mirror of
https://github.com/php/php-src.git
synced 2024-09-21 18:07:23 +00:00
Fixed bug #73900
This commit is contained in:
parent
de66e80d75
commit
2fddc4a7f1
1
NEWS
1
NEWS
@ -6,6 +6,7 @@ PHP NEWS
|
||||
. Fixed bug #74780 (parse_url() borken when query string contains colon).
|
||||
(jhdxr)
|
||||
. Fixed bug #74761 (Unary operator expected error on some systems). (petk)
|
||||
. Fixed bug #73900 (Use After Free in unserialize() SplFixedArray). (nikic)
|
||||
|
||||
- SPL:
|
||||
. Fixed bug #73471 (PHP freezes with AppendIterator). (jhdxr)
|
||||
|
15
Zend/tests/bug73900.phpt
Normal file
15
Zend/tests/bug73900.phpt
Normal file
@ -0,0 +1,15 @@
|
||||
--TEST--
|
||||
Bug #73900: Use After Free in unserialize() SplFixedArray
|
||||
--FILE--
|
||||
<?php
|
||||
|
||||
$a = new stdClass;
|
||||
$b = new SplFixedArray(1);
|
||||
$b[0] = $a;
|
||||
$c = &$b[0];
|
||||
var_dump($c);
|
||||
|
||||
?>
|
||||
--EXPECT--
|
||||
object(stdClass)#1 (0) {
|
||||
}
|
@ -1758,16 +1758,9 @@ convert_to_array:
|
||||
zend_error(E_NOTICE, "Indirect modification of overloaded element of %s has no effect", ZSTR_VAL(ce->name));
|
||||
} else if (EXPECTED(retval && Z_TYPE_P(retval) != IS_UNDEF)) {
|
||||
if (!Z_ISREF_P(retval)) {
|
||||
if (Z_REFCOUNTED_P(retval) &&
|
||||
Z_REFCOUNT_P(retval) > 1) {
|
||||
if (Z_TYPE_P(retval) != IS_OBJECT) {
|
||||
Z_DELREF_P(retval);
|
||||
ZVAL_DUP(result, retval);
|
||||
retval = result;
|
||||
} else {
|
||||
ZVAL_COPY_VALUE(result, retval);
|
||||
retval = result;
|
||||
}
|
||||
if (result != retval) {
|
||||
ZVAL_COPY(result, retval);
|
||||
retval = result;
|
||||
}
|
||||
if (Z_TYPE_P(retval) != IS_OBJECT) {
|
||||
zend_class_entry *ce = Z_OBJCE_P(container);
|
||||
|
Loading…
Reference in New Issue
Block a user