mirror of
https://github.com/php/php-src.git
synced 2024-09-22 10:27:25 +00:00
php_add_var_hash() uses sizeof(id) in the calls to zend_hash_*, implying
that all bytes in the character array have been set (they are used to compute the hash value using hashpjw). The function assumes that sprintf's %p modifier would always prefix the output with "0x". On HPUX, this is not the case. Hence, not all bytes may be properly initialized before being read. This has been addressed by using only initialized bytes as the key.
This commit is contained in:
parent
426d4104ea
commit
dbb3402c0f
@ -161,7 +161,7 @@ inline int php_add_var_hash(HashTable *var_hash, zval *var, void *var_old) {
|
||||
snprintf(id,sizeof(id)-1, "%p", var);
|
||||
id[sizeof(id)-1]='\0';
|
||||
|
||||
if(var_old && zend_hash_find(var_hash, id, sizeof(id), var_old) == SUCCESS) {
|
||||
if(var_old && zend_hash_find(var_hash, id, strlen(id), var_old) == SUCCESS) {
|
||||
if(!var->is_ref) {
|
||||
/* we still need to bump up the counter, since non-refs will
|
||||
be counted separately by unserializer */
|
||||
@ -172,7 +172,7 @@ inline int php_add_var_hash(HashTable *var_hash, zval *var, void *var_old) {
|
||||
}
|
||||
|
||||
var_no = zend_hash_num_elements(var_hash)+1; /* +1 because otherwise hash will think we are trying to store NULL pointer */
|
||||
zend_hash_add(var_hash, id, sizeof(id), &var_no, sizeof(var_no), NULL);
|
||||
zend_hash_add(var_hash, id, strlen(id), &var_no, sizeof(var_no), NULL);
|
||||
return SUCCESS;
|
||||
}
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user