Fix uninitialized reads in min/max
authorNikita Popov <nikita.ppv@gmail.com>
Fri, 26 Jun 2020 07:36:17 +0000 (09:36 +0200)
committerNikita Popov <nikita.ppv@gmail.com>
Fri, 26 Jun 2020 07:36:17 +0000 (09:36 +0200)
We need to use the unstable comparison function here, because the fallback
order is not initialized in this context.

ext/standard/array.c

index 9b0efaf301fe8fef5a05d7c05c3b7e635501ee4b..8f326f38d8e5ff417079e4a67fbc90ac67e8d415 100644 (file)
@@ -1297,13 +1297,12 @@ PHP_FUNCTION(min)
 
        /* mixed min ( array $values ) */
        if (argc == 1) {
-               zval *result;
-
                if (Z_TYPE(args[0]) != IS_ARRAY) {
                        zend_argument_type_error(1, "must be of type array, %s given", zend_zval_type_name(&args[0]));
                        RETURN_THROWS();
                } else {
-                       if ((result = zend_hash_minmax(Z_ARRVAL(args[0]), php_array_data_compare, 0)) != NULL) {
+                       zval *result = zend_hash_minmax(Z_ARRVAL(args[0]), php_array_data_compare_unstable, 0);
+                       if (result) {
                                ZVAL_COPY_DEREF(return_value, result);
                        } else {
                                zend_argument_value_error(1, "must contain at least one element");
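Review bot: The new `zend_hash_minmax(..., php_array_data_compare_unstable, 0)` call in PHP_FUNCTION(min) has no comment saying why the stable comparator must not be used, so a later cleanup could swap `php_array_data_compare` back in and reintroduce the uninitialized read. I would add above the call `/* The fallback order is not initialized here, so the stable comparator must not be used. */`; the reason is taken from the commit message, not from code visible in the hunk. The same comment belongs on the matching call in the PHP_FUNCTION(max) hunk. Both hunks show only the `argc == 1` branch, and the function bodies continue outside them, so the multi-argument path should be checked separately for a comparator that relies on the fallback order.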
@@ -1344,13 +1343,12 @@ PHP_FUNCTION(max)
 
        /* mixed max ( array $values ) */
        if (argc == 1) {
-               zval *result;
-
                if (Z_TYPE(args[0]) != IS_ARRAY) {
                        zend_argument_type_error(1, "must be of type array, %s given", zend_zval_type_name(&args[0]));
                        RETURN_THROWS();
                } else {
-                       if ((result = zend_hash_minmax(Z_ARRVAL(args[0]), php_array_data_compare, 1)) != NULL) {
+                       zval *result = zend_hash_minmax(Z_ARRVAL(args[0]), php_array_data_compare_unstable, 1);
+                       if (result) {
                                ZVAL_COPY_DEREF(return_value, result);
                        } else {
                                zend_argument_value_error(1, "must contain at least one element");