Fixed a possible memory corruption in pack(). Reported by Stefan Esser
authorDmitry Stogov <dmitry@php.net>
Wed, 12 May 2010 11:04:57 +0000 (11:04 +0000)
committerDmitry Stogov <dmitry@php.net>
Wed, 12 May 2010 11:04:57 +0000 (11:04 +0000)
ext/standard/pack.c

index 5888039dc4f94fa8dbd5af4a31fb2c57441946c8..e0c7be42b482830972c586abd3bb5c8e0fb5bd19 100644 (file)
@@ -120,6 +120,9 @@ PHP_FUNCTION(pack)
                return;
        }
 
+       if (Z_ISREF_PP(argv[0])) {
+               SEPARATE_ZVAL(argv[0]);
+       }
        convert_to_string_ex(argv[0]);
 
        format = Z_STRVAL_PP(argv[0]);
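Review bot: The guard `if (Z_ISREF_PP(argv[0])) { SEPARATE_ZVAL(argv[0]); }` added before `convert_to_string_ex(argv[0])` has no comment saying why a reference must be separated first, and the same three lines are pasted into the three later hunks (the `arg < 0` branch, the `'A'` case and the block that sets `v`). `convert_to_string_ex` on its own separates only non-reference zvals, so a by-reference argument would otherwise be converted in place in the caller's variable; presumably that is the corruption path the commit title refers to, but the page does not spell it out. I would put `/* separate references so the conversion works on a private copy, not on the caller's variable */` above the first guard. Folding the guard and the conversion into one file-local macro would also keep a future format code from converting an argument without it. PHP_FUNCTION(pack) starts and ends outside this hunk.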
@@ -178,6 +181,9 @@ PHP_FUNCTION(pack)
                                }
 
                                if (arg < 0) {
+                                       if (Z_ISREF_PP(argv[currentarg])) {
+                                               SEPARATE_ZVAL(argv[currentarg]);
+                                       }
                                        convert_to_string_ex(argv[currentarg]);
                                        arg = Z_STRLEN_PP(argv[currentarg]);
                                }
@@ -311,6 +317,9 @@ PHP_FUNCTION(pack)
                        case 'A': 
                                memset(&output[outputpos], (code == 'a') ? '\0' : ' ', arg);
                                val = argv[currentarg++];
+                               if (Z_ISREF_PP(val)) {
+                                       SEPARATE_ZVAL(val);
+                               }
                                convert_to_string_ex(val);
                                memcpy(&output[outputpos], Z_STRVAL_PP(val),
                                           (Z_STRLEN_PP(val) < arg) ? Z_STRLEN_PP(val) : arg);
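Review bot: The `memcpy` after the added guard stays in bounds only because its length is clamped to `arg`, and nothing here says that the clamp is what keeps the write inside the region the `memset` has just filled. For a fixed repeat count this appears to be the first conversion of the argument, so its final length was not known when the output was sized (the sizing code is outside the hunk; this is inferred from the `arg < 0` branch earlier in the diff). A comment such as `/* val may be longer than arg; never copy more than the arg bytes reserved for this code */` above the `memcpy` would stop a later edit from dropping the clamp. The case body continues outside the hunk.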
@@ -324,6 +333,9 @@ PHP_FUNCTION(pack)
                                char *v;
 
                                val = argv[currentarg++];
+                               if (Z_ISREF_PP(val)) {
+                                       SEPARATE_ZVAL(val);
+                               }
                                convert_to_string_ex(val);
                                v = Z_STRVAL_PP(val);
                                outputpos--;
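Review bot: `v = Z_STRVAL_PP(val)` is taken right after the conversion, but the hunk ends before any line that bounds the reads through `v`, so the length check cannot be confirmed from here. Whatever limits the loop over `v` should compare `arg` with `Z_STRLEN_PP(val)` as it stands after `convert_to_string_ex(val)`, not with a length remembered from the format-scanning pass, since the conversion here may be the first one for this argument. If that check exists below, a comment `/* v and Z_STRLEN_PP(val) are only valid after the conversion above */` next to the assignment would document the ordering. The enclosing case block starts and ends outside the hunk.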