felipe Sun, 01 Nov 2009 17:30:55 +0000 Revision: http://svn.php.net/viewvc?view=revision&revision=290128
Log: - Fixed bug #50006 (Segfault caused by uksort()) [5_2 only] Bug: http://bugs.php.net/50006 (Verified) Segfault caused by uksort() (PHP_5_2 only!) Changed paths: U php/php-src/branches/PHP_5_2/NEWS U php/php-src/branches/PHP_5_2/ext/standard/array.c A php/php-src/branches/PHP_5_2/ext/standard/tests/array/bug50006.phpt A php/php-src/branches/PHP_5_3/ext/standard/tests/array/bug50006.phpt A php/php-src/trunk/ext/standard/tests/array/bug50006.phpt Modified: php/php-src/branches/PHP_5_2/NEWS =================================================================== --- php/php-src/branches/PHP_5_2/NEWS 2009-11-01 15:12:34 UTC (rev 290127) +++ php/php-src/branches/PHP_5_2/NEWS 2009-11-01 17:30:55 UTC (rev 290128) @@ -19,6 +19,7 @@ (Felipe) - Fixed memory leak in openssl_pkcs12_export_to_file(). (Felipe) +- Fixed bug #50006 (Segfault caused by uksort()). (Felipe) - Fixed bug #49990 (SNMP3 warning message about security level printed twice). (Jani) - Fixed bug #49985 (pdo_pgsql prepare() re-use previous aborted Modified: php/php-src/branches/PHP_5_2/ext/standard/array.c =================================================================== --- php/php-src/branches/PHP_5_2/ext/standard/array.c 2009-11-01 15:12:34 UTC (rev 290127) +++ php/php-src/branches/PHP_5_2/ext/standard/array.c 2009-11-01 17:30:55 UTC (rev 290128) @@ -762,17 +762,17 @@ static int array_user_key_compare(const void *a, const void *b TSRMLS_DC) /* {{{ */ { + zend_fcall_info fci; Bucket *f; Bucket *s; zval *key1, *key2; - zval *args[2]; - zval retval; - int status; + zval **args[2]; + zval *retval_ptr = NULL; ALLOC_INIT_ZVAL(key1); ALLOC_INIT_ZVAL(key2); - args[0] = key1; - args[1] = key2; + args[0] = &key1; + args[1] = &key2; f = *((Bucket **) a); s = *((Bucket **) b); @@ -793,16 +793,30 @@ Z_LVAL_P(key2) = s->h; Z_TYPE_P(key2) = IS_LONG; } + + fci.size = sizeof(fci); + fci.function_table = EG(function_table); + fci.function_name = *BG(user_compare_func_name); + fci.symbol_table = NULL; + fci.object_pp = NULL; + fci.retval_ptr_ptr = &retval_ptr; + fci.param_count = 2; + fci.params = args; + fci.no_separation = 0; - status = call_user_function(EG(function_table), NULL, *BG(user_compare_func_name), &retval, 2, args TSRMLS_CC); - - zval_ptr_dtor(&key1); - zval_ptr_dtor(&key2); - - if (status == SUCCESS) { - convert_to_long(&retval); - return Z_LVAL(retval); + if (zend_call_function(&fci, &BG(user_compare_fci_cache) TSRMLS_CC)== SUCCESS + && retval_ptr) { + long retval; + + convert_to_long_ex(&retval_ptr); + retval = Z_LVAL_P(retval_ptr); + zval_ptr_dtor(&retval_ptr); + zval_ptr_dtor(&key1); + zval_ptr_dtor(&key2); + return retval; } else { + zval_ptr_dtor(&key1); + zval_ptr_dtor(&key2); return 0; } } Added: php/php-src/branches/PHP_5_2/ext/standard/tests/array/bug50006.phpt =================================================================== --- php/php-src/branches/PHP_5_2/ext/standard/tests/array/bug50006.phpt (rev 0) +++ php/php-src/branches/PHP_5_2/ext/standard/tests/array/bug50006.phpt 2009-11-01 17:30:55 UTC (rev 290128) @@ -0,0 +1,29 @@ +--TEST-- +Bug #50006 (Segfault caused by uksort()) +--FILE-- +<?php + +$data = array( + 'bar-bazbazbaz.' => 0, + 'bar-bazbazbaz-' => 0, + 'foo' => 0, +); +uksort($data, 'magic_sort_cmp'); +print_r($data); + +function magic_sort_cmp($a, $b) { + $a = substr($a, 1); + $b = substr($b, 1); + if (!$a) return $b ? -1 : 0; + if (!$b) return 1; + return magic_sort_cmp($a, $b); +} + +?> +--EXPECTF-- +Array +( + [foo] => 0 + [bar-bazbazbaz-] => 0 + [bar-bazbazbaz.] => 0 +) Property changes on: php/php-src/branches/PHP_5_2/ext/standard/tests/array/bug50006.phpt ___________________________________________________________________ Added: svn:keywords + Id Rev Revision Added: svn:eol-style + native Added: php/php-src/branches/PHP_5_3/ext/standard/tests/array/bug50006.phpt =================================================================== --- php/php-src/branches/PHP_5_3/ext/standard/tests/array/bug50006.phpt (rev 0) +++ php/php-src/branches/PHP_5_3/ext/standard/tests/array/bug50006.phpt 2009-11-01 17:30:55 UTC (rev 290128) @@ -0,0 +1,29 @@ +--TEST-- +Bug #50006 (Segfault caused by uksort()) +--FILE-- +<?php + +$data = array( + 'bar-bazbazbaz.' => 0, + 'bar-bazbazbaz-' => 0, + 'foo' => 0, +); +uksort($data, 'magic_sort_cmp'); +print_r($data); + +function magic_sort_cmp($a, $b) { + $a = substr($a, 1); + $b = substr($b, 1); + if (!$a) return $b ? -1 : 0; + if (!$b) return 1; + return magic_sort_cmp($a, $b); +} + +?> +--EXPECTF-- +Array +( + [foo] => 0 + [bar-bazbazbaz-] => 0 + [bar-bazbazbaz.] => 0 +) Property changes on: php/php-src/branches/PHP_5_3/ext/standard/tests/array/bug50006.phpt ___________________________________________________________________ Added: svn:keywords + Id Rev Revision Added: svn:eol-style + native Added: php/php-src/trunk/ext/standard/tests/array/bug50006.phpt =================================================================== --- php/php-src/trunk/ext/standard/tests/array/bug50006.phpt (rev 0) +++ php/php-src/trunk/ext/standard/tests/array/bug50006.phpt 2009-11-01 17:30:55 UTC (rev 290128) @@ -0,0 +1,29 @@ +--TEST-- +Bug #50006 (Segfault caused by uksort()) +--FILE-- +<?php + +$data = array( + 'bar-bazbazbaz.' => 0, + 'bar-bazbazbaz-' => 0, + 'foo' => 0, +); +uksort($data, 'magic_sort_cmp'); +print_r($data); + +function magic_sort_cmp($a, $b) { + $a = substr($a, 1); + $b = substr($b, 1); + if (!$a) return $b ? -1 : 0; + if (!$b) return 1; + return magic_sort_cmp($a, $b); +} + +?> +--EXPECTF-- +Array +( + [foo] => 0 + [bar-bazbazbaz-] => 0 + [bar-bazbazbaz.] => 0 +) Property changes on: php/php-src/trunk/ext/standard/tests/array/bug50006.phpt ___________________________________________________________________ Added: svn:keywords + Id Rev Revision Added: svn:eol-style + native
-- PHP CVS Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php