Fixed a possible memory corruption because of unexpected call-time pass by refernce...
authorDmitry Stogov <dmitry@php.net>
Tue, 11 May 2010 10:41:19 +0000 (10:41 +0000)
committerDmitry Stogov <dmitry@php.net>
Tue, 11 May 2010 10:41:19 +0000 (10:41 +0000)
NEWS
Zend/zend_API.c

diff --git a/NEWS b/NEWS
index 052dd8f06f73e02db5b7f75ee0c91993be90e20e..689977e133b01a67457dd8b09de5482145bec168 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -23,6 +23,9 @@ PHP                                                                        NEWS
 - Fixed very rare memory leak in mysqlnd, when binding thousands of columns.
   (Andrey)
 
+- Fixed a possible memory corruption because of unexpected call-time pass by
+  refernce and following memory clobbering through callbacks.
+  Reported by Stefan Esser (Dmitry)
 - Fixed a possible memory corruption in addcslashes(). Reported by Stefan    
   Esser (Dmitry)
 - Fixed a possible stack exhaustion inside fnmatch(). Reported by Stefan    
index 0b9823a989ba553676bb1beda3a94f2e43382c66..49464705da0c313405cd2faeb9d54cf00145cb25 100644 (file)
@@ -412,6 +412,12 @@ static char *zend_parse_arg_impl(int arg_num, zval **arg, va_list *va, char **sp
                                        case IS_DOUBLE:
                                        case IS_BOOL:
                                                convert_to_string_ex(arg);
+                                               if (UNEXPECTED(Z_ISREF_PP(arg) != 0)) {
+                                                       /* it's dangerous to return pointers to string
+                                                          buffer of referenced variable, because it can
+                                                          be clobbered throug magic callbacks */
+                                                       SEPARATE_ZVAL(arg);
+                                               }
                                                *p = Z_STRVAL_PP(arg);
                                                *pl = Z_STRLEN_PP(arg);
                                                break;
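Review bot: The new SEPARATE_ZVAL runs only after convert_to_string_ex() has already converted the referenced variable in place, so a by-reference caller still sees its variable turned into a string; the copy protects only the `*p`/`*pl` pointers the engine keeps, which is the intent, but the comment should say so, e.g. `/* the referenced variable has already been converted above; copy it so the pointers we hand out below stay valid even if a later argument's magic callback (e.g. __toString) reassigns or frees the reference */`, and `throug` in the added comment (and `refernce` in the NEWS entry) should be spelled out. `Z_ISREF_PP(arg) != 0` can simply be `Z_ISREF_PP(arg)`. Note that SEPARATE_ZVAL only copies when the refcount is above one, which is fine here because a reference nobody else holds cannot be clobbered, but if any other branch of this switch or another specifier in zend_parse_arg_impl (both outside this hunk) returns interior pointers of `*arg` without the same guard, it remains exposed to the same callback-driven clobbering and should get the identical check. A regression .phpt that passes `&$var` as a string argument followed by an object whose __toString() reassigns `$var` would pin this fix; zend_parse_arg_impl begins before and continues after the hunk.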