From: Dmitry Stogov
Date: Tue, 11 May 2010 10:41:19 +0000 (+0000)
Subject: Fixed a possible memory corruption because of unexpected call-time pass by reference...
X-Git-Tag: php-5.3.3RC1~188
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=5b18acdcc917e93ef9470119c034210ad0129de8;p=php

Fixed a possible memory corruption because of unexpected call-time pass by reference and following memory clobbering through callbacks.

---

diff --git a/NEWS b/NEWS index 052dd8f06f..689977e133 100644 --- a/NEWS +++ b/NEWS @@ -23,6 +23,9 @@ PHP NEWS - Fixed very rare memory leak in mysqlnd, when binding thousands of columns. (Andrey) +- Fixed a possible memory corruption because of unexpected call-time pass by + refernce and following memory clobbering through callbacks. + Reported by Stefan Esser (Dmitry) - Fixed a possible memory corruption in addcslashes(). Reported by Stefan Esser (Dmitry) - Fixed a possible stack exhaustion inside fnmatch(). Reported by Stefan diff --git a/Zend/zend_API.c b/Zend/zend_API.c index 0b9823a989..49464705da 100644 --- a/Zend/zend_API.c +++ b/Zend/zend_API.c @@ -412,6 +412,12 @@ static char *zend_parse_arg_impl(int arg_num, zval **arg, va_list *va, char **sp case IS_DOUBLE: case IS_BOOL: convert_to_string_ex(arg); + if (UNEXPECTED(Z_ISREF_PP(arg) != 0)) { + /* it's dangerous to return pointers to string + buffer of referenced variable, because it can + be clobbered throug magic callbacks */ + SEPARATE_ZVAL(arg); + } *p = Z_STRVAL_PP(arg); *pl = Z_STRLEN_PP(arg); break;
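Review bot: the NEWS hunk repeats the subject line's typo on its second added line, "pass by + refernce", which should read "pass by reference" so the changelog entry can be found by searching for the term; the entry otherwise matches the surrounding format (wrapped continuation line, reporter and author in parentheses), and a spelling fix in the same commit would avoid a follow-up touching NEWS alone.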
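Review bot: in the zend_API.c hunk the separation guards only the path that has just run convert_to_string_ex(), and the three context lines show just the IS_DOUBLE and IS_BOOL labels; please confirm that an argument already of string type reaches this same SEPARATE_ZVAL, because that is the common case for a caller holding a reference, and the hazard the comment describes (a magic callback freeing or resizing the buffer that *p and *pl still point into) does not depend on a conversion having happened. The new comment also has a typo, "throug" should be "through", and inside UNEXPECTED() the explicit "!= 0" is redundant with the surrounding code's usual style of testing Z_ISREF_PP(arg) directly.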