Hi Rms:
this bug is a critical one. please notice this fix. :)
thanks
On Sat, Sep 1, 2012 at 2:21 PM, Xinchen Hui <[email protected]> wrote:
> Commit: 67d7d03f00cb3185a4d5958ab7a4b063fc33405c
> Author: Xinchen Hui <[email protected]> Sat, 1 Sep 2012 14:17:39
> +0800
> Parents: 5dc2cef370885c552c20f3ff44bccd402850de9e
> Branches: PHP-5.3
>
> Link:
> http://git.php.net/?p=php-src.git;a=commitdiff;h=67d7d03f00cb3185a4d5958ab7a4b063fc33405c
>
> Log:
> Fixed bug #62987 (Assigning to ArrayObject[null][something] overrides all
> undefined variables)
>
> The get_zval_ptr_ptr of spl_array handler should act as same as the vm's
>
> Bugs:
> https://bugs.php.net/62987
>
> Changed paths:
> M NEWS
> M ext/spl/spl_array.c
> A ext/spl/tests/bug62978.phpt
>
>
> Diff:
> diff --git a/NEWS b/NEWS
> index a6e05be..ae82821 100644
> --- a/NEWS
> +++ b/NEWS
> @@ -45,6 +45,8 @@ PHP
> NEWS
> . Fixed bug (segfault due to retval is not initialized). (Laruence)
>
> - SPL:
> + . Bug #62987 (Assigning to ArrayObject[null][something] overrides all
> + undefined variables). (Laruence)
> . Fixed bug #62904 (Crash when cloning an object which inherits
> SplFixedArray)
> (Laruence)
> . Fixed bug #62616 (ArrayIterator::count() from IteratorIterator instance
> diff --git a/ext/spl/spl_array.c b/ext/spl/spl_array.c
> index 80ca5be..11540de 100755
> --- a/ext/spl/spl_array.c
> +++ b/ext/spl/spl_array.c
> @@ -312,38 +312,41 @@ static zval **spl_array_get_dimension_ptr_ptr(int
> check_inherited, zval *object,
> long index;
> HashTable *ht = spl_array_get_hash_table(intern, 0 TSRMLS_CC);
>
> -/* We cannot get the pointer pointer so we don't allow it here for now
> - if (check_inherited && intern->fptr_offset_get) {
> - return zend_call_method_with_1_params(&object,
> Z_OBJCE_P(object), &intern->fptr_offset_get, "offsetGet", NULL, offset);
> - }*/
> -
> if (!offset) {
> return &EG(uninitialized_zval_ptr);
> }
>
> if ((type == BP_VAR_W || type == BP_VAR_RW) && (ht->nApplyCount > 0))
> {
> zend_error(E_WARNING, "Modification of ArrayObject during
> sorting is prohibited");
> - return &EG(uninitialized_zval_ptr);;
> + return &EG(error_zval_ptr);;
> }
>
> switch(Z_TYPE_P(offset)) {
> + case IS_NULL:
> + Z_STRVAL_P(offset) = "";
> + Z_STRLEN_P(offset) = 0;
> case IS_STRING:
> if (zend_symtable_find(ht, Z_STRVAL_P(offset),
> Z_STRLEN_P(offset)+1, (void **) &retval) == FAILURE) {
> - if (type == BP_VAR_W || type == BP_VAR_RW) {
> - zval *value;
> - ALLOC_INIT_ZVAL(value);
> - zend_symtable_update(ht, Z_STRVAL_P(offset),
> Z_STRLEN_P(offset)+1, (void**)&value, sizeof(void*), NULL);
> - zend_symtable_find(ht, Z_STRVAL_P(offset),
> Z_STRLEN_P(offset)+1, (void **) &retval);
> - return retval;
> - } else {
> - zend_error(E_NOTICE, "Undefined index: %s",
> Z_STRVAL_P(offset));
> - return &EG(uninitialized_zval_ptr);
> + switch (type) {
> + case BP_VAR_R:
> + zend_error(E_NOTICE, "Undefined
> index: %s", Z_STRVAL_P(offset));
> + case BP_VAR_UNSET:
> + case BP_VAR_IS:
> + retval = &EG(uninitialized_zval_ptr);
> + break;
> + case BP_VAR_RW:
> + zend_error(E_NOTICE,"Undefined index:
> %s", Z_STRVAL_P(offset));
> + case BP_VAR_W: {
> + zval *value;
> + ALLOC_INIT_ZVAL(value);
> + zend_symtable_update(ht,
> Z_STRVAL_P(offset), Z_STRLEN_P(offset)+1, (void**)&value, sizeof(void*),
> (void **)&retval);
> + }
> }
> - } else {
> - return retval;
> }
> - case IS_DOUBLE:
> + return retval;
> case IS_RESOURCE:
> + zend_error(E_STRICT, "Resource ID#%ld used as offset, casting
> to integer (%ld)", Z_LVAL_P(offset), Z_LVAL_P(offset));
> + case IS_DOUBLE:
> case IS_BOOL:
> case IS_LONG:
> if (offset->type == IS_DOUBLE) {
> @@ -352,23 +355,27 @@ static zval **spl_array_get_dimension_ptr_ptr(int
> check_inherited, zval *object,
> index = Z_LVAL_P(offset);
> }
> if (zend_hash_index_find(ht, index, (void **) &retval) ==
> FAILURE) {
> - if (type == BP_VAR_W || type == BP_VAR_RW) {
> - zval *value;
> - ALLOC_INIT_ZVAL(value);
> - zend_hash_index_update(ht, index,
> (void**)&value, sizeof(void*), NULL);
> - zend_hash_index_find(ht, index, (void **)
> &retval);
> - return retval;
> - } else {
> - zend_error(E_NOTICE, "Undefined offset:
> %ld", index);
> - return &EG(uninitialized_zval_ptr);
> + switch (type) {
> + case BP_VAR_R:
> + zend_error(E_NOTICE, "Undefined
> offset: %ld", index);
> + case BP_VAR_UNSET:
> + case BP_VAR_IS:
> + retval = &EG(uninitialized_zval_ptr);
> + break;
> + case BP_VAR_RW:
> + zend_error(E_NOTICE, "Undefined
> offset: %ld", index);
> + case BP_VAR_W: {
> + zval *value;
> + ALLOC_INIT_ZVAL(value);
> + zend_hash_index_update(ht, index,
> (void**)&value, sizeof(void*), (void **)&retval);
> + }
> }
> - } else {
> - return retval;
> }
> - break;
> + return retval;
> default:
> zend_error(E_WARNING, "Illegal offset type");
> - return &EG(uninitialized_zval_ptr);
> + return (type == BP_VAR_W || type == BP_VAR_RW) ?
> + &EG(error_zval_ptr) : &EG(uninitialized_zval_ptr);
> }
> } /* }}} */
>
> @@ -664,7 +671,6 @@ SPL_METHOD(Array, offsetSet)
> spl_array_write_dimension_ex(0, getThis(), index, value TSRMLS_CC);
> } /* }}} */
>
> -
> void spl_array_iterator_append(zval *object, zval *append_value TSRMLS_DC)
> /* {{{ */
> {
> spl_array_object *intern =
> (spl_array_object*)zend_object_store_get_object(object TSRMLS_CC);
> diff --git a/ext/spl/tests/bug62978.phpt b/ext/spl/tests/bug62978.phpt
> new file mode 100644
> index 0000000..94068d5
> --- /dev/null
> +++ b/ext/spl/tests/bug62978.phpt
> @@ -0,0 +1,50 @@
> +--TEST--
> +Bug #62987 (Assigning to ArrayObject[null][something] overrides all
> undefined variables)
> +--FILE--
> +<?php
> +$a = new ArrayObject();
> +
> +$b = array();
> +
> +$a[null]['hurr'] = 'durr';
> +
> +var_dump($a['epic_magic']);
> +var_dump($b['epic_magic']);
> +var_dump($c['epic_magic']); // Undefined var!!
> +
> +$d = array();
> +var_dump($a['epic_magic']); // more magic!
> +var_dump($d['epic_magic']);
> +
> +$e = 'srsly?';
> +var_dump($a['epic_magic']); // srsly.
> +var_dump(isset($a['epic_magic']));
> +
> +$fp = fopen(__FILE__, 'r');
> +var_dump($a[$fp]);
> +
> +fclose($fp);
> +--EXPECTF--
> +Notice: Undefined index: epic_magic in %sbug62978.php on line %d
> +NULL
> +
> +Notice: Undefined index: epic_magic in %sbug62978.php on line %d
> +NULL
> +
> +Notice: Undefined variable: c in %sbug62978.php on line %d
> +NULL
> +
> +Notice: Undefined index: epic_magic in %sbug62978.php on line %d
> +NULL
> +
> +Notice: Undefined index: epic_magic in %sbug62978.php on line %d
> +NULL
> +
> +Notice: Undefined index: epic_magic in %sbug62978.php on line %d
> +NULL
> +bool(false)
> +
> +Strict Standards: Resource ID#%d used as offset, casting to integer (%d) in
> %sbug62978.php on line %d
> +
> +Notice: Undefined offset: %d in %sbug62978.php on line %d
> +NULL
>
>
> --
> PHP CVS Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
--
Laruence Xinchen Hui
http://www.laruence.com/
--
PHP CVS Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
