]> granicus.if.org Git - php/commitdiff
projects / php / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 12db8b9)
Fixed bug #79930
authorNikita Popov <nikita.ppv@gmail.com>
Wed, 5 Aug 2020 13:41:42 +0000 (15:41 +0200)
committerNikita Popov <nikita.ppv@gmail.com>
Wed, 5 Aug 2020 13:43:41 +0000 (15:43 +0200)
We're inserting src_zval, so that's what we should addref.

NEWS patch | blob | history
ext/standard/array.c patch | blob | history
ext/standard/tests/array/bug79930.phpt [new file with mode: 0644] patch | blob

diff --git a/NEWS b/NEWS
index cdeb8506ba170ad7c828e424e54840bd1e6b4afc..172a78162241f371959d798646722d7d3f55aa0c 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -17,6 +17,10 @@ PHP                                                                        NEWS
   . Fixed bug #73060 (php failed with error after temp folder cleaned up).
     (cmb)
 
+- Standard:
+  . Fixed bug #79930 (array_merge_recursive() crashes when called with array
+    with single reference). (Nikita)
+
 06 Aug 2020, PHP 7.3.21
 
 - Apache:
diff --git a/ext/standard/array.c b/ext/standard/array.c
index 300f71493238ef0b6e04fcaa2ee2a11488edb465..09c3a9f256b9df2e1764df0cc7447dd81c60c1b0 100644 (file)
--- a/ext/standard/array.c
+++ b/ext/standard/array.c
@@ -3615,7 +3615,7 @@ PHPAPI int php_array_merge_recursive(HashTable *dest, HashTable *src) /* {{{ */
                                                return 0;
                                        }
                                } else {
-                                       Z_TRY_ADDREF_P(src_entry);
+                                       Z_TRY_ADDREF_P(src_zval);
                                        zend_hash_next_index_insert(Z_ARRVAL_P(dest_zval), src_zval);
                                }
                                zval_ptr_dtor(&tmp);
diff --git a/ext/standard/tests/array/bug79930.phpt b/ext/standard/tests/array/bug79930.phpt
new file mode 100644 (file)
index 0000000..bb4e1dd
--- /dev/null
+++ b/ext/standard/tests/array/bug79930.phpt
@@ -0,0 +1,33 @@
+--TEST--
+Bug #79930: array_merge_recursive() crashes when called with array with single reference
+--FILE--
+<?php
+
+$a = 'a';
+$array = [
+    'value' => $a . 'b',
+];
+
+// Create rc=1 reference.
+array_walk($array, function () {});
+
+$m = array_merge_recursive(['value' => 'a'], $array);
+
+var_dump($a, $array, $m);
+
+?>
+--EXPECT--
+string(1) "a"
+array(1) {
+  ["value"]=>
+  string(2) "ab"
+}
+array(1) {
+  ["value"]=>
+  array(2) {
+    [0]=>
+    string(1) "a"
+    [1]=>
+    string(2) "ab"
+  }
+}
Unnamed repository; edit this file 'description' to name the repository.