Bug #47880 (crashes in call_user_func_array())

author Dmitry Stogov <dmitry@php.net>

Mon, 6 Apr 2009 11:10:50 +0000 (11:10 +0000)

committer Dmitry Stogov <dmitry@php.net>

Mon, 6 Apr 2009 11:10:50 +0000 (11:10 +0000)
author Dmitry Stogov <dmitry@php.net>
Mon, 6 Apr 2009 11:10:50 +0000 (11:10 +0000)
committer Dmitry Stogov <dmitry@php.net>
Mon, 6 Apr 2009 11:10:50 +0000 (11:10 +0000)
diff --git a/Zend/tests/bug47880.phpt b/Zend/tests/bug47880.phpt

new file mode 100644 (file)

index 0000000..bf2022c
--- /dev/null
+++ b/Zend/tests/bug47880.phpt
@@ -0,0 +1,15 @@
+--TEST--
+Bug #47880 (crashes in call_user_func_array())
+--FILE--
+<?php
+class bomb {
+  static function go($n)       {
+   $backtrace = debug_backtrace(false);
+   $backtrace[1]['args'][1] = 'bomb';
+  }
+}
+call_user_func_array(array('bomb', 'go'), array(0));
+echo "ok\n";
+?>
+--EXPECT--
+ok
diff --git a/Zend/zend_API.c b/Zend/zend_API.c

index 7616934f4f6dad51c708dae4dcfddd168b7c4720..4ef402d9a28fa5192242c2c4e797a2032a69c271 100644 (file)
--- a/Zend/zend_API.c
+++ b/Zend/zend_API.c
@@ -3270,9 +3270,6 @@ ZEND_API int zend_fcall_info_init(zval *callable, uint check_flags, zend_fcall_i
  ZEND_API void zend_fcall_info_args_clear(zend_fcall_info *fci, int free_mem) /* {{{ */
  {
         if (fci->params) {
-               while (fci->param_count) {
-                       zval_ptr_dtor(fci->params[--fci->param_count]);
-               }
                 if (free_mem) {
                         efree(fci->params);
                         fci->params = NULL;
@@ -3320,7 +3317,6 @@ ZEND_API int zend_fcall_info_args(zend_fcall_info *fci, zval *args TSRMLS_DC) /*
         zend_hash_internal_pointer_reset_ex(Z_ARRVAL_P(args), &pos);
         while (zend_hash_get_current_data_ex(Z_ARRVAL_P(args), (void *) &arg, &pos) == SUCCESS) {
                 *params++ = arg;
-               Z_ADDREF_P(*arg);
                 zend_hash_move_forward_ex(Z_ARRVAL_P(args), &pos);
         }
  
@@ -3343,7 +3339,6 @@ ZEND_API int zend_fcall_info_argp(zend_fcall_info *fci TSRMLS_DC, int argc, zval
                 fci->params = (zval ***) erealloc(fci->params, fci->param_count * sizeof(zval **));
  
                 for (i = 0; i < argc; ++i) {
-                       Z_ADDREF_P(*(argv[i]));
                         fci->params[i] = argv[i];
                 }
         }
@@ -3369,7 +3364,6 @@ ZEND_API int zend_fcall_info_argv(zend_fcall_info *fci TSRMLS_DC, int argc, va_l
  
                 for (i = 0; i < argc; ++i) {
                         arg = va_arg(*argv, zval **);
-                       Z_ADDREF_P(*arg);
                         fci->params[i] = arg;
                 }
         }
author	Dmitry Stogov <dmitry@php.net>
	Mon, 6 Apr 2009 11:10:50 +0000 (11:10 +0000)
committer	Dmitry Stogov <dmitry@php.net>
	Mon, 6 Apr 2009 11:10:50 +0000 (11:10 +0000)
Zend/tests/bug47880.phpt	[new file with mode: 0644]	patch \| blob
Zend/zend_API.c		patch \| blob \| history