Commit:    67d7d03f00cb3185a4d5958ab7a4b063fc33405c
Author:    Xinchen Hui <larue...@php.net>         Sat, 1 Sep 2012 14:17:39 +0800
Parents:   5dc2cef370885c552c20f3ff44bccd402850de9e
Branches:  PHP-5.3

Link:       
http://git.php.net/?p=php-src.git;a=commitdiff;h=67d7d03f00cb3185a4d5958ab7a4b063fc33405c

Log:
Fixed bug #62987 (Assigning to ArrayObject[null][something] overrides all 
undefined variables)

The get_zval_ptr_ptr of spl_array handler should act as same as the vm's

Bugs:
https://bugs.php.net/62987

Changed paths:
  M  NEWS
  M  ext/spl/spl_array.c
  A  ext/spl/tests/bug62978.phpt


Diff:
diff --git a/NEWS b/NEWS
index a6e05be..ae82821 100644
--- a/NEWS
+++ b/NEWS
@@ -45,6 +45,8 @@ PHP                                                           
             NEWS
   . Fixed bug (segfault due to retval is not initialized). (Laruence)
 
 - SPL:
+  . Bug #62987 (Assigning to ArrayObject[null][something] overrides all 
+    undefined variables). (Laruence)
   . Fixed bug #62904 (Crash when cloning an object which inherits 
SplFixedArray)
     (Laruence)
   . Fixed bug #62616 (ArrayIterator::count() from IteratorIterator instance
diff --git a/ext/spl/spl_array.c b/ext/spl/spl_array.c
index 80ca5be..11540de 100755
--- a/ext/spl/spl_array.c
+++ b/ext/spl/spl_array.c
@@ -312,38 +312,41 @@ static zval **spl_array_get_dimension_ptr_ptr(int 
check_inherited, zval *object,
        long index;
        HashTable *ht = spl_array_get_hash_table(intern, 0 TSRMLS_CC);
 
-/*  We cannot get the pointer pointer so we don't allow it here for now
-       if (check_inherited && intern->fptr_offset_get) {
-               return zend_call_method_with_1_params(&object, 
Z_OBJCE_P(object), &intern->fptr_offset_get, "offsetGet", NULL, offset);
-       }*/
-
        if (!offset) {
                return &EG(uninitialized_zval_ptr);
        }
        
        if ((type == BP_VAR_W || type == BP_VAR_RW) && (ht->nApplyCount > 0)) {
                zend_error(E_WARNING, "Modification of ArrayObject during 
sorting is prohibited");
-               return &EG(uninitialized_zval_ptr);;
+               return &EG(error_zval_ptr);;
        }
 
        switch(Z_TYPE_P(offset)) {
+       case IS_NULL:
+               Z_STRVAL_P(offset) = "";
+               Z_STRLEN_P(offset) = 0;
        case IS_STRING:
                if (zend_symtable_find(ht, Z_STRVAL_P(offset), 
Z_STRLEN_P(offset)+1, (void **) &retval) == FAILURE) {
-                       if (type == BP_VAR_W || type == BP_VAR_RW) {
-                               zval *value;
-                               ALLOC_INIT_ZVAL(value);
-                               zend_symtable_update(ht, Z_STRVAL_P(offset), 
Z_STRLEN_P(offset)+1, (void**)&value, sizeof(void*), NULL);
-                               zend_symtable_find(ht, Z_STRVAL_P(offset), 
Z_STRLEN_P(offset)+1, (void **) &retval);
-                               return retval;
-                       } else {
-                               zend_error(E_NOTICE, "Undefined index:  %s", 
Z_STRVAL_P(offset));
-                               return &EG(uninitialized_zval_ptr);
+                       switch (type) {
+                               case BP_VAR_R:
+                                       zend_error(E_NOTICE, "Undefined index:  
%s", Z_STRVAL_P(offset));
+                               case BP_VAR_UNSET:
+                               case BP_VAR_IS:
+                                       retval = &EG(uninitialized_zval_ptr);
+                                       break;
+                               case BP_VAR_RW:
+                                       zend_error(E_NOTICE,"Undefined index:  
%s", Z_STRVAL_P(offset));
+                               case BP_VAR_W: {
+                                   zval *value;
+                                   ALLOC_INIT_ZVAL(value);
+                                   zend_symtable_update(ht, 
Z_STRVAL_P(offset), Z_STRLEN_P(offset)+1, (void**)&value, sizeof(void*), (void 
**)&retval);
+                               }
                        }
-               } else {
-                       return retval;
                }
-       case IS_DOUBLE:
+               return retval;
        case IS_RESOURCE:
+               zend_error(E_STRICT, "Resource ID#%ld used as offset, casting 
to integer (%ld)", Z_LVAL_P(offset), Z_LVAL_P(offset));
+       case IS_DOUBLE:
        case IS_BOOL: 
        case IS_LONG: 
                if (offset->type == IS_DOUBLE) {
@@ -352,23 +355,27 @@ static zval **spl_array_get_dimension_ptr_ptr(int 
check_inherited, zval *object,
                        index = Z_LVAL_P(offset);
                }
                if (zend_hash_index_find(ht, index, (void **) &retval) == 
FAILURE) {
-                       if (type == BP_VAR_W || type == BP_VAR_RW) {
-                               zval *value;
-                               ALLOC_INIT_ZVAL(value);
-                               zend_hash_index_update(ht, index, 
(void**)&value, sizeof(void*), NULL);
-                               zend_hash_index_find(ht, index, (void **) 
&retval);
-                               return retval;
-                       } else {
-                               zend_error(E_NOTICE, "Undefined offset:  %ld", 
index);
-                               return &EG(uninitialized_zval_ptr);
+                       switch (type) {
+                               case BP_VAR_R:
+                                       zend_error(E_NOTICE, "Undefined offset: 
 %ld", index);
+                               case BP_VAR_UNSET:
+                               case BP_VAR_IS:
+                                       retval = &EG(uninitialized_zval_ptr);
+                                       break;
+                               case BP_VAR_RW:
+                                       zend_error(E_NOTICE, "Undefined offset: 
 %ld", index);
+                               case BP_VAR_W: {
+                                   zval *value;
+                                   ALLOC_INIT_ZVAL(value);
+                                       zend_hash_index_update(ht, index, 
(void**)&value, sizeof(void*), (void **)&retval);
+                          }
                        }
-               } else {
-                       return retval;
                }
-               break;
+               return retval;
        default:
                zend_error(E_WARNING, "Illegal offset type");
-               return &EG(uninitialized_zval_ptr);
+               return (type == BP_VAR_W || type == BP_VAR_RW) ?
+                       &EG(error_zval_ptr) : &EG(uninitialized_zval_ptr);
        }
 } /* }}} */
 
@@ -664,7 +671,6 @@ SPL_METHOD(Array, offsetSet)
        spl_array_write_dimension_ex(0, getThis(), index, value TSRMLS_CC);
 } /* }}} */
 
-
 void spl_array_iterator_append(zval *object, zval *append_value TSRMLS_DC) /* 
{{{ */
 {
        spl_array_object *intern = 
(spl_array_object*)zend_object_store_get_object(object TSRMLS_CC);
diff --git a/ext/spl/tests/bug62978.phpt b/ext/spl/tests/bug62978.phpt
new file mode 100644
index 0000000..94068d5
--- /dev/null
+++ b/ext/spl/tests/bug62978.phpt
@@ -0,0 +1,50 @@
+--TEST--
+Bug #62987 (Assigning to ArrayObject[null][something] overrides all undefined 
variables)
+--FILE--
+<?php
+$a = new ArrayObject();
+
+$b = array();
+
+$a[null]['hurr'] = 'durr';
+
+var_dump($a['epic_magic']);
+var_dump($b['epic_magic']);
+var_dump($c['epic_magic']); // Undefined var!!
+
+$d = array();
+var_dump($a['epic_magic']); // more magic!
+var_dump($d['epic_magic']);
+
+$e = 'srsly?';
+var_dump($a['epic_magic']); // srsly.
+var_dump(isset($a['epic_magic']));
+
+$fp = fopen(__FILE__, 'r');
+var_dump($a[$fp]);
+
+fclose($fp);
+--EXPECTF--
+Notice: Undefined index:  epic_magic in %sbug62978.php on line %d
+NULL
+
+Notice: Undefined index: epic_magic in %sbug62978.php on line %d
+NULL
+
+Notice: Undefined variable: c in %sbug62978.php on line %d
+NULL
+
+Notice: Undefined index:  epic_magic in %sbug62978.php on line %d
+NULL
+
+Notice: Undefined index: epic_magic in %sbug62978.php on line %d
+NULL
+
+Notice: Undefined index:  epic_magic in %sbug62978.php on line %d
+NULL
+bool(false)
+
+Strict Standards: Resource ID#%d used as offset, casting to integer (%d) in 
%sbug62978.php on line %d
+
+Notice: Undefined offset:  %d in %sbug62978.php on line %d
+NULL


--
PHP CVS Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to