colder Sun Oct 5 14:20:55 2008 UTC Added files: (Branch: PHP_5_3) /php-src/ext/spl/tests array_026.phpt
Modified files: /php-src NEWS /php-src/ext/spl spl_array.c Log: Fix #46222 (Allow indirect modifications of Arrays inside ArrayObject + fix EG(uninitialized_zval_ptr) overwrite) http://cvs.php.net/viewvc.cgi/php-src/NEWS?r1=1.2027.2.547.2.965.2.338&r2=1.2027.2.547.2.965.2.339&diff_format=u Index: php-src/NEWS diff -u php-src/NEWS:1.2027.2.547.2.965.2.338 php-src/NEWS:1.2027.2.547.2.965.2.339 --- php-src/NEWS:1.2027.2.547.2.965.2.338 Wed Oct 1 20:30:23 2008 +++ php-src/NEWS Sun Oct 5 14:20:54 2008 @@ -45,6 +45,8 @@ (vnegrier at optilian dot com, Ilia) - Fixed bug #46192 (ArrayObject with objects as storage serialization). (Etienne) +- Fixed bug #46222 (ArrayObject EG(uninitialized_var_ptr) overwrite). + (Etienne) 02 Sep 2008, PHP 5.3.0 Alpha 2 - Removed special treatment of "/tmp" in sessions for open_basedir. http://cvs.php.net/viewvc.cgi/php-src/ext/spl/spl_array.c?r1=1.71.2.17.2.13.2.26&r2=1.71.2.17.2.13.2.27&diff_format=u Index: php-src/ext/spl/spl_array.c diff -u php-src/ext/spl/spl_array.c:1.71.2.17.2.13.2.26 php-src/ext/spl/spl_array.c:1.71.2.17.2.13.2.27 --- php-src/ext/spl/spl_array.c:1.71.2.17.2.13.2.26 Mon Sep 29 22:45:27 2008 +++ php-src/ext/spl/spl_array.c Sun Oct 5 14:20:55 2008 @@ -16,7 +16,7 @@ +----------------------------------------------------------------------+ */ -/* $Id: spl_array.c,v 1.71.2.17.2.13.2.26 2008/09/29 22:45:27 colder Exp $ */ +/* $Id: spl_array.c,v 1.71.2.17.2.13.2.27 2008/10/05 14:20:55 colder Exp $ */ #ifdef HAVE_CONFIG_H # include "config.h" @@ -281,6 +281,7 @@ spl_array_object *intern = (spl_array_object*)zend_object_store_get_object(object TSRMLS_CC); zval **retval; long index; + HashTable *ht = spl_array_get_hash_table(intern, 0 TSRMLS_CC); /* We cannot get the pointer pointer so we don't allow it here for now if (check_inherited && intern->fptr_offset_get) { 
@@ -293,9 +294,17 @@ switch(Z_TYPE_P(offset)) { case IS_STRING: - if (zend_symtable_find(spl_array_get_hash_table(intern, 0 TSRMLS_CC), Z_STRVAL_P(offset), Z_STRLEN_P(offset)+1, (void **) &retval) == FAILURE) { - zend_error(E_NOTICE, "Undefined index: %s", Z_STRVAL_P(offset)); - return &EG(uninitialized_zval_ptr); + if (zend_symtable_find(ht, Z_STRVAL_P(offset), Z_STRLEN_P(offset)+1, (void **) &retval) == FAILURE) { + if (type == BP_VAR_W || type == BP_VAR_RW) { + zval *value; + ALLOC_INIT_ZVAL(value); + zend_symtable_update(ht, Z_STRVAL_P(offset), Z_STRLEN_P(offset)+1, (void**)&value, sizeof(void*), NULL); + zend_symtable_find(ht, Z_STRVAL_P(offset), Z_STRLEN_P(offset)+1, (void **) &retval); + return retval; + } else { + zend_error(E_NOTICE, "Undefined index: %s", Z_STRVAL_P(offset)); + return &EG(uninitialized_zval_ptr); + } } else { return retval; } 
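Review bot: In the new `BP_VAR_W`/`BP_VAR_RW` branch the results of `zend_symtable_update()` and of the second `zend_symtable_find()` are ignored. If either fails, the function returns `retval`, which the earlier hunk shows declared as `zval **retval;` with no initializer, so the caller would write through an indeterminate pointer, and the freshly allocated `value` is leaked. The update call already takes an out-parameter for the stored slot, so the second lookup can be dropped and the result checked: `if (zend_symtable_update(ht, Z_STRVAL_P(offset), Z_STRLEN_P(offset)+1, (void**)&value, sizeof(void*), (void **)&retval) == FAILURE)`, releasing `value` with `zval_ptr_dtor(&value);` on that path. The same pattern is in the integer-offset hunk at `@@ -308,9 +317,17 @@` with `zend_hash_index_update()`/`zend_hash_index_find()`. The enclosing function starts and ends outside this hunk, so the value to return on failure has to be chosen against the rest of its body.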
@@ -308,9 +317,17 @@ } else { index = Z_LVAL_P(offset); } - if (zend_hash_index_find(spl_array_get_hash_table(intern, 0 TSRMLS_CC), index, (void **) &retval) == FAILURE) { - zend_error(E_NOTICE, "Undefined offset: %ld", Z_LVAL_P(offset)); - return &EG(uninitialized_zval_ptr); + if (zend_hash_index_find(ht, index, (void **) &retval) == FAILURE) { + if (type == BP_VAR_W || type == BP_VAR_RW) { + zval *value; + ALLOC_INIT_ZVAL(value); + zend_hash_index_update(ht, index, (void**)&value, sizeof(void*), NULL); + zend_hash_index_find(ht, index, (void **) &retval); + return retval; + } else { + zend_error(E_NOTICE, "Undefined offset: %ld", Z_LVAL_P(offset)); + return &EG(uninitialized_zval_ptr); + } } else { return retval; } http://cvs.php.net/viewvc.cgi/php-src/ext/spl/tests/array_026.phpt?view=markup&rev=1.1 Index: php-src/ext/spl/tests/array_026.phpt +++ php-src/ext/spl/tests/array_026.phpt --TEST-- SPL: ArrayObject indirect offsetGet overwriting EG(uninitialized_zvar_ptr) --FILE-- <?php $test = new ArrayObject(); $test['d1']['d2'] = 'hello'; $test['d1']['d3'] = 'world'; var_dump($test, $test3['mmmmm']); ?> --EXPECTF-- Notice: Undefined variable: test3 in %s%earray_026.php on line 5 object(ArrayObject)#%d (1) { [u"storage":u"ArrayObject":private]=> array(1) { [u"d1"]=> array(2) { [u"d2"]=> unicode(5) "hello" [u"d3"]=> unicode(5) "world" } } } NULL -- PHP CVS Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
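Review bot: The notice re-emitted in the read branch still formats `Z_LVAL_P(offset)`, although the lookup just above it searches for `index`. The visible `} else { index = Z_LVAL_P(offset); }` implies a sibling branch, outside this hunk, that derives `index` some other way. For such offsets the message would presumably print a value read from the wrong zval member rather than the key actually searched. Since the line is being touched anyway, `zend_error(E_NOTICE, "Undefined offset: %ld", index);` keeps the diagnostic consistent with the lookup.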
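Review bot: The `--EXPECTF--` block of array_026.phpt expects `unicode(5) "hello"` and `u"..."`-prefixed keys, which looks like output captured from a unicode-enabled build, yet the commit header says the file is added on branch PHP_5_3. On that branch `var_dump` would presumably print `string(5)` and unprefixed keys, so the regression test for the `EG(uninitialized_zval_ptr)` overwrite would fail for reasons unrelated to the fix. The expectation should be regenerated on the target branch so the test actually guards the fixed behaviour. The `--TEST--` title also spells the global as `EG(uninitialized_zvar_ptr)`, and the NEWS entry as `EG(uninitialized_var_ptr)`, where the code uses `EG(uninitialized_zval_ptr)`.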