which affected builds against libpq < 7.3. (Adam)
- SPL:
+ . Fixed bug #67539 (ArrayIterator use-after-free due to object change during
+ sorting). (research at insighti dot org, Laruence)
. Fixed bug #67538 (SPL Iterators use-after-free). (Laruence)
- Streams:
const unsigned char *p, *s;
php_unserialize_data_t var_hash;
zval *pmembers, *pflags = NULL;
+ HashTable *aht;
long flags;
if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &buf, &buf_len) == FAILURE) {
return;
}
+ aht = spl_array_get_hash_table(intern, 0 TSRMLS_CC);
+ if (aht->nApplyCount > 0) {
+ zend_error(E_WARNING, "Modification of ArrayObject during sorting is prohibited");
+ return;
+ }
+
/* storage */
s = p = (const unsigned char*)buf;
PHP_VAR_UNSERIALIZE_INIT(var_hash);
--- /dev/null
+--TEST--
+Bug #67539 (ArrayIterator use-after-free due to object change during sorting)
+--FILE--
+<?php
+
+$it = new ArrayIterator(array_fill(0,2,'X'), 1 );
+
+function badsort($a, $b) {
+ $GLOBALS['it']->unserialize($GLOBALS['it']->serialize());
+ return TRUE;
+}
+
+$it->uksort('badsort');
+--EXPECTF--
+Warning: Modification of ArrayObject during sorting is prohibited in %sbug67539.php on line %d
projects / php / commitdiff