]> granicus.if.org Git - php/commitdiff
projects / php / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: cb29c01)
Fix bug #73181
authorNikita Popov <nikic@php.net>
Tue, 27 Sep 2016 17:47:48 +0000 (19:47 +0200)
committerNikita Popov <nikic@php.net>
Tue, 27 Sep 2016 17:47:48 +0000 (19:47 +0200)
NEWS patch | blob | history
Zend/tests/bug73181.phpt [new file with mode: 0644] patch | blob
Zend/zend_hash.c patch | blob | history

diff --git a/NEWS b/NEWS
index e45d2b52eb016c641729242cea9749f55f08c0f3..0848c2e96479787651cb3f9badedd245b1637158 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -2,7 +2,9 @@ PHP                                                                        NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 ?? ??? 2016 PHP 7.0.13
 
-
+- Core:
+  . Fixed bug #73181 (parse_str() without a second argument leads to crash).
+    (Nikita)
 
 13 Oct 2016 PHP 7.0.12
 
diff --git a/Zend/tests/bug73181.phpt b/Zend/tests/bug73181.phpt
new file mode 100644 (file)
index 0000000..2994e99
--- /dev/null
+++ b/Zend/tests/bug73181.phpt
@@ -0,0 +1,20 @@
+--TEST--
+Bug #73181: parse_str() without a second argument leads to crash
+--FILE--
+<?php
+
+function x() {
+    parse_str("1&x");
+    var_dump(get_defined_vars());
+}
+
+x();
+
+?>
+--EXPECT--
+array(2) {
+  [1]=>
+  string(0) ""
+  ["x"]=>
+  string(0) ""
+}
diff --git a/Zend/zend_hash.c b/Zend/zend_hash.c
index efbc1e2ae4ff3f290cfff3693aa340d65bf4968c..aecdac63798940d031088ef1b20606d4becf342d 100644 (file)
--- a/Zend/zend_hash.c
+++ b/Zend/zend_hash.c
@@ -1447,13 +1447,17 @@ ZEND_API void ZEND_FASTCALL zend_symtable_clean(HashTable *ht)
                } else if (ht->nNumUsed == ht->nNumOfElements) {
                        do {
                                i_zval_ptr_dtor(&p->val ZEND_FILE_LINE_CC);
-                               zend_string_release(p->key);
+                               if (EXPECTED(p->key)) {
+                                       zend_string_release(p->key);
+                               }
                        } while (++p != end);
                } else {
                        do {
                                if (EXPECTED(Z_TYPE(p->val) != IS_UNDEF)) {
                                        i_zval_ptr_dtor(&p->val ZEND_FILE_LINE_CC);
-                                       zend_string_release(p->key);
+                                       if (EXPECTED(p->key)) {
+                                               zend_string_release(p->key);
+                                       }
                                }
                        } while (++p != end);
                }
Unnamed repository; edit this file 'description' to name the repository.