From: Sascha Schumann <sas@php.net>
Date: Tue, 22 Jul 2003 01:10:30 +0000 (+0000)
Subject: Proper fix for #24592
X-Git-Tag: php-4.3.3RC2~72
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=07b9f0c1d5dcaee66af24bae6f60469683051590;p=php

Proper fix for #24592

The core issue is that undefined variables are refcounted (refcount != 0)
while is_ref is still set to 0.  I don't know whether this is a bug in
the engine, but is it not the first time this irregularity has caused
problems for the session extension.

The irregularity confused ZEND_SET_SYMBOL_WITH_LENGTH which then did
the wrong thing WRT null values.

Fortunately, nulls can simply be ignored in this case, thus the old
code is restored and a new condition is added.
---

diff --git a/ext/session/session.c b/ext/session/session.c
index 57b686cf13..9e7cfc16c0 100644
--- a/ext/session/session.c
+++ b/ext/session/session.c
@@ -628,19 +628,18 @@ static int migrate_global(HashTable *ht, HashPosition *pos TSRMLS_DC)
 	uint str_len;
 	ulong num_key;
 	int n;
-	zval **val = NULL;
+	zval **val;
 	int ret = 0;
 	
 	n = zend_hash_get_current_key_ex(ht, &str, &str_len, &num_key, 0, pos);
 
 	switch (n) {
 		case HASH_KEY_IS_STRING:
-			if (zend_hash_find(&EG(symbol_table), str, str_len, (void **) &val) == SUCCESS && val) {
-				if (!PZVAL_IS_REF(*val)) {
-					(*val)->is_ref = 1;
-					(*val)->refcount += 1;
-					zend_hash_update(ht, str, str_len, val, sizeof(zval *), NULL);
-				}
+			if (zend_hash_find(&EG(symbol_table), str, str_len, 
+						(void **) &val) == SUCCESS 
+					&& val && Z_TYPE_PP(val) != IS_NULL) {
+				ZEND_SET_SYMBOL_WITH_LENGTH(ht, str, str_len, *val, 
+						(*val)->refcount + 1 , 1);
 				ret = 1;
 			}
 			break;