Properly validate ArrayObject::asort() argument

diff --git a/ext/spl/spl_array.c b/ext/spl/spl_array.c
index 75668e2f0fc9ab9723c61c76d6f8f92df4ef6943..3942366fa0fdb66a4105df16f5fd80b4112993d9 100644 (file)
--- a/ext/spl/spl_array.c
+++ b/ext/spl/spl_array.c
@@ -55,8 +55,8 @@ PHPAPI zend_class_entry  *spl_ce_RecursiveArrayIterator;
 #define SPL_ARRAY_CLONE_MASK         0x0100FFFF
 
 #define SPL_ARRAY_METHOD_NO_ARG                                0
-#define SPL_ARRAY_METHOD_USE_ARG               1
-#define SPL_ARRAY_METHOD_MAY_USER_ARG          2
+#define SPL_ARRAY_METHOD_CALLBACK_ARG                  1
+#define SPL_ARRAY_METHOD_SORT_FLAGS_ARG        2
 
 typedef struct _spl_array_object {
        zval              array;
@@ -1429,15 +1429,14 @@ static void spl_array_method(INTERNAL_FUNCTION_PARAMETERS, char *fname, int fnam
                intern->nApplyCount++;
                call_user_function(EG(function_table), NULL, &function_name, return_value, 1, params);
                intern->nApplyCount--;
-       } else if (use_arg == SPL_ARRAY_METHOD_MAY_USER_ARG) {
-               if (zend_parse_parameters(ZEND_NUM_ARGS(), "|z", &arg) == FAILURE) {
+       } else if (use_arg == SPL_ARRAY_METHOD_SORT_FLAGS_ARG) {
+               zend_long sort_flags = 0;
+               if (zend_parse_parameters(ZEND_NUM_ARGS(), "|l", &sort_flags) == FAILURE) {
                        goto exit;
                }
-               if (arg) {
-                       ZVAL_COPY_VALUE(&params[1], arg);
-               }
+               ZVAL_LONG(&params[1], sort_flags);
                intern->nApplyCount++;
-               call_user_function(EG(function_table), NULL, &function_name, return_value, arg ? 2 : 1, params);
+               call_user_function(EG(function_table), NULL, &function_name, return_value, 2, params);
                intern->nApplyCount--;
        } else {
                if (zend_parse_parameters(ZEND_NUM_ARGS(), "z", &arg) == FAILURE) {
@@ -1468,16 +1467,16 @@ PHP_METHOD(cname, fname) \
 }
 
 /* {{{ Sort the entries by values. */
-SPL_ARRAY_METHOD(ArrayObject, asort, SPL_ARRAY_METHOD_MAY_USER_ARG) /* }}} */
+SPL_ARRAY_METHOD(ArrayObject, asort, SPL_ARRAY_METHOD_SORT_FLAGS_ARG) /* }}} */
 
 /* {{{ Sort the entries by key. */
-SPL_ARRAY_METHOD(ArrayObject, ksort, SPL_ARRAY_METHOD_MAY_USER_ARG) /* }}} */
+SPL_ARRAY_METHOD(ArrayObject, ksort, SPL_ARRAY_METHOD_SORT_FLAGS_ARG) /* }}} */
 
 /* {{{ Sort the entries by values user defined function. */
-SPL_ARRAY_METHOD(ArrayObject, uasort, SPL_ARRAY_METHOD_USE_ARG) /* }}} */
+SPL_ARRAY_METHOD(ArrayObject, uasort, SPL_ARRAY_METHOD_CALLBACK_ARG) /* }}} */
 
 /* {{{ Sort the entries by key using user defined function. */
-SPL_ARRAY_METHOD(ArrayObject, uksort, SPL_ARRAY_METHOD_USE_ARG) /* }}} */
+SPL_ARRAY_METHOD(ArrayObject, uksort, SPL_ARRAY_METHOD_CALLBACK_ARG) /* }}} */
 
 /* {{{ Sort the entries by values using "natural order" algorithm. */
 SPL_ARRAY_METHOD(ArrayObject, natsort, SPL_ARRAY_METHOD_NO_ARG) /* }}} */

diff --git a/ext/spl/tests/arrayObject_asort_basic1.phpt b/ext/spl/tests/arrayObject_asort_basic1.phpt
index 555b215ccedce0e103039b39a6f0ab13ad3bec03..efce55d4d58743330203939de93cffaf317c1efc 100644 (file)
--- a/ext/spl/tests/arrayObject_asort_basic1.phpt
+++ b/ext/spl/tests/arrayObject_asort_basic1.phpt
@@ -36,7 +36,7 @@ object(ArrayObject)#%d (1) {
     int(4)
   }
 }
-asort(): Argument #2 ($flags) must be of type int, string given
+ArrayObject::asort(): Argument #1 ($flags) must be of type int, string given
 object(ArrayObject)#%d (1) {
   ["storage":"ArrayObject":private]=>
   array(3) {

diff --git a/ext/spl/tests/arrayObject_ksort_basic1.phpt b/ext/spl/tests/arrayObject_ksort_basic1.phpt
index d853e3c017bc31b4c51194b223ba2f300a7c4a3d..27605461cbebc82ed0b62313608d3525211392aa 100644 (file)
--- a/ext/spl/tests/arrayObject_ksort_basic1.phpt
+++ b/ext/spl/tests/arrayObject_ksort_basic1.phpt
@@ -35,7 +35,7 @@ object(ArrayObject)#%d (1) {
     int(3)
   }
 }
-ksort(): Argument #2 ($flags) must be of type int, string given
+ArrayObject::ksort(): Argument #1 ($flags) must be of type int, string given
 object(ArrayObject)#2 (1) {
   ["storage":"ArrayObject":private]=>
   array(4) {