Commit: 67d7d03f00cb3185a4d5958ab7a4b063fc33405c Author: Xinchen Hui <larue...@php.net> Sat, 1 Sep 2012 14:17:39 +0800 Parents: 5dc2cef370885c552c20f3ff44bccd402850de9e Branches: PHP-5.3
Link: http://git.php.net/?p=php-src.git;a=commitdiff;h=67d7d03f00cb3185a4d5958ab7a4b063fc33405c Log: Fixed bug #62987 (Assigning to ArrayObject[null][something] overrides all undefined variables) The get_zval_ptr_ptr of spl_array handler should act as same as the vm's Bugs: https://bugs.php.net/62987 Changed paths: M NEWS M ext/spl/spl_array.c A ext/spl/tests/bug62978.phpt Diff: diff --git a/NEWS b/NEWS index a6e05be..ae82821 100644 --- a/NEWS +++ b/NEWS @@ -45,6 +45,8 @@ PHP NEWS . Fixed bug (segfault due to retval is not initialized). (Laruence) - SPL: + . Bug #62987 (Assigning to ArrayObject[null][something] overrides all + undefined variables). (Laruence) . Fixed bug #62904 (Crash when cloning an object which inherits SplFixedArray) (Laruence) . Fixed bug #62616 (ArrayIterator::count() from IteratorIterator instance diff --git a/ext/spl/spl_array.c b/ext/spl/spl_array.c index 80ca5be..11540de 100755 --- a/ext/spl/spl_array.c +++ b/ext/spl/spl_array.c @@ -312,38 +312,41 @@ static zval **spl_array_get_dimension_ptr_ptr(int check_inherited, zval *object, long index; HashTable *ht = spl_array_get_hash_table(intern, 0 TSRMLS_CC); -/* We cannot get the pointer pointer so we don't allow it here for now - if (check_inherited && intern->fptr_offset_get) { - return zend_call_method_with_1_params(&object, Z_OBJCE_P(object), &intern->fptr_offset_get, "offsetGet", NULL, offset); - }*/ - if (!offset) { return &EG(uninitialized_zval_ptr); } if ((type == BP_VAR_W || type == BP_VAR_RW) && (ht->nApplyCount > 0)) { zend_error(E_WARNING, "Modification of ArrayObject during sorting is prohibited"); - return &EG(uninitialized_zval_ptr);; + return &EG(error_zval_ptr);; } switch(Z_TYPE_P(offset)) { + case IS_NULL: + Z_STRVAL_P(offset) = ""; + Z_STRLEN_P(offset) = 0; case IS_STRING: if (zend_symtable_find(ht, Z_STRVAL_P(offset), Z_STRLEN_P(offset)+1, (void **) &retval) == FAILURE) { - if (type == BP_VAR_W || type == BP_VAR_RW) { - zval *value; - ALLOC_INIT_ZVAL(value); - zend_symtable_update(ht, Z_STRVAL_P(offset), Z_STRLEN_P(offset)+1, (void**)&value, sizeof(void*), NULL); - zend_symtable_find(ht, Z_STRVAL_P(offset), Z_STRLEN_P(offset)+1, (void **) &retval); - return retval; - } else { - zend_error(E_NOTICE, "Undefined index: %s", Z_STRVAL_P(offset)); - return &EG(uninitialized_zval_ptr); + switch (type) { + case BP_VAR_R: + zend_error(E_NOTICE, "Undefined index: %s", Z_STRVAL_P(offset)); + case BP_VAR_UNSET: + case BP_VAR_IS: + retval = &EG(uninitialized_zval_ptr); + break; + case BP_VAR_RW: + zend_error(E_NOTICE,"Undefined index: %s", Z_STRVAL_P(offset)); + case BP_VAR_W: { + zval *value; + ALLOC_INIT_ZVAL(value); + zend_symtable_update(ht, Z_STRVAL_P(offset), Z_STRLEN_P(offset)+1, (void**)&value, sizeof(void*), (void **)&retval); + } } - } else { - return retval; } - case IS_DOUBLE: + return retval; case IS_RESOURCE: + zend_error(E_STRICT, "Resource ID#%ld used as offset, casting to integer (%ld)", Z_LVAL_P(offset), Z_LVAL_P(offset)); + case IS_DOUBLE: case IS_BOOL: case IS_LONG: if (offset->type == IS_DOUBLE) { @@ -352,23 +355,27 @@ static zval **spl_array_get_dimension_ptr_ptr(int check_inherited, zval *object, index = Z_LVAL_P(offset); } if (zend_hash_index_find(ht, index, (void **) &retval) == FAILURE) { - if (type == BP_VAR_W || type == BP_VAR_RW) { - zval *value; - ALLOC_INIT_ZVAL(value); - zend_hash_index_update(ht, index, (void**)&value, sizeof(void*), NULL); - zend_hash_index_find(ht, index, (void **) &retval); - return retval; - } else { - zend_error(E_NOTICE, "Undefined offset: %ld", index); - return &EG(uninitialized_zval_ptr); + switch (type) { + case BP_VAR_R: + zend_error(E_NOTICE, "Undefined offset: %ld", index); + case BP_VAR_UNSET: + case BP_VAR_IS: + retval = &EG(uninitialized_zval_ptr); + break; + case BP_VAR_RW: + zend_error(E_NOTICE, "Undefined offset: %ld", index); + case BP_VAR_W: { + zval *value; + ALLOC_INIT_ZVAL(value); + zend_hash_index_update(ht, index, (void**)&value, sizeof(void*), (void **)&retval); + } } - } else { - return retval; } - break; + return retval; default: zend_error(E_WARNING, "Illegal offset type"); - return &EG(uninitialized_zval_ptr); + return (type == BP_VAR_W || type == BP_VAR_RW) ? + &EG(error_zval_ptr) : &EG(uninitialized_zval_ptr); } } /* }}} */ @@ -664,7 +671,6 @@ SPL_METHOD(Array, offsetSet) spl_array_write_dimension_ex(0, getThis(), index, value TSRMLS_CC); } /* }}} */ - void spl_array_iterator_append(zval *object, zval *append_value TSRMLS_DC) /* {{{ */ { spl_array_object *intern = (spl_array_object*)zend_object_store_get_object(object TSRMLS_CC); diff --git a/ext/spl/tests/bug62978.phpt b/ext/spl/tests/bug62978.phpt new file mode 100644 index 0000000..94068d5 --- /dev/null +++ b/ext/spl/tests/bug62978.phpt @@ -0,0 +1,50 @@ +--TEST-- +Bug #62987 (Assigning to ArrayObject[null][something] overrides all undefined variables) +--FILE-- +<?php +$a = new ArrayObject(); + +$b = array(); + +$a[null]['hurr'] = 'durr'; + +var_dump($a['epic_magic']); +var_dump($b['epic_magic']); +var_dump($c['epic_magic']); // Undefined var!! + +$d = array(); +var_dump($a['epic_magic']); // more magic! +var_dump($d['epic_magic']); + +$e = 'srsly?'; +var_dump($a['epic_magic']); // srsly. +var_dump(isset($a['epic_magic'])); + +$fp = fopen(__FILE__, 'r'); +var_dump($a[$fp]); + +fclose($fp); +--EXPECTF-- +Notice: Undefined index: epic_magic in %sbug62978.php on line %d +NULL + +Notice: Undefined index: epic_magic in %sbug62978.php on line %d +NULL + +Notice: Undefined variable: c in %sbug62978.php on line %d +NULL + +Notice: Undefined index: epic_magic in %sbug62978.php on line %d +NULL + +Notice: Undefined index: epic_magic in %sbug62978.php on line %d +NULL + +Notice: Undefined index: epic_magic in %sbug62978.php on line %d +NULL +bool(false) + +Strict Standards: Resource ID#%d used as offset, casting to integer (%d) in %sbug62978.php on line %d + +Notice: Undefined offset: %d in %sbug62978.php on line %d +NULL -- PHP CVS Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
