duplicate value's string for the SAPI filter

reported by sesser; tyrael, do you take care of the bug/NEWS?

diff --git a/main/php_variables.c b/main/php_variables.c
index 90cfcb20bc93c6dd98633c6bb99aa1a67b1382b7..b2df88be615052d19ddc2bb4c671d9eca2d51a6d 100644 (file)
--- a/main/php_variables.c
+++ b/main/php_variables.c
@@ -241,7 +241,7 @@ typedef struct post_var_data {
 
 static zend_bool add_post_var(zval *arr, post_var_data_t *var, zend_bool eof TSRMLS_DC)
 {
-       char *ksep, *vsep;
+       char *ksep, *vsep, *val;
        size_t klen, vlen;
        /* FIXME: string-size_t */
        unsigned int new_vlen;
@@ -272,15 +272,17 @@ static zend_bool add_post_var(zval *arr, post_var_data_t *var, zend_bool eof TSR
                vlen = 0;
        }
 
-
        php_url_decode(var->ptr, klen);
+
+       val = estrndup(ksep, vlen);
        if (vlen) {
-               vlen = php_url_decode(ksep, vlen);
+               vlen = php_url_decode(val, vlen);
        }
 
-       if (sapi_module.input_filter(PARSE_POST, var->ptr, &ksep, vlen, &new_vlen TSRMLS_CC)) {
-               php_register_variable_safe(var->ptr, ksep, new_vlen, arr TSRMLS_CC);
+       if (sapi_module.input_filter(PARSE_POST, var->ptr, &val, vlen, &new_vlen TSRMLS_CC)) {
+               php_register_variable_safe(var->ptr, val, new_vlen, arr TSRMLS_CC);
        }
+       efree(val);
 
        var->ptr = vsep + (vsep != var->end);
        return 1;