From: Etienne Kneuss Date: Sun, 5 Oct 2008 14:49:25 +0000 (+0000) Subject: Fix #46222 (Allow indirect modifications of Arrays inside ArrayObject + fix EG(uninit... X-Git-Tag: php-5.2.7RC1~12 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=47d935664a90a128b34e79f8b74c4dfae02d82bd;p=php Fix #46222 (Allow indirect modifications of Arrays inside ArrayObject + fix EG(uninitialized_zval_ptr) overwrite) --- diff --git a/NEWS b/NEWS index fa661b9756..875aea4fa1 100644 --- a/NEWS +++ b/NEWS @@ -141,6 +141,8 @@ PHP NEWS - Fixed bug #42318 (problem with nm on AIX, not finding object files). (Dmitry) - Fixed bug #41348 (OCI8: allow compilation with Oracle 8.1). (Chris Jones) - Fixed bug #14032 (Mail() always returns false but mail is sent). (Mikko) +- Fixed bug #46222 (ArrayObject EG(uninitialized_var_ptr) overwrite). + (Etienne) 01 May 2008, PHP 5.2.6 - Fixed two possible crashes inside posix extension (Tony) diff --git a/ext/spl/spl_array.c b/ext/spl/spl_array.c index 5398dd85f9..257b503dce 100755 --- a/ext/spl/spl_array.c +++ b/ext/spl/spl_array.c @@ -255,6 +255,7 @@ static zval **spl_array_get_dimension_ptr_ptr(int check_inherited, zval *object, spl_array_object *intern = (spl_array_object*)zend_object_store_get_object(object TSRMLS_CC); zval **retval; long index; + HashTable *ht = spl_array_get_hash_table(intern, 0 TSRMLS_CC); /* We cannot get the pointer pointer so we don't allow it here for now if (check_inherited && intern->fptr_offset_get) { 
@@ -267,9 +268,17 @@ static zval **spl_array_get_dimension_ptr_ptr(int check_inherited, zval *object, switch(Z_TYPE_P(offset)) { case IS_STRING: - if (zend_symtable_find(spl_array_get_hash_table(intern, 0 TSRMLS_CC), Z_STRVAL_P(offset), Z_STRLEN_P(offset)+1, (void **) &retval) == FAILURE) { - zend_error(E_NOTICE, "Undefined index: %s", Z_STRVAL_P(offset)); - return &EG(uninitialized_zval_ptr); + if (zend_symtable_find(ht, Z_STRVAL_P(offset), Z_STRLEN_P(offset)+1, (void **) &retval) == FAILURE) { + if (type == BP_VAR_W || type == BP_VAR_RW) { + zval *value; + ALLOC_INIT_ZVAL(value); + zend_symtable_update(ht, Z_STRVAL_P(offset), Z_STRLEN_P(offset)+1, (void**)&value, sizeof(void*), NULL); + zend_symtable_find(ht, Z_STRVAL_P(offset), Z_STRLEN_P(offset)+1, (void **) &retval); + return retval; + } else { + zend_error(E_NOTICE, "Undefined index: %s", Z_STRVAL_P(offset)); + return &EG(uninitialized_zval_ptr); + } } else { return retval; } @@ -282,9 +291,17 @@ static zval **spl_array_get_dimension_ptr_ptr(int check_inherited, zval *object, } else { index = Z_LVAL_P(offset); } - if (zend_hash_index_find(spl_array_get_hash_table(intern, 0 TSRMLS_CC), index, (void **) &retval) == FAILURE) { - zend_error(E_NOTICE, "Undefined offset: %ld", Z_LVAL_P(offset)); - return &EG(uninitialized_zval_ptr); + if (zend_hash_index_find(ht, index, (void **) &retval) == FAILURE) { + if (type == BP_VAR_W || type == BP_VAR_RW) { + zval *value; + ALLOC_INIT_ZVAL(value); + zend_hash_index_update(ht, index, (void**)&value, sizeof(void*), NULL); + zend_hash_index_find(ht, index, (void **) &retval); + return retval; + } else { + zend_error(E_NOTICE, "Undefined offset: %ld", Z_LVAL_P(offset)); + return &EG(uninitialized_zval_ptr); + } } else { return retval; } diff --git a/ext/spl/tests/array_026.phpt b/ext/spl/tests/array_026.phpt new file mode 100644 index 0000000000..94642f04b2 --- /dev/null +++ b/ext/spl/tests/array_026.phpt 
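Review bot: In the new `BP_VAR_W`/`BP_VAR_RW` branch of the `IS_STRING` case, the return values of `zend_symtable_update` and of the follow-up `zend_symtable_find` are both ignored. `retval` is declared without an initializer in the context lines of the first hunk, so if either call fails the function hands the caller an indeterminate `zval **` to write through. The update call already takes an out-pointer for the stored slot, so the second lookup can be dropped and the failure checked in one place: `if (zend_symtable_update(ht, Z_STRVAL_P(offset), Z_STRLEN_P(offset)+1, (void**)&value, sizeof(void*), (void **)&retval) == FAILURE) { zval_ptr_dtor(&value); /* return an error slot */ }`. The integer-offset branch in the next hunk has the same pattern with `zend_hash_index_update` / `zend_hash_index_find`. The function body starts and ends outside these hunks, and `type` is presumably a parameter in the truncated signature.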
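Review bot: The notice kept in the new `else` branch of the integer case formats `Z_LVAL_P(offset)` with `%ld`, while the lookup itself uses `index`. The context line `index = Z_LVAL_P(offset);` sits in an `else`, which suggests the other arm (outside this hunk) derives `index` from a non-long offset; in that case the message would read the wrong member of the zval value and print an unrelated number. Using the variable that was actually looked up keeps the diagnostic accurate: `zend_error(E_NOTICE, "Undefined offset: %ld", index);`. It would also help to add a comment on the read-only path, such as `/* shared engine zval: callers must not write through this pointer */`, because `&EG(uninitialized_zval_ptr)` is still returned for every fetch type other than W/RW.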
@@ -0,0 +1,21 @@ +--TEST-- +SPL: ArrayObject indirect offsetGet overwriting EG(uninitialized_zvar_ptr) +--FILE-- + +--EXPECTF-- +Notice: Undefined variable: test3 in %s%earray_026.php on line %d +object(ArrayObject)#%d (1) { + ["d1"]=> + array(2) { + ["d2"]=> + string(5) "hello" + ["d3"]=> + string(5) "world" + } +} +NULL
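Review bot: Judging by the expected output, this test only exercises string keys (`d1`, `d2`, `d3`), so the integer-offset write branch added in `spl_array.c` appears to have no coverage; the `--FILE--` body is not visible in this rendering, so this is inferred from `--EXPECTF--` alone. A second case doing an indirect write through a numeric offset (and one through a float offset) would cover the `zend_hash_index_update` path. The trailing `NULL` after the undefined-variable notice is the assertion that the shared uninitialized zval was not overwritten; a short comment in the test saying so would make that intent clear to later readers. The title line spells the global as `uninitialized_zvar_ptr`, whereas the C code uses `uninitialized_zval_ptr`.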