Commit: a80567a9290523b1db9dcb9422ecc970a978dd16 Author: Anatol Belski <a...@php.net> Thu, 14 Nov 2013 14:59:08 +0100 Parents: e93c9ae26a454c67f84d022f510b8d582d73a9e8 Branches: str_size_and_int64
Link: http://git.php.net/?p=php-src.git;a=commitdiff;h=a80567a9290523b1db9dcb9422ecc970a978dd16 Log: fixed undefined behaviour in array_sum The exact situation is when passing same pointer twice to fast_add_function(). This prorably has to be fixed in mainstream too. Changed paths: M ext/standard/array.c Diff:
diff --git a/ext/standard/array.c b/ext/standard/array.c
index 295d98c..5df4e14 100644
--- a/ext/standard/array.c
+++ b/ext/standard/array.c
@@ -4072,7 +4072,8 @@ PHP_FUNCTION(array_sum)
 {
 zval *input,
 **entry,
- entry_n;
+ entry_n,
+ entry_m;
 HashPosition pos;
 
 if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "a", &input) == FAILURE) {
@@ -4088,10 +4089,12 @@ PHP_FUNCTION(array_sum)
 if (Z_TYPE_PP(entry) == IS_ARRAY || Z_TYPE_PP(entry) == IS_OBJECT) {
 continue;
 }
+ Z_LVAL(entry_m) = Z_LVAL_P(return_value);
+ Z_TYPE(entry_m) = Z_TYPE_P(return_value);
 entry_n = **entry;
 zval_copy_ctor(&entry_n);
 convert_scalar_to_number(&entry_n TSRMLS_CC);
- fast_add_function(return_value, return_value, &entry_n TSRMLS_CC);
+ fast_add_function(return_value, &entry_m, &entry_n TSRMLS_CC);
 }
 }
 /* }}} */
-- PHP CVS Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
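Review bot: The snapshot of `return_value` into `entry_m` in the second hunk copies only `Z_LVAL` and the type, so once the running sum has become a double its value survives only if the `lval` member is as wide as `dval`. That likely holds on this int64 branch but would not on a build with a 32-bit long, which matters if the fix is ported to mainline as the log suggests. Copying the whole zval with `entry_m = *return_value;`, as the next line already does for `entry_n`, avoids relying on the union layout and leaves no field of `entry_m` uninitialised. A short comment such as `/* result and op1 must not alias in fast_add_function() */` would keep a later cleanup from reintroducing the aliasing. The loop that contains these lines begins outside the hunk.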