Fixed a possible memory corruption in parse_str(). Reported by Stefan Esser

diff --git a/NEWS b/NEWS
index 33c1f0d4a02d0a20b9f2e14f3787b6e6582d1985..ac210bc950bf3c26938afe71285f14ffb3ead6b6 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -28,6 +28,8 @@ PHP                                                                        NEWS
 - Fixed a possible memory corruption because of unexpected call-time pass by
   refernce and following memory clobbering through callbacks.
   Reported by Stefan Esser (Dmitry)
+- Fixed a possible memory corruption in parse_str(). Reported by Stefan Esser
+  (Dmitry)
 - Fixed a possible memory corruption in pack(). Reported by Stefan Esser
   (Dmitry)
 - Fixed a possible memory corruption in substr_replace(). Reported by Stefan    

diff --git a/ext/standard/string.c b/ext/standard/string.c
index faad22de52c38fbd9809df9cd645b16b071d1af2..71d472c9cf2b756846533b7a176d2acec1a09474 100644 (file)
--- a/ext/standard/string.c
+++ b/ext/standard/string.c
@@ -4146,11 +4146,14 @@ PHP_FUNCTION(parse_str)
                Z_ARRVAL(tmp) = EG(active_symbol_table);
                sapi_module.treat_data(PARSE_STRING, res, &tmp TSRMLS_CC);
        } else  {
+               zval ret;
+               
+               array_init(&ret);
+               sapi_module.treat_data(PARSE_STRING, res, &ret TSRMLS_CC);
                /* Clear out the array that was passed in. */
                zval_dtor(arrayArg);
-               array_init(arrayArg);
-               
-               sapi_module.treat_data(PARSE_STRING, res, arrayArg TSRMLS_CC);
+               arrayArg->type = ret.type;
+               arrayArg->value = ret.value;
        }
 }
 /* }}} */