Hi Rms:

    This bug is a critical one; please take note of this fix. :)

thanks

On Sat, Sep 1, 2012 at 2:21 PM, Xinchen Hui <larue...@php.net> wrote:
> Commit:    67d7d03f00cb3185a4d5958ab7a4b063fc33405c
> Author:    Xinchen Hui <larue...@php.net>         Sat, 1 Sep 2012 14:17:39 
> +0800
> Parents:   5dc2cef370885c552c20f3ff44bccd402850de9e
> Branches:  PHP-5.3
>
> Link:       
> http://git.php.net/?p=php-src.git;a=commitdiff;h=67d7d03f00cb3185a4d5958ab7a4b063fc33405c
>
> Log:
> Fixed bug #62987 (Assigning to ArrayObject[null][something] overrides all 
> undefined variables)
>
> The get_zval_ptr_ptr handler of spl_array should behave the same as the VM's
>
> Bugs:
> https://bugs.php.net/62987
>
> Changed paths:
>   M  NEWS
>   M  ext/spl/spl_array.c
>   A  ext/spl/tests/bug62978.phpt
>
>
> Diff:
> diff --git a/NEWS b/NEWS
> index a6e05be..ae82821 100644
> --- a/NEWS
> +++ b/NEWS
> @@ -45,6 +45,8 @@ PHP                                                         
>                NEWS
>    . Fixed bug (segfault due to retval is not initialized). (Laruence)
>
>  - SPL:
> +  . Bug #62987 (Assigning to ArrayObject[null][something] overrides all
> +    undefined variables). (Laruence)
>    . Fixed bug #62904 (Crash when cloning an object which inherits 
> SplFixedArray)
>      (Laruence)
>    . Fixed bug #62616 (ArrayIterator::count() from IteratorIterator instance
> diff --git a/ext/spl/spl_array.c b/ext/spl/spl_array.c
> index 80ca5be..11540de 100755
> --- a/ext/spl/spl_array.c
> +++ b/ext/spl/spl_array.c
> @@ -312,38 +312,41 @@ static zval **spl_array_get_dimension_ptr_ptr(int 
> check_inherited, zval *object,
>         long index;
>         HashTable *ht = spl_array_get_hash_table(intern, 0 TSRMLS_CC);
>
> -/*  We cannot get the pointer pointer so we don't allow it here for now
> -       if (check_inherited && intern->fptr_offset_get) {
> -               return zend_call_method_with_1_params(&object, 
> Z_OBJCE_P(object), &intern->fptr_offset_get, "offsetGet", NULL, offset);
> -       }*/
> -
>         if (!offset) {
>                 return &EG(uninitialized_zval_ptr);
>         }
>
>         if ((type == BP_VAR_W || type == BP_VAR_RW) && (ht->nApplyCount > 0)) 
> {
>                 zend_error(E_WARNING, "Modification of ArrayObject during 
> sorting is prohibited");
> -               return &EG(uninitialized_zval_ptr);;
> +               return &EG(error_zval_ptr);;
>         }
>
>         switch(Z_TYPE_P(offset)) {
> +       case IS_NULL:
> +               Z_STRVAL_P(offset) = "";
> +               Z_STRLEN_P(offset) = 0;
>         case IS_STRING:
>                 if (zend_symtable_find(ht, Z_STRVAL_P(offset), 
> Z_STRLEN_P(offset)+1, (void **) &retval) == FAILURE) {
> -                       if (type == BP_VAR_W || type == BP_VAR_RW) {
> -                               zval *value;
> -                               ALLOC_INIT_ZVAL(value);
> -                               zend_symtable_update(ht, Z_STRVAL_P(offset), 
> Z_STRLEN_P(offset)+1, (void**)&value, sizeof(void*), NULL);
> -                               zend_symtable_find(ht, Z_STRVAL_P(offset), 
> Z_STRLEN_P(offset)+1, (void **) &retval);
> -                               return retval;
> -                       } else {
> -                               zend_error(E_NOTICE, "Undefined index:  %s", 
> Z_STRVAL_P(offset));
> -                               return &EG(uninitialized_zval_ptr);
> +                       switch (type) {
> +                               case BP_VAR_R:
> +                                       zend_error(E_NOTICE, "Undefined 
> index:  %s", Z_STRVAL_P(offset));
> +                               case BP_VAR_UNSET:
> +                               case BP_VAR_IS:
> +                                       retval = &EG(uninitialized_zval_ptr);
> +                                       break;
> +                               case BP_VAR_RW:
> +                                       zend_error(E_NOTICE,"Undefined index: 
>  %s", Z_STRVAL_P(offset));
> +                               case BP_VAR_W: {
> +                                   zval *value;
> +                                   ALLOC_INIT_ZVAL(value);
> +                                   zend_symtable_update(ht, 
> Z_STRVAL_P(offset), Z_STRLEN_P(offset)+1, (void**)&value, sizeof(void*), 
> (void **)&retval);
> +                               }
>                         }
> -               } else {
> -                       return retval;
>                 }
> -       case IS_DOUBLE:
> +               return retval;
>         case IS_RESOURCE:
> +               zend_error(E_STRICT, "Resource ID#%ld used as offset, casting 
> to integer (%ld)", Z_LVAL_P(offset), Z_LVAL_P(offset));
> +       case IS_DOUBLE:
>         case IS_BOOL:
>         case IS_LONG:
>                 if (offset->type == IS_DOUBLE) {
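Review bot: The new `case IS_NULL:` arm stores `""` and `0` into the caller's `offset` zval through `Z_STRVAL_P`/`Z_STRLEN_P` while its type stays IS_NULL, so a value this function does not own (and which may be shared with other users) is modified just to build a lookup key. Keeping the key in two locals, filled from `offset` in the IS_STRING arm and set to the empty string for IS_NULL, would give the same lookup without the write. The IS_NULL → IS_STRING, BP_VAR_R → BP_VAR_UNSET, BP_VAR_RW → BP_VAR_W and IS_RESOURCE → IS_DOUBLE fall-throughs look deliberate and each deserves a `/* break missing intentionally */` comment. The function begins before this hunk and continues in the next one.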
> @@ -352,23 +355,27 @@ static zval **spl_array_get_dimension_ptr_ptr(int 
> check_inherited, zval *object,
>                         index = Z_LVAL_P(offset);
>                 }
>                 if (zend_hash_index_find(ht, index, (void **) &retval) == 
> FAILURE) {
> -                       if (type == BP_VAR_W || type == BP_VAR_RW) {
> -                               zval *value;
> -                               ALLOC_INIT_ZVAL(value);
> -                               zend_hash_index_update(ht, index, 
> (void**)&value, sizeof(void*), NULL);
> -                               zend_hash_index_find(ht, index, (void **) 
> &retval);
> -                               return retval;
> -                       } else {
> -                               zend_error(E_NOTICE, "Undefined offset:  
> %ld", index);
> -                               return &EG(uninitialized_zval_ptr);
> +                       switch (type) {
> +                               case BP_VAR_R:
> +                                       zend_error(E_NOTICE, "Undefined 
> offset:  %ld", index);
> +                               case BP_VAR_UNSET:
> +                               case BP_VAR_IS:
> +                                       retval = &EG(uninitialized_zval_ptr);
> +                                       break;
> +                               case BP_VAR_RW:
> +                                       zend_error(E_NOTICE, "Undefined 
> offset:  %ld", index);
> +                               case BP_VAR_W: {
> +                                   zval *value;
> +                                   ALLOC_INIT_ZVAL(value);
> +                                       zend_hash_index_update(ht, index, 
> (void**)&value, sizeof(void*), (void **)&retval);
> +                          }
>                         }
> -               } else {
> -                       return retval;
>                 }
> -               break;
> +               return retval;
>         default:
>                 zend_error(E_WARNING, "Illegal offset type");
> -               return &EG(uninitialized_zval_ptr);
> +               return (type == BP_VAR_W || type == BP_VAR_RW) ?
> +                       &EG(error_zval_ptr) : &EG(uninitialized_zval_ptr);
>         }
>  } /* }}} */
>
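Review bot: The inner `switch (type)` after the failed `zend_hash_index_find` has no `default:` arm, so for any fetch type other than the five listed, `return retval;` hands back whatever `retval` held before the lookup; its declaration is outside the hunk, so whether it is initialised cannot be seen here. The string-key arm in the previous hunk has the same shape. An explicit arm such as `default: retval = &EG(uninitialized_zval_ptr); break;` would make the result defined, and the result of `zend_hash_index_update` (and of `zend_symtable_update` in the previous hunk) is also unchecked before `retval` is returned. The mixed tab/space indentation inside the `BP_VAR_W` block should be normalised to match the surrounding code.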
> @@ -664,7 +671,6 @@ SPL_METHOD(Array, offsetSet)
>         spl_array_write_dimension_ex(0, getThis(), index, value TSRMLS_CC);
>  } /* }}} */
>
> -
>  void spl_array_iterator_append(zval *object, zval *append_value TSRMLS_DC) 
> /* {{{ */
>  {
>         spl_array_object *intern = 
> (spl_array_object*)zend_object_store_get_object(object TSRMLS_CC);
> diff --git a/ext/spl/tests/bug62978.phpt b/ext/spl/tests/bug62978.phpt
> new file mode 100644
> index 0000000..94068d5
> --- /dev/null
> +++ b/ext/spl/tests/bug62978.phpt
> @@ -0,0 +1,50 @@
> +--TEST--
> +Bug #62987 (Assigning to ArrayObject[null][something] overrides all 
> undefined variables)
> +--FILE--
> +<?php
> +$a = new ArrayObject();
> +
> +$b = array();
> +
> +$a[null]['hurr'] = 'durr';
> +
> +var_dump($a['epic_magic']);
> +var_dump($b['epic_magic']);
> +var_dump($c['epic_magic']); // Undefined var!!
> +
> +$d = array();
> +var_dump($a['epic_magic']); // more magic!
> +var_dump($d['epic_magic']);
> +
> +$e = 'srsly?';
> +var_dump($a['epic_magic']); // srsly.
> +var_dump(isset($a['epic_magic']));
> +
> +$fp = fopen(__FILE__, 'r');
> +var_dump($a[$fp]);
> +
> +fclose($fp);
> +--EXPECTF--
> +Notice: Undefined index:  epic_magic in %sbug62978.php on line %d
> +NULL
> +
> +Notice: Undefined index: epic_magic in %sbug62978.php on line %d
> +NULL
> +
> +Notice: Undefined variable: c in %sbug62978.php on line %d
> +NULL
> +
> +Notice: Undefined index:  epic_magic in %sbug62978.php on line %d
> +NULL
> +
> +Notice: Undefined index: epic_magic in %sbug62978.php on line %d
> +NULL
> +
> +Notice: Undefined index:  epic_magic in %sbug62978.php on line %d
> +NULL
> +bool(false)
> +
> +Strict Standards: Resource ID#%d used as offset, casting to integer (%d) in 
> %sbug62978.php on line %d
> +
> +Notice: Undefined offset:  %d in %sbug62978.php on line %d
> +NULL
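Review bot: The test does not reach either path this commit changes to return `error_zval_ptr`: a write through an illegal offset type, and a write while the ArrayObject is being sorted. A case for each, with the expected warning listed under `--EXPECTF--`, would pin the new behaviour. The file is also named `bug62978.phpt` while the bug it covers is #62987; renaming it to `bug62987.phpt` would keep it findable by bug number.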
>
>
> --
> PHP CVS Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>



-- 
Laruence  Xinchen Hui
http://www.laruence.com/

-- 
PHP CVS Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
