Fixed bug #70808 (array_merge_recursive corrupts memory of unset items)
authorXinchen Hui <laruence@gmail.com>
Thu, 29 Oct 2015 06:33:58 +0000 (14:33 +0800)
committerXinchen Hui <laruence@gmail.com>
Thu, 29 Oct 2015 06:33:58 +0000 (14:33 +0800)
I know, this fix seems ugly

NEWS
ext/standard/array.c
ext/standard/tests/array/bug70808.phpt [new file with mode: 0644]

diff --git a/NEWS b/NEWS
index 0cebbd121ca9fe6840fe40cf7410a2052228cf12..f4e6c8d6f5e1a2e9aaac90e1c6436f0a6fbe1841 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -2,6 +2,10 @@ PHP                                                                        NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 ?? ??? 2015, PHP 7.0.1
 
+- Standard:
+  . Fixed bug #70808 (array_merge_recursive corrupts memory of unset items).
+    (laruence)
+
 - XSL:
   . Fixed bug #70678 (PHP7 returns true when false is expected). (Felipe)
 
index 4678e144880074d58d901cb7daf2264bff3ab704..88818fe78f45bdafed725d9fa1d59664fbff6ce4 100644 (file)
@@ -2967,6 +2967,10 @@ PHPAPI int php_array_merge_recursive(HashTable *dest, HashTable *src) /* {{{ */
                                if (Z_TYPE_P(dest_zval) == IS_NULL) {
                                        convert_to_array_ex(dest_zval);
                                        add_next_index_null(dest_zval);
+                               } else if (Z_TYPE_P(dest_zval) == IS_ARRAY) {
+                                       if (UNEXPECTED(Z_ARRVAL_P(dest_zval)->nNextFreeElement > Z_ARRVAL_P(dest_zval)->nNumUsed)) {
+                                               Z_ARRVAL_P(dest_zval)->nNextFreeElement = Z_ARRVAL_P(dest_zval)->nNumUsed;
+                                       }
                                } else {
                                        convert_to_array_ex(dest_zval);
                                }
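Review bot: The new `IS_ARRAY` branch compares `nNextFreeElement` (the next integer key to hand out) with `nNumUsed` (the number of used bucket slots), and those two values only correspond for packed arrays. For a hash-layout array with sparse or mixed keys, for example `array(10 => 'a')`, the condition also holds, so the next-key counter is rewound below an existing key; later appends would then be renumbered, and it appears they could land on a key that is already live. If the corruption in bug #70808 is confined to packed arrays whose tail was trimmed by `unset`, the guard could be narrowed by putting `(Z_ARRVAL_P(dest_zval)->u.flags & HASH_FLAG_PACKED) &&` in front of the comparison, with a comment stating the invariant being restored. Otherwise the append path that mishandles this state is the better place to fix it, since other callers can reach it too. The enclosing function starts and ends outside the hunk, so this is based on the visible branch only.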
diff --git a/ext/standard/tests/array/bug70808.phpt b/ext/standard/tests/array/bug70808.phpt
new file mode 100644 (file)
index 0000000..8a62538
--- /dev/null
@@ -0,0 +1,23 @@
+--TEST--
+Bug #70808 (array_merge_recursive corrupts memory of unset items)
+--FILE--
+<?php
+
+$arr1 = array("key" => array(0, 1));
+$arr2 = array("key" => array(2));
+
+unset($arr1["key"][1]);
+
+$result = array_merge_recursive($arr1, $arr2);
+print_r($result);
+?>
+--EXPECT--
+Array
+(
+    [key] => Array
+        (
+            [0] => 0
+            [1] => 2
+        )
+
+)
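Review bot: The regression test exercises only one shape, a packed list whose last element was unset, so it does not pin what the new key-counter reset does to other nested arrays. A second case with non-contiguous integer keys in the nested array, such as `$arr1 = array("key" => array(10 => 'a'));` merged with the same `$arr2`, would record the intended resulting keys. A third case with an element unset from the middle rather than the end would show whether that state is affected at all.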