Fix #77298: segfault occurs when add property to unserialized empty ArrayObject

CHU Zhaowei 2018-12-19 16:53:48 +01:00 committed by Christoph M. Becker
parent 95193c3872
commit b15189f4d8
3 changed files with 35 additions and 1 deletions

4
NEWS

@ -2,6 +2,10 @@ PHP NEWS
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||| |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
?? ??? ????, PHP 7.3.2 ?? ??? ????, PHP 7.3.2
- SPL:
. Fixed bug #77298 (segfault occurs when add property to unserialized empty
ArrayObject). (jhdxr)
03 Jan 2019, PHP 7.3.1 03 Jan 2019, PHP 7.3.1
- Core: - Core:


@ -1842,7 +1842,9 @@ SPL_METHOD(Array, unserialize)
if (Z_TYPE_P(array) == IS_ARRAY) { if (Z_TYPE_P(array) == IS_ARRAY) {
zval_ptr_dtor(&intern->array); zval_ptr_dtor(&intern->array);
ZVAL_COPY(&intern->array, array); ZVAL_COPY_VALUE(&intern->array, array);
ZVAL_NULL(array);
SEPARATE_ARRAY(&intern->array);
} else { } else {
spl_array_set_array(object, intern, array, 0L, 1); spl_array_set_array(object, intern, array, 0L, 1);
} }
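Review bot: The three statements that replace `ZVAL_COPY` in the `IS_ARRAY` branch have no comment, and their order matters for memory safety on a path fed by serialized input. I would add above them `/* Move the unserialized array into intern->array, clear the source zval so it is not released a second time, then separate so later writes never hit a shared or immutable array (bug #77298). */`. The body of `SPL_METHOD(Array, unserialize)` starts and ends outside this hunk, so how `array` is allocated and destroyed is not visible here. The double-release reading of `ZVAL_NULL(array)` is therefore inferred and worth confirming against the rest of the function.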


@ -0,0 +1,28 @@
--TEST--
Bug #77298 (segfault occurs when add property to unserialized ArrayObject)
--FILE--
<?php
$o = new ArrayObject();
$o2 = unserialize(serialize($o));
$o2[1]=123;
var_dump($o2);
$o3 = new ArrayObject();
$o3->unserialize($o->serialize());
$o3['xm']=456;
var_dump($o3);
--EXPECT--
object(ArrayObject)#2 (1) {
["storage":"ArrayObject":private]=>
array(1) {
[1]=>
int(123)
}
}
object(ArrayObject)#3 (1) {
["storage":"ArrayObject":private]=>
array(1) {
["xm"]=>
int(456)
}
}
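Review bot: Both cases in the test start from an empty `ArrayObject`, so only the empty-storage path of the fix is pinned; a write after unserializing non-empty storage is not exercised. I would add a third case such as `$o4 = unserialize(serialize(new ArrayObject([1]))); $o4[] = 2; var_dump($o4);` with its matching `--EXPECT--` output, so a regression in the separation step shows up too. The `--TEST--` title also drops the word "empty" from the bug title, which makes the case being covered less clear.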