dmitry                                   Wed, 12 May 2010 11:32:25 +0000

Revision: http://svn.php.net/viewvc?view=revision&revision=299281

Log:
Fixed a possible memory corruption in parse_str(). Reported by Stefan Esser

Changed paths:
    U   php/php-src/branches/PHP_5_3/NEWS
    U   php/php-src/branches/PHP_5_3/ext/standard/string.c
    U   php/php-src/trunk/ext/standard/string.c

Modified: php/php-src/branches/PHP_5_3/NEWS
===================================================================
--- php/php-src/branches/PHP_5_3/NEWS   2010-05-12 11:10:06 UTC (rev 299280)
+++ php/php-src/branches/PHP_5_3/NEWS   2010-05-12 11:32:25 UTC (rev 299281)
@@ -28,6 +28,8 @@
 - Fixed a possible memory corruption because of unexpected call-time pass by
   refernce and following memory clobbering through callbacks.
   Reported by Stefan Esser (Dmitry)
+- Fixed a possible memory corruption in parse_str(). Reported by Stefan Esser
+  (Dmitry)
 - Fixed a possible memory corruption in pack(). Reported by Stefan Esser
   (Dmitry)
 - Fixed a possible memory corruption in substr_replace(). Reported by Stefan

Modified: php/php-src/branches/PHP_5_3/ext/standard/string.c
===================================================================
--- php/php-src/branches/PHP_5_3/ext/standard/string.c  2010-05-12 11:10:06 UTC (rev 299280)
+++ php/php-src/branches/PHP_5_3/ext/standard/string.c  2010-05-12 11:32:25 UTC (rev 299281)
@@ -4146,11 +4146,14 @@
                Z_ARRVAL(tmp) = EG(active_symbol_table);
                sapi_module.treat_data(PARSE_STRING, res, &tmp TSRMLS_CC);
        } else  {
+               zval ret;
+
+               array_init(&ret);
+               sapi_module.treat_data(PARSE_STRING, res, &ret TSRMLS_CC);
                /* Clear out the array that was passed in. */
                zval_dtor(arrayArg);
-               array_init(arrayArg);
-
-               sapi_module.treat_data(PARSE_STRING, res, arrayArg TSRMLS_CC);
+               arrayArg->type = ret.type;
+               arrayArg->value = ret.value;
        }
 }
 /* }}} */
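Review bot: In the else branch, `zval_dtor(arrayArg)` still runs while `arrayArg` holds the old array, and the new type and value are stored only afterwards, so during the destruction the caller's variable refers to a value that is being torn down. If destroying the old contents can re-enter code that reads that variable (object destructors on its elements would be the likely route, though that path is not visible here), this is the same class of problem the commit fixes for `treat_data`. Swapping first and destroying a saved copy closes that window: add `zval old = *arrayArg;` before the two assignments and use `zval_dtor(&old);` after them in place of `zval_dtor(arrayArg);`. The same ordering applies to the trunk hunk, around `ZVAL_COPY_VALUE(arrayArg, &ret);`. The comment `/* Clear out the array that was passed in. */` could also say why parsing goes into `ret` first; the function body begins outside the hunk.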

Modified: php/php-src/trunk/ext/standard/string.c
===================================================================
--- php/php-src/trunk/ext/standard/string.c     2010-05-12 11:10:06 UTC (rev 299280)
+++ php/php-src/trunk/ext/standard/string.c     2010-05-12 11:32:25 UTC (rev 299281)
@@ -4146,11 +4146,13 @@
                Z_ARRVAL(tmp) = EG(active_symbol_table);
                sapi_module.treat_data(PARSE_STRING, res, &tmp TSRMLS_CC);
        } else  {
+               zval ret;
+
+               array_init(&ret);
+               sapi_module.treat_data(PARSE_STRING, res, &ret TSRMLS_CC);
                /* Clear out the array that was passed in. */
                zval_dtor(arrayArg);
-               array_init(arrayArg);
-
-               sapi_module.treat_data(PARSE_STRING, res, arrayArg TSRMLS_CC);
+               ZVAL_COPY_VALUE(arrayArg, &ret);
        }
 }
 /* }}} */
