From: Dmitry Stogov
Date: Tue, 11 May 2010 11:59:13 +0000 (+0000)
Subject: Fixed a possible memory corruption in substr_replace()
X-Git-Tag: php-5.3.3RC1~187
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=57f8649eac065ef6f43646e0df6a8610032ef131;p=php
Fixed a possible memory corruption in substr_replace()
---
diff --git a/NEWS b/NEWS
index 689977e133..d754a30d68 100644
--- a/NEWS
+++ b/NEWS
@@ -26,6 +26,8 @@ PHP NEWS
 - Fixed a possible memory corruption because of unexpected call-time pass by refernce and following memory clobbering through callbacks. Reported by Stefan Esser (Dmitry)
+- Fixed a possible memory corruption in substr_replace(). Reported by Stefan
+ Esser (Dmitry)
 - Fixed a possible memory corruption in addcslashes(). Reported by Stefan Esser (Dmitry)
 - Fixed a possible stack exhaustion inside fnmatch(). Reported by Stefan
diff --git a/ext/standard/string.c b/ext/standard/string.c
index 88b8099683..faad22de52 100644
--- a/ext/standard/string.c
+++ b/ext/standard/string.c
@@ -2219,12 +2219,21 @@ PHP_FUNCTION(substr_replace)
 }
 if (Z_TYPE_PP(str) != IS_ARRAY) {
+ if (Z_ISREF_PP(str)) {
+ SEPARATE_ZVAL(str);
+ }
 convert_to_string_ex(str);
 }
 if (Z_TYPE_PP(repl) != IS_ARRAY) {
+ if (Z_ISREF_PP(repl)) {
+ SEPARATE_ZVAL(repl);
+ }
 convert_to_string_ex(repl);
 }
 if (Z_TYPE_PP(from) != IS_ARRAY) {
+ if (Z_ISREF_PP(from)) {
+ SEPARATE_ZVAL(from);
+ }
 convert_to_long_ex(from);
 }
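Review bot: The three new `Z_ISREF_PP` guards sit only inside the `!= IS_ARRAY` branches, so an argument that is both an array and a reference is still used unseparated. The rest of PHP_FUNCTION(substr_replace) lies outside this hunk, but if it converts array elements in place, a conversion that runs user code could presumably still change `str`, `repl` or `from` while they are being read. Moving each guard ahead of its type test, e.g. `if (Z_ISREF_PP(str)) { SEPARATE_ZVAL(str); }` before `if (Z_TYPE_PP(str) != IS_ARRAY) {`, would cover both cases. The `len` argument is not visible here and should be checked for the same treatment. A short comment on the first guard, such as `/* separate references: the conversion may call user code that modifies the other arguments */`, would record why the copy is needed.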