Fixed bug #33958 (duplicate cookies and magic_quotes=off may cause a crash)

diff --git a/NEWS b/NEWS
index 2ef0b0791e0fc89d18be983827b2bd15d16c30c4..ee1efb34083438e9f622e68d39c3758cf0a8571e 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -3,6 +3,8 @@ PHP                                                                        NEWS
 ?? ??? 2005, PHP 5.1
 - Fixed bug #33967 (misuse of Exception constructor doesn't display errorfile).
   (Jani)
+- Fixed bug #33958 (duplicate cookies and magic_quotes=off may cause a crash).
+  (Ilia)
 - Fixed bug #33917 (number_format() output with > 1 char separators). (Jani)
 - Fixed bug #33904 (input array keys being escaped when magic quotes is off). 
   (Ilia)

diff --git a/main/php_variables.c b/main/php_variables.c
index 31f80674e1ef91cd07fd8249546e1bd918fa31b0..3d686d0bc63b93acb68e750e993f245e83fb0dab 100644 (file)
--- a/main/php_variables.c
+++ b/main/php_variables.c
@@ -198,7 +198,9 @@ plain_var:
                                 */
                                if (PG(http_globals)[TRACK_VARS_COOKIE] && symtable1 == Z_ARRVAL_P(PG(http_globals)[TRACK_VARS_COOKIE]) && 
                                        zend_symtable_find(symtable1, escaped_index, index_len+1, (void **) &tmp) != FAILURE) {
-                                       efree(escaped_index);
+                                       if (PG(magic_quotes_gpc)) { 
+                                               efree(escaped_index);
+                                       }
                                        break;
                                }
                                zend_symtable_update(symtable1, escaped_index, index_len + 1, &gpc_element, sizeof(zval *), (void **) &gpc_element_p);