LMPX.COM |
Home | Linux | Mysql | PHP | XML | ||
|
|
|||
From: Etienne Kneuss Date: Sun Oct 5 08:19:55 2008 Subject: cvs: php-src /ext/spl spl_array.c /ext/spl/tests array_026.phpt
colder Sun Oct 5 14:19:55 2008 UTC
Added files:
/php-src/ext/spl/tests array_026.phpt
Modified files:
/php-src/ext/spl spl_array.c
Log:
Fix #46222 (Allow indirect modifications of Arrays inside ArrayObject + fix EG(uninitialized_zval_ptr) overwrite)
http://cvs.php.net/viewvc.cgi/php-src/ext/spl/spl_array.c?r1=1.150&r2=1.151&diff_format=u
Index: php-src/ext/spl/spl_array.c
diff -u php-src/ext/spl/spl_array.c:1.150 php-src/ext/spl/spl_array.c:1.151
--- php-src/ext/spl/spl_array.c:1.150 Mon Sep 29 22:42:48 2008
+++ php-src/ext/spl/spl_array.c Sun Oct 5 14:19:55 2008
@@ -16,7 +16,7 @@
+----------------------------------------------------------------------+
*/
-/* $Id: spl_array.c,v 1.150 2008/09/29 22:42:48 colder Exp $ */
+/* $Id: spl_array.c,v 1.151 2008/10/05 14:19:55 colder Exp $ */
#ifdef HAVE_CONFIG_H
# include "config.h"
@@ -282,6 +282,7 @@
spl_array_object *intern = (spl_array_object*)zend_object_store_get_object(object TSRMLS_CC);
zval **retval;
long index;
+ HashTable *ht = spl_array_get_hash_table(intern, 0 TSRMLS_CC);
/* We cannot get the pointer pointer so we don't allow it here for now
if (check_inherited && intern->fptr_offset_get) {
@@ -295,9 +296,17 @@
switch(Z_TYPE_P(offset)) {
case IS_STRING:
case IS_UNICODE:
- if (zend_u_symtable_find(spl_array_get_hash_table(intern, 0 TSRMLS_CC), Z_TYPE_P(offset), Z_UNIVAL_P(offset), Z_UNILEN_P(offset)+1, (void **) &retval) == FAILURE) {
- zend_error(E_NOTICE, "Undefined index: %R", Z_TYPE_P(offset), Z_STRVAL_P(offset));
- return &EG(uninitialized_zval_ptr);
+ if (zend_u_symtable_find(ht, Z_TYPE_P(offset), Z_UNIVAL_P(offset), Z_UNILEN_P(offset)+1, (void **) &retval) == FAILURE) {
+ if (type == BP_VAR_W || type == BP_VAR_RW) {
+ zval *value;
+ ALLOC_INIT_ZVAL(value);
+ zend_u_symtable_update(ht, Z_TYPE_P(offset), Z_UNIVAL_P(offset), Z_UNILEN_P(offset)+1, (void**)&value, sizeof(void*), NULL);
+ zend_u_symtable_find(ht, Z_TYPE_P(offset), Z_UNIVAL_P(offset), Z_UNILEN_P(offset)+1, (void **) &retval);
+ return retval;
+ } else {
+ zend_error(E_NOTICE, "Undefined index: %R", Z_TYPE_P(offset), Z_STRVAL_P(offset));
+ return &EG(uninitialized_zval_ptr);
+ }
} else {
return retval;
}
@@ -310,9 +319,17 @@
} else {
index = Z_LVAL_P(offset);
}
- if (zend_hash_index_find(spl_array_get_hash_table(intern, 0 TSRMLS_CC), index, (void **) &retval) == FAILURE) {
- zend_error(E_NOTICE, "Undefined offset: %ld", Z_LVAL_P(offset));
- return &EG(uninitialized_zval_ptr);
+ if (zend_hash_index_find(ht, index, (void **) &retval) == FAILURE) {
+ if (type == BP_VAR_W || type == BP_VAR_RW) {
+ zval *value;
+ ALLOC_INIT_ZVAL(value);
+ zend_hash_index_update(ht, index, (void**)&value, sizeof(void*), NULL);
+ zend_hash_index_find(ht, index, (void **) &retval);
+ return retval;
+ } else {
+ zend_error(E_NOTICE, "Undefined offset: %ld", Z_LVAL_P(offset));
+ return &EG(uninitialized_zval_ptr);
+ }
} else {
return retval;
}
http://cvs.php.net/viewvc.cgi/php-src/ext/spl/tests/array_026.phpt?view=markup&rev=1.1
Index: php-src/ext/spl/tests/array_026.phpt
+++ php-src/ext/spl/tests/array_026.phpt
--TEST--
SPL: ArrayObject indirect offsetGet overwriting EG(uninitialized_zvar_ptr)
--FILE--
<?php
$test = new ArrayObject();
$test['d1']['d2'] = 'hello';
$test['d1']['d3'] = 'world';
var_dump($test, $test3['mmmmm']);
?>
--EXPECTF--
Notice: Undefined variable: test3 in %s%earray_026.php on line 5
object(ArrayObject)#%d (1) {
[u"storage":u"ArrayObject":private]=>
array(1) {
[u"d1"]=>
array(2) {
[u"d2"]=>
unicode(5) "hello"
[u"d3"]=>
unicode(5) "world"
}
}
}
NULL
| Navigate in group php.cvs at sever news.php.net | |
| Previous | Next |
| © No Copyright You are free to use Anything |
Site Maintained by Zareef Ahmed
Powered By PHP Consultants |