MFH: fix bug #38217 (ReflectionClass::newInstanceArgs() tries to allocate too much...
authorAntony Dovgal <tony2001@php.net>
Wed, 26 Jul 2006 08:03:48 +0000 (08:03 +0000)
committerAntony Dovgal <tony2001@php.net>
Wed, 26 Jul 2006 08:03:48 +0000 (08:03 +0000)
NEWS
ext/reflection/php_reflection.c
ext/reflection/tests/bug38217.phpt [new file with mode: 0644]

diff --git a/NEWS b/NEWS
index 7dfe2412e04757e4ff1384a4911745dcbd51c571..8c0b3446a69d9f13291215ac47a56faf3d410c29 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -9,6 +9,8 @@ PHP                                                                        NEWS
   . ext/filepro (Derick, Tony)
   . ext/hwapi (Derick, Tony)
 
+- Fixed bug #38217 (ReflectionClass::newInstanceArgs() tries to allocate too 
+  much memory). (Tony)
 - Fixed bug #38194 (ReflectionClass::isSubclassOf() returns TRUE for the class
   itself). (Ilia)
 - Fixed bug #38132 (ReflectionClass::getStaticProperties() retains \0 in key
index 20de73ce09c46ee7e870d1fca150d861b25f0843..d6a5f909ed443c983736b54fa5c4894214192860 100644 (file)
@@ -3394,7 +3394,7 @@ ZEND_METHOD(reflection_class, newInstanceArgs)
        zval *retval_ptr;
        reflection_object *intern;
        zend_class_entry *ce;
-       int argc;
+       int argc = 0;
        HashTable *args;
        
        
@@ -3404,11 +3404,13 @@ ZEND_METHOD(reflection_class, newInstanceArgs)
        if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "|h", &args) == FAILURE) {
                return;
        }
-       argc = args->nNumOfElements;
+       if (ZEND_NUM_ARGS() > 0) {
+               argc = args->nNumOfElements;
+       }
        
        /* Run the constructor if there is one */
        if (ce->constructor) {
-               zval ***params;
+               zval ***params = NULL;
                zend_fcall_info fci;
                zend_fcall_info_cache fcc;
 
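Review bot: `args` is still declared without an initializer (`HashTable *args;` in the first hunk), and the new guard uses `ZEND_NUM_ARGS() > 0` as a stand-in for "zend_parse_parameters() wrote to `args`". With the optional `"|h"` spec that holds for the lines shown, but the bug being fixed appears to come from reading `args->nNumOfElements` through this indeterminate pointer, so I would declare it `HashTable *args = NULL;` and test the pointer itself, `if (args) { argc = args->nNumOfElements; }`. Any later use of `args` on the no-argument path then fails deterministically instead of reading whatever was on the stack. The method body starts and ends outside this hunk.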
@@ -3416,10 +3418,12 @@ ZEND_METHOD(reflection_class, newInstanceArgs)
                        zend_throw_exception_ex(reflection_exception_ptr, 0 TSRMLS_CC, "Access to non-public constructor of class %s", ce->name);
                        return;
                }
-
-               params = safe_emalloc(sizeof(zval **), argc, 0);
-               zend_hash_apply_with_argument(args, (apply_func_arg_t)_zval_array_to_c_array, &params TSRMLS_CC);       
-               params -= argc;
+               
+               if (argc) {
+                       params = safe_emalloc(sizeof(zval **), argc, 0);
+                       zend_hash_apply_with_argument(args, (apply_func_arg_t)_zval_array_to_c_array, &params TSRMLS_CC);       
+                       params -= argc;
+               }
 
                object_init_ex(return_value, ce);
 
@@ -3439,7 +3443,9 @@ ZEND_METHOD(reflection_class, newInstanceArgs)
                fcc.object_pp = &return_value;
 
                if (zend_call_function(&fci, &fcc TSRMLS_CC) == FAILURE) {
-                       efree(params);
+                       if (params) {
+                               efree(params);
+                       }
                        zval_ptr_dtor(&retval_ptr);
                        zend_error(E_WARNING, "Invocation of %s's constructor failed", ce->name);
                        RETURN_NULL();
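Review bot: `zval_ptr_dtor(&retval_ptr)` on this failure path is unconditional, while the success path in the next hunk checks `if (retval_ptr)` first. `retval_ptr` is declared without an initializer at the top of the method, and whether it is assigned before `zend_call_function()` can return FAILURE is not visible in these hunks. If it is not, this is the same kind of indeterminate-pointer use the commit fixes for `args`. I would initialize it, `zval *retval_ptr = NULL;`, and guard the call here as the success path does, `if (retval_ptr) { zval_ptr_dtor(&retval_ptr); }`.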
@@ -3447,7 +3453,9 @@ ZEND_METHOD(reflection_class, newInstanceArgs)
                if (retval_ptr) {
                        zval_ptr_dtor(&retval_ptr);
                }
-               efree(params);
+               if (params) {
+                       efree(params);
+               }
        } else if (!ZEND_NUM_ARGS()) {
                object_init_ex(return_value, ce);
        } else {
diff --git a/ext/reflection/tests/bug38217.phpt b/ext/reflection/tests/bug38217.phpt
new file mode 100644 (file)
index 0000000..55e0c46
--- /dev/null
@@ -0,0 +1,40 @@
+--TEST--
+#38217 (ReflectionClass::newInstanceArgs() tries to allocate too much memory)
+--FILE--
+<?php
+
+class Object {
+       public function __construct() {
+       }
+}
+
+$class= new ReflectionClass('Object');
+var_dump($class->newInstanceArgs());
+
+class Object1 {
+       public function __construct($var) {
+               var_dump($var);
+       }
+}
+
+$class= new ReflectionClass('Object1');
+var_dump($class->newInstanceArgs());
+var_dump($class->newInstanceArgs(array('test')));
+
+
+echo "Done\n";
+?>
+--EXPECTF--    
+object(Object)#%d (0) {
+}
+
+Warning: Missing argument 1 for Object1::__construct() in %s on line %d
+
+Notice: Undefined variable: var in %s on line %d
+NULL
+object(Object1)#%d (0) {
+}
+string(4) "test"
+object(Object1)#%d (0) {
+}
+Done
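Review bot: The test never calls `newInstanceArgs(array())`, the one case where an argument is passed but `argc` stays 0. That leaves the combination of a populated `args` with a NULL `params` in php_reflection.c unexercised. Adding `var_dump($class->newInstanceArgs(array()));` for both `Object` and `Object1`, with the matching EXPECTF lines, would cover it. A class without a constructor is also missing, so the `else if (!ZEND_NUM_ARGS())` branch and the `else` after it are not tested here.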