php_add_var_hash() uses sizeof(id) in the calls to zend_hash_*, implying

that all bytes in the character array have been set (they are used
to compute the hash value using hashpjw).

The function assumes that sprintf's %p modifier would always prefix
the output with "0x".  On HPUX, this is not the case.  Hence, not
all bytes may be properly initialized before being read.

This has been addressed by using only initialized bytes as the key.

diff --git a/ext/standard/var.c b/ext/standard/var.c
index f7259b702b40461a946917983087287577b75f56..8a773ac4075a3bd39f5cad9c9c73dbd5bfb63ae5 100644 (file)
--- a/ext/standard/var.c
+++ b/ext/standard/var.c
@@ -161,7 +161,7 @@ inline int php_add_var_hash(HashTable *var_hash, zval *var, void *var_old) {
        snprintf(id,sizeof(id)-1, "%p", var);
        id[sizeof(id)-1]='\0';
 
-       if(var_old && zend_hash_find(var_hash, id, sizeof(id), var_old) == SUCCESS) {
+       if(var_old && zend_hash_find(var_hash, id, strlen(id), var_old) == SUCCESS) {
                if(!var->is_ref) {
                        /* we still need to bump up the counter, since non-refs will
                           be counted separately by unserializer */
@@ -172,7 +172,7 @@ inline int php_add_var_hash(HashTable *var_hash, zval *var, void *var_old) {
        }
        
        var_no = zend_hash_num_elements(var_hash)+1; /* +1 because otherwise hash will think we are trying to store NULL pointer */
-       zend_hash_add(var_hash, id, sizeof(id), &var_no, sizeof(var_no), NULL);
+       zend_hash_add(var_hash, id, strlen(id), &var_no, sizeof(var_no), NULL);
        return SUCCESS;
 }