Fixed bug #69893

author Nikita Popov <nikic@php.net>

Sat, 20 Jun 2015 15:14:48 +0000 (17:14 +0200)

committer Nikita Popov <nikic@php.net>

Sat, 20 Jun 2015 15:14:48 +0000 (17:14 +0200)
author Nikita Popov <nikic@php.net>
Sat, 20 Jun 2015 15:14:48 +0000 (17:14 +0200)
committer Nikita Popov <nikic@php.net>
Sat, 20 Jun 2015 15:14:48 +0000 (17:14 +0200)
diff --git a/NEWS b/NEWS

index 3558a6a7cc88e88905113b8be76e218ec35eff06..1ffee63ecf895c6590a134f77cf01874074cd49c 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -26,6 +26,8 @@ PHP                                                                        NEWS
      (Nikita)
    . Fixed bug #69892 (Different arrays compare indentical due to integer key
      truncation). (Nikita)
+  . Fixed bug #69893 (Strict comparison between integer and empty string keys
+    crashes). (Nikita)
  
  - DOM:
    . Fixed bug #69846 (Segmenation fault (access violation) when iterating over
diff --git a/Zend/zend_hash.c b/Zend/zend_hash.c

index 239fb0bb6bbb6fb77a95b31cb6f00d2db1b7f135..cea57f6901a10a6eadb8116e09060fcc9e8af246 100644 (file)
--- a/Zend/zend_hash.c
+++ b/Zend/zend_hash.c
@@ -2248,20 +2248,24 @@ ZEND_API int zend_hash_compare(HashTable *ht1, HashTable *ht2, compare_func_t co
                                         HASH_UNPROTECT_RECURSION(ht2);
                                         return p1->h > p2->h ? 1 : -1;
                                 }
-                       } else { /* string indices */
-                               size_t len0 = (p1->key ? p1->key->len : 0);
-                               size_t len1 = (p2->key ? p2->key->len : 0);
-                               if (len0 != len1) {
+                       } else if (p1->key != NULL && p2->key != NULL) { /* string indices */
+                               if (p1->key->len != p2->key->len) {
                                         HASH_UNPROTECT_RECURSION(ht1);
                                         HASH_UNPROTECT_RECURSION(ht2);
-                                       return len0 > len1 ? 1 : -1;
+                                       return p1->key->len > p2->key->len ? 1 : -1;
                                 }
+
                                 result = memcmp(p1->key->val, p2->key->val, p1->key->len);
                                 if (result != 0) {
                                         HASH_UNPROTECT_RECURSION(ht1);
                                         HASH_UNPROTECT_RECURSION(ht2);
                                         return result;
                                 }
+                       } else {
+                               /* Mixed key types: A string key is considered as larger */
+                               HASH_UNPROTECT_RECURSION(ht1);
+                               HASH_UNPROTECT_RECURSION(ht2);
+                               return p1->key != NULL ? 1 : -1;
                         }
                         pData2 = &p2->val;
                 } else {
author	Nikita Popov <nikic@php.net>
	Sat, 20 Jun 2015 15:14:48 +0000 (17:14 +0200)
committer	Nikita Popov <nikic@php.net>
	Sat, 20 Jun 2015 15:14:48 +0000 (17:14 +0200)
NEWS		patch \| blob \| history
Zend/zend_hash.c		patch \| blob \| history