Fixed a possible memory corruption in substr_replace()
authorDmitry Stogov <dmitry@php.net>
Tue, 11 May 2010 11:59:13 +0000 (11:59 +0000)
committerDmitry Stogov <dmitry@php.net>
Tue, 11 May 2010 11:59:13 +0000 (11:59 +0000)
NEWS
ext/standard/string.c

diff --git a/NEWS b/NEWS
index 689977e133b01a67457dd8b09de5482145bec168..d754a30d684fbe212c6c2709271dd016701be883 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -26,6 +26,8 @@ PHP                                                                        NEWS
 - Fixed a possible memory corruption because of unexpected call-time pass by
   refernce and following memory clobbering through callbacks.
   Reported by Stefan Esser (Dmitry)
+- Fixed a possible memory corruption in substr_replace(). Reported by Stefan    
+  Esser (Dmitry)
 - Fixed a possible memory corruption in addcslashes(). Reported by Stefan    
   Esser (Dmitry)
 - Fixed a possible stack exhaustion inside fnmatch(). Reported by Stefan    
index 88b80996833f28e0ec011240aec1da6307e4e310..faad22de52c38fbd9809df9cd645b16b071d1af2 100644 (file)
@@ -2219,12 +2219,21 @@ PHP_FUNCTION(substr_replace)
        }
        
        if (Z_TYPE_PP(str) != IS_ARRAY) {
+               if (Z_ISREF_PP(str)) {
+                       SEPARATE_ZVAL(str);
+               }
                convert_to_string_ex(str);
        }
        if (Z_TYPE_PP(repl) != IS_ARRAY) {
+               if (Z_ISREF_PP(repl)) {
+                       SEPARATE_ZVAL(repl);
+               }
                convert_to_string_ex(repl);
        }
        if (Z_TYPE_PP(from) != IS_ARRAY) {
+               if (Z_ISREF_PP(from)) {
+                       SEPARATE_ZVAL(from);
+               }
                convert_to_long_ex(from);
        }
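Review bot: The three added `Z_ISREF_PP`/`SEPARATE_ZVAL` guards sit inside the `!= IS_ARRAY` branches, so a by-reference argument that is an array is never detached here. Whether its elements are converted on a private copy is decided in code outside this hunk and should be checked against the same corruption scenario, together with any argument handled after the `from` block. The guards also carry no explanation; a short comment above the first one, such as `/* work on a private copy: a by-reference argument would otherwise be converted in place */`, would keep a later cleanup from removing them as redundant. The commit's file list shows only NEWS and ext/standard/string.c, so no regression test accompanies the fix; a test that passes reference arguments for `str`, `repl` and `from` would pin the behaviour. PHP_FUNCTION(substr_replace) begins and ends outside the hunk, so this applies only to the lines shown.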