dmitry                                   Fri, 14 Aug 2009 06:20:21 +0000

Revision: http://svn.php.net/viewvc?view=revision&revision=287275

Log:
Fixed crash in usort() and uasort() in case user comparison function modifyes th
e array.

Changed paths:
    U   php/php-src/branches/PHP_5_3/ext/standard/array.c

Modified: php/php-src/branches/PHP_5_3/ext/standard/array.c
===================================================================
--- php/php-src/branches/PHP_5_3/ext/standard/array.c   2009-08-14 06:18:47 UTC 
(rev 287274)
+++ php/php-src/branches/PHP_5_3/ext/standard/array.c   2009-08-14 06:20:21 UTC 
(rev 287275)
@@ -629,6 +629,7 @@
 PHP_FUNCTION(usort)
 {
        zval *array;
+       int refcount;
        PHP_ARRAY_CMP_FUNC_VARS;

        PHP_ARRAY_CMP_FUNC_BACKUP();
@@ -638,12 +639,31 @@
                return;
        }

+       /* Clear the is_ref flag, so the attemts to modify the array in user
+        * comaprison function will create a copy of array and won't affect the
+        * original array. The fact of modification is detected using refcount
+        * comparison. The result of sorting in such case is undefined and the
+        * function returns FALSE.
+        */
+       Z_UNSET_ISREF_P(array);
+       refcount = Z_REFCOUNT_P(array);
+
        if (zend_hash_sort(Z_ARRVAL_P(array), zend_qsort, 
php_array_user_compare, 1 TSRMLS_CC) == FAILURE) {
-               PHP_ARRAY_CMP_FUNC_RESTORE();
-               RETURN_FALSE;
+               RETVAL_FALSE;
+       } else {
+               if (refcount > Z_REFCOUNT_P(array)) {
+                       php_error_docref(NULL TSRMLS_CC, E_WARNING, "Array was 
modified by the user comparison function");
+                       RETVAL_FALSE;
+               } else {
+                       RETVAL_TRUE;
+               }
        }
+
+       if (Z_REFCOUNT_P(array) > 1) {
+               Z_SET_ISREF_P(array);
+       }
+
        PHP_ARRAY_CMP_FUNC_RESTORE();
-       RETURN_TRUE;
 }
 /* }}} */

@@ -652,6 +672,7 @@
 PHP_FUNCTION(uasort)
 {
        zval *array;
+       int refcount;
        PHP_ARRAY_CMP_FUNC_VARS;

        PHP_ARRAY_CMP_FUNC_BACKUP();
@@ -661,12 +682,31 @@
                return;
        }

+       /* Clear the is_ref flag, so the attemts to modify the array in user
+        * comaprison function will create a copy of array and won't affect the
+        * original array. The fact of modification is detected using refcount
+        * comparison. The result of sorting in such case is undefined and the
+        * function returns FALSE.
+        */
+       Z_UNSET_ISREF_P(array);
+       refcount = Z_REFCOUNT_P(array);
+
        if (zend_hash_sort(Z_ARRVAL_P(array), zend_qsort, 
php_array_user_compare, 0 TSRMLS_CC) == FAILURE) {
-               PHP_ARRAY_CMP_FUNC_RESTORE();
-               RETURN_FALSE;
+               RETVAL_FALSE;
+       } else {
+               if (refcount > Z_REFCOUNT_P(array)) {
+                       php_error_docref(NULL TSRMLS_CC, E_WARNING, "Array was 
modified by the user comparison function");
+                       RETVAL_FALSE;
+               } else {
+                       RETVAL_TRUE;
+               }
        }
+
+       if (Z_REFCOUNT_P(array) > 1) {
+               Z_SET_ISREF_P(array);
+       }
+
        PHP_ARRAY_CMP_FUNC_RESTORE();
-       RETURN_TRUE;
 }
 /* }}} */


-- 
PHP CVS Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to