Bug #47880 (crashes in call_user_func_array())
authorDmitry Stogov <dmitry@php.net>
Mon, 6 Apr 2009 11:10:32 +0000 (11:10 +0000)
committerDmitry Stogov <dmitry@php.net>
Mon, 6 Apr 2009 11:10:32 +0000 (11:10 +0000)
NEWS
Zend/tests/bug47880.phpt [new file with mode: 0644]
Zend/zend_API.c

diff --git a/NEWS b/NEWS
index c0b0224761c1483732e9dbeb820e9a82c5398217..2322e0320c8ac17012f251bdae30b26f2a5fd965 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -4,6 +4,7 @@ PHP                                                                        NEWS
 - Undeprecated ticks. (Arnaud)
 - Upgraded bundled sqlite to version 3.6.12. (Scott)
 
+- Fixed bug #47880 (crashes in call_user_func_array()). (Dmitry)
 - Fixed bug #47856 (stristr() converts needle to lower-case). (Ilia)
 - Fixed bug #47851 (is_callable throws fatal error). (Dmitry)
 - Fixed bug #47819 (Getting pdo_mysql.so: undefined symbol: mysqlnd_debug_init
diff --git a/Zend/tests/bug47880.phpt b/Zend/tests/bug47880.phpt
new file mode 100644 (file)
index 0000000..bf2022c
--- /dev/null
@@ -0,0 +1,15 @@
+--TEST--
+Bug #47880 (crashes in call_user_func_array())
+--FILE--
+<?php
+class bomb {
+  static function go($n)       {
+   $backtrace = debug_backtrace(false);
+   $backtrace[1]['args'][1] = 'bomb';
+  }
+}
+call_user_func_array(array('bomb', 'go'), array(0));
+echo "ok\n";
+?>
+--EXPECT--
+ok
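Review bot: The only expectation is `ok`, so this test detects the bug only when the bad memory access actually crashes the process. On a build without a debug allocator or memory checker, an access to already-released memory can go unnoticed, and the test may pass even against the unfixed code. The `--FILE--` section also gives no hint why writing to `$backtrace[1]['args'][1]` matters. I would add a comment such as `// frame 1 is presumably call_user_func_array(); overwriting its argument array used to crash during argument cleanup`, worded to match what the bug report confirms.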
index b0c460606c5d3c228f9adacf949084475b319eca..0e186691d76924c346016a1807e620d66940756f 100644 (file)
@@ -2856,9 +2856,6 @@ ZEND_API int zend_fcall_info_init(zval *callable, uint check_flags, zend_fcall_i
 ZEND_API void zend_fcall_info_args_clear(zend_fcall_info *fci, int free_mem) /* {{{ */
 {
        if (fci->params) {
-               while (fci->param_count) {
-                       zval_ptr_dtor(fci->params[--fci->param_count]);
-               }
                if (free_mem) {
                        efree(fci->params);
                        fci->params = NULL;
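Review bot: With the `zval_ptr_dtor` loop gone, `zend_fcall_info_args_clear()` releases only the pointer array, and the hunks below in `zend_fcall_info_args`, `zend_fcall_info_argp` and `zend_fcall_info_argv` no longer take a reference, so `fci->params` now holds borrowed `zval **` entries and nothing in the new code says so. In `zend_fcall_info_args` those entries come straight from iterating the `args` hash, so they stay valid only while that array is alive and unmodified; any code that dereferences `fci->params` after the array has been destroyed would read freed memory. I would add a comment above this function such as `/* fci->params entries are borrowed, not owned: the caller keeps the source zvals alive for as long as params is used */` and repeat the lifetime rule on the three fillers. Code outside this file that fills `fci->params` itself and relied on this function to drop references would presumably leak after the change, which deserves a line in the upgrade notes. The function body continues outside the hunk.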
@@ -2906,7 +2903,6 @@ ZEND_API int zend_fcall_info_args(zend_fcall_info *fci, zval *args TSRMLS_DC) /*
        zend_hash_internal_pointer_reset_ex(Z_ARRVAL_P(args), &pos);
        while (zend_hash_get_current_data_ex(Z_ARRVAL_P(args), (void *) &arg, &pos) == SUCCESS) {
                *params++ = arg;
-               Z_ADDREF_P(*arg);
                zend_hash_move_forward_ex(Z_ARRVAL_P(args), &pos);
        }
 
@@ -2929,7 +2925,6 @@ ZEND_API int zend_fcall_info_argp(zend_fcall_info *fci TSRMLS_DC, int argc, zval
                fci->params = (zval ***) erealloc(fci->params, fci->param_count * sizeof(zval **));
 
                for (i = 0; i < argc; ++i) {
-                       Z_ADDREF_P(*(argv[i]));
                        fci->params[i] = argv[i];
                }
        }
@@ -2955,7 +2950,6 @@ ZEND_API int zend_fcall_info_argv(zend_fcall_info *fci TSRMLS_DC, int argc, va_l
 
                for (i = 0; i < argc; ++i) {
                        arg = va_arg(*argv, zval **);
-                       Z_ADDREF_P(*arg);
                        fci->params[i] = arg;
                }
        }