colder Sun Oct 5 14:20:55 2008 UTC
Added files: (Branch: PHP_5_3)
/php-src/ext/spl/tests array_026.phpt
Modified files:
/php-src NEWS
/php-src/ext/spl spl_array.c
Log:
Fix #46222 (Allow indirect modifications of Arrays inside ArrayObject + fix
EG(uninitialized_zval_ptr) overwrite)
http://cvs.php.net/viewvc.cgi/php-src/NEWS?r1=1.2027.2.547.2.965.2.338&r2=1.2027.2.547.2.965.2.339&diff_format=u
Index: php-src/NEWS
diff -u php-src/NEWS:1.2027.2.547.2.965.2.338
php-src/NEWS:1.2027.2.547.2.965.2.339
--- php-src/NEWS:1.2027.2.547.2.965.2.338 Wed Oct 1 20:30:23 2008
+++ php-src/NEWS Sun Oct 5 14:20:54 2008
@@ -45,6 +45,8 @@
(vnegrier at optilian dot com, Ilia)
- Fixed bug #46192 (ArrayObject with objects as storage serialization).
(Etienne)
+- Fixed bug #46222 (ArrayObject EG(uninitialized_var_ptr) overwrite).
+ (Etienne)
02 Sep 2008, PHP 5.3.0 Alpha 2
- Removed special treatment of "/tmp" in sessions for open_basedir.
http://cvs.php.net/viewvc.cgi/php-src/ext/spl/spl_array.c?r1=1.71.2.17.2.13.2.26&r2=1.71.2.17.2.13.2.27&diff_format=u
Index: php-src/ext/spl/spl_array.c
diff -u php-src/ext/spl/spl_array.c:1.71.2.17.2.13.2.26
php-src/ext/spl/spl_array.c:1.71.2.17.2.13.2.27
--- php-src/ext/spl/spl_array.c:1.71.2.17.2.13.2.26 Mon Sep 29 22:45:27 2008
+++ php-src/ext/spl/spl_array.c Sun Oct 5 14:20:55 2008
@@ -16,7 +16,7 @@
+----------------------------------------------------------------------+
*/
-/* $Id: spl_array.c,v 1.71.2.17.2.13.2.26 2008/09/29 22:45:27 colder Exp $ */
+/* $Id: spl_array.c,v 1.71.2.17.2.13.2.27 2008/10/05 14:20:55 colder Exp $ */
#ifdef HAVE_CONFIG_H
# include "config.h"
@@ -281,6 +281,7 @@
spl_array_object *intern =
(spl_array_object*)zend_object_store_get_object(object TSRMLS_CC);
zval **retval;
long index;
+ HashTable *ht = spl_array_get_hash_table(intern, 0 TSRMLS_CC);
/* We cannot get the pointer pointer so we don't allow it here for now
if (check_inherited && intern->fptr_offset_get) {
@@ -293,9 +294,17 @@
switch(Z_TYPE_P(offset)) {
case IS_STRING:
- if (zend_symtable_find(spl_array_get_hash_table(intern, 0
TSRMLS_CC), Z_STRVAL_P(offset), Z_STRLEN_P(offset)+1, (void **) &retval) ==
FAILURE) {
- zend_error(E_NOTICE, "Undefined index: %s",
Z_STRVAL_P(offset));
- return &EG(uninitialized_zval_ptr);
+ if (zend_symtable_find(ht, Z_STRVAL_P(offset),
Z_STRLEN_P(offset)+1, (void **) &retval) == FAILURE) {
+ if (type == BP_VAR_W || type == BP_VAR_RW) {
+ zval *value;
+ ALLOC_INIT_ZVAL(value);
+ zend_symtable_update(ht, Z_STRVAL_P(offset),
Z_STRLEN_P(offset)+1, (void**)&value, sizeof(void*), NULL);
+ zend_symtable_find(ht, Z_STRVAL_P(offset),
Z_STRLEN_P(offset)+1, (void **) &retval);
+ return retval;
+ } else {
+ zend_error(E_NOTICE, "Undefined index: %s",
Z_STRVAL_P(offset));
+ return &EG(uninitialized_zval_ptr);
+ }
} else {
return retval;
}
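Review bot: In the new `BP_VAR_W`/`BP_VAR_RW` branch neither `zend_symtable_update` nor the follow-up `zend_symtable_find` has its result checked. If the insert fails, `retval` (declared without an initializer in the earlier hunk) is returned as-is, the caller writes through an indeterminate pointer, and `value` is leaked. The update call already takes an out-parameter for the stored slot, so the second lookup can be dropped: `if (zend_symtable_update(ht, Z_STRVAL_P(offset), Z_STRLEN_P(offset)+1, (void**)&value, sizeof(void*), (void **)&retval) == FAILURE)`, and on failure release `value` with `zval_ptr_dtor(&value)` and return a safe sink such as `&EG(error_zval_ptr)`. The same applies to the `zend_hash_index_update`/`zend_hash_index_find` pair in the integer-offset hunk. `type` is declared outside the visible hunks and the function body continues past this one.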
@@ -308,9 +317,17 @@
} else {
index = Z_LVAL_P(offset);
}
- if (zend_hash_index_find(spl_array_get_hash_table(intern, 0
TSRMLS_CC), index, (void **) &retval) == FAILURE) {
- zend_error(E_NOTICE, "Undefined offset: %ld",
Z_LVAL_P(offset));
- return &EG(uninitialized_zval_ptr);
+ if (zend_hash_index_find(ht, index, (void **) &retval) ==
FAILURE) {
+ if (type == BP_VAR_W || type == BP_VAR_RW) {
+ zval *value;
+ ALLOC_INIT_ZVAL(value);
+ zend_hash_index_update(ht, index,
(void**)&value, sizeof(void*), NULL);
+ zend_hash_index_find(ht, index, (void **)
&retval);
+ return retval;
+ } else {
+ zend_error(E_NOTICE, "Undefined offset: %ld",
Z_LVAL_P(offset));
+ return &EG(uninitialized_zval_ptr);
+ }
} else {
return retval;
}
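Review bot: The re-added notice still formats `Z_LVAL_P(offset)` although the lookup itself uses `index`. The `else { index = Z_LVAL_P(offset); }` context just above suggests that branches outside this hunk derive `index` from other offset types; if so, the message reads a union member that does not match the offset's type and reports a key that was never probed. `zend_error(E_NOTICE, "Undefined offset: %ld", index);` keeps the diagnostic consistent with the lookup. The switch and the enclosing function start and end outside the hunk, so this should be confirmed against the full case body.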
http://cvs.php.net/viewvc.cgi/php-src/ext/spl/tests/array_026.phpt?view=markup&rev=1.1
Index: php-src/ext/spl/tests/array_026.phpt
+++ php-src/ext/spl/tests/array_026.phpt
--TEST--
SPL: ArrayObject indirect offsetGet overwriting EG(uninitialized_zvar_ptr)
--FILE--
<?php
$test = new ArrayObject();
$test['d1']['d2'] = 'hello';
$test['d1']['d3'] = 'world';
var_dump($test, $test3['mmmmm']);
?>
--EXPECTF--
Notice: Undefined variable: test3 in %s%earray_026.php on line 5
object(ArrayObject)#%d (1) {
[u"storage":u"ArrayObject":private]=>
array(1) {
[u"d1"]=>
array(2) {
[u"d2"]=>
unicode(5) "hello"
[u"d3"]=>
unicode(5) "world"
}
}
}
NULL
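Review bot: The `--EXPECTF--` section expects `unicode(5)` values and `u"..."` key prefixes, which look like output from the unicode-enabled development branch, while the commit header says this file is added on PHP_5_3. If 5.3 prints `string(5) "hello"` and unprefixed keys, the test fails there as committed and no longer guards the fix. The script also drives only the string-key write path. A line such as `$test[0]['d2'] = 'hello';` would cover the integer-offset branch changed in the same commit, and a compound assignment on a missing key would exercise `BP_VAR_RW`.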