -179,6 +182,9 @@ PHP_FUNCTION(pack)
 				}
 
 				if (arg < 0) {
+					if (Z_ISREF_PP(argv[currentarg])) {
+						SEPARATE_ZVAL(argv[currentarg]);
+					}
 					convert_to_string_ex(argv[currentarg]);
 					arg = Z_STRLEN_PP(argv[currentarg]);
 				}
@@ -312,6 +318,9 @@ PHP_FUNCTION(pack)
 			case 'A': 
 				memset(&output[outputpos], (code == 'a') ? '\0' : ' ', arg);
 				val = argv[currentarg++];
+				if (Z_ISREF_PP(val)) {
+					SEPARATE_ZVAL(val);
+				}
 				convert_to_string_ex(val);
 				memcpy(&output[outputpos], Z_STRVAL_PP(val),
 					   (Z_STRLEN_PP(val) < arg) ? Z_STRLEN_PP(val) : arg);
@@ -325,6 +334,9 @@ PHP_FUNCTION(pack)
 				char *v;
 
 				val = argv[currentarg++];
+				if (Z_ISREF_PP(val)) {
+					SEPARATE_ZVAL(val);
+				}
 				convert_to_string_ex(val);
 				v = Z_STRVAL_PP(val);
 				outputpos--;