Commit:    a80567a9290523b1db9dcb9422ecc970a978dd16
Author:    Anatol Belski <a...@php.net>         Thu, 14 Nov 2013 14:59:08 +0100
Parents:   e93c9ae26a454c67f84d022f510b8d582d73a9e8
Branches:  str_size_and_int64

Link:       
http://git.php.net/?p=php-src.git;a=commitdiff;h=a80567a9290523b1db9dcb9422ecc970a978dd16

Log:
fixed undefined behaviour in array_sum

The exact situation is when passing the same pointer twice to
fast_add_function(). This probably has to be fixed in mainstream too.

Changed paths:
  M  ext/standard/array.c


Diff:
diff --git a/ext/standard/array.c b/ext/standard/array.c
index 295d98c..5df4e14 100644
--- a/ext/standard/array.c
+++ b/ext/standard/array.c
@@ -4072,7 +4072,8 @@ PHP_FUNCTION(array_sum)
 {
        zval *input,
                 **entry,
-                entry_n;
+                entry_n,
+                entry_m;
        HashPosition pos;
 
        if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "a", &input) == 
FAILURE) {
@@ -4088,10 +4089,12 @@ PHP_FUNCTION(array_sum)
                if (Z_TYPE_PP(entry) == IS_ARRAY || Z_TYPE_PP(entry) == 
IS_OBJECT) {
                        continue;
                }
+               Z_LVAL(entry_m) = Z_LVAL_P(return_value);
+               Z_TYPE(entry_m) = Z_TYPE_P(return_value);
                entry_n = **entry;
                zval_copy_ctor(&entry_n);
                convert_scalar_to_number(&entry_n TSRMLS_CC);
-               fast_add_function(return_value, return_value, &entry_n 
TSRMLS_CC);
+               fast_add_function(return_value, &entry_m, &entry_n TSRMLS_CC);
        }
 }
 /* }}} */
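Review bot: The two added assignments copy the accumulator into `entry_m` through the `lval` union member only, so once `return_value` holds a double (presumably possible when an entry converts to a float or the addition overflows inside fast_add_function()) the copy is complete only on targets where the integer member is at least as wide as `double`. A whole-struct copy, as already done for `entry_n` on the next line, does not depend on that: `entry_m = *return_value;` in place of the `Z_LVAL`/`Z_TYPE` pair. A comment such as `/* fast_add_function() must not receive the same zval as result and op1 */` would record why the temporary exists. The loop header and the initialisation of `return_value` are outside the hunk, so the accumulator's starting type is not visible here.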

