Fixed bug #70947 (INI parser segfault with INI_SCANNER_TYPED)

diff --git a/NEWS b/NEWS
index 69be87678338a8621faefe80c683070287218915..433625785e955a83bb4da4df7336d56d14302d6d 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -3,6 +3,7 @@ PHP                                                                        NEWS
 ?? ??? 2015, PHP 7.0.1
 
 - Core:
+  . Fixed bug #70947 (INI parser segfault with INI_SCANNER_TYPED). (Laruence)
   . Fixed bug #70944 (try{ } finally{} can create infinite chains of
     exceptions). (Laruence)
   . Fixed bug #70914 (zend_throw_or_error() format string vulnerability).

diff --git a/Zend/zend_ini_parser.y b/Zend/zend_ini_parser.y
index e3042b80c175e6ce75f6018478c642baabfa4289..d6f33159d891c8440e67a3204506e4506b99849c 100644 (file)
--- a/Zend/zend_ini_parser.y
+++ b/Zend/zend_ini_parser.y
@@ -109,8 +109,13 @@ static void zend_ini_add_string(zval *result, zval *op1, zval *op2)
                ZVAL_PSTRINGL(op1, str->val, str->len);
                zend_string_release(str);
        }
-
        op1_len = (int)Z_STRLEN_P(op1);
+       
+       if (Z_TYPE_P(op2) != IS_STRING) {
+               zend_string *str = zval_get_string(op2);
+               ZVAL_PSTRINGL(op2, str->val, str->len);
+               zend_string_release(str);
+       }
        length = op1_len + (int)Z_STRLEN_P(op2);
 
        ZVAL_NEW_STR(result, zend_string_extend(Z_STR_P(op1), length, 1));

diff --git a/ext/standard/tests/general_functions/bug70947.phpt b/ext/standard/tests/general_functions/bug70947.phpt
new file mode 100644 (file)
index 0000000..d07e5a3
--- /dev/null
+++ b/ext/standard/tests/general_functions/bug70947.phpt
@@ -0,0 +1,12 @@
+--TEST--
+Bug #70947 (INI parser segfault with INI_SCANNER_TYPED)
+--FILE--
+<?php
+$o = parse_ini_string('foo = bar 123', FALSE, INI_SCANNER_TYPED);
+var_dump($o);
+?>
+--EXPECT--
+array(1) {
+  ["foo"]=>
+  string(7) "bar 123"
+}