From: Antony Dovgal Date: Wed, 26 Jul 2006 08:03:48 +0000 (+0000) Subject: MFH: fix bug #38217 (ReflectionClass::newInstanceArgs() tries to allocate too much... X-Git-Tag: php-5.2.0RC2~208 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=65626296dab1ad4748653b4e418615c16d84d49a;p=php MFH: fix bug #38217 (ReflectionClass::newInstanceArgs() tries to allocate too much memory) --- diff --git a/NEWS b/NEWS index 7dfe2412e0..8c0b3446a6 100644 --- a/NEWS +++ b/NEWS @@ -9,6 +9,8 @@ PHP NEWS . ext/filepro (Derick, Tony) . ext/hwapi (Derick, Tony) +- Fixed bug #38217 (ReflectionClass::newInstanceArgs() tries to allocate too + much memory). (Tony) - Fixed bug #38194 (ReflectionClass::isSubclassOf() returns TRUE for the class itself). (Ilia) - Fixed bug #38132 (ReflectionClass::getStaticProperties() retains \0 in key diff --git a/ext/reflection/php_reflection.c b/ext/reflection/php_reflection.c index 20de73ce09..d6a5f909ed 100644 --- a/ext/reflection/php_reflection.c +++ b/ext/reflection/php_reflection.c @@ -3394,7 +3394,7 @@ ZEND_METHOD(reflection_class, newInstanceArgs) zval *retval_ptr; reflection_object *intern; zend_class_entry *ce; - int argc; + int argc = 0; HashTable *args; @@ -3404,11 +3404,13 @@ ZEND_METHOD(reflection_class, newInstanceArgs) if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "|h", &args) == FAILURE) { return; } - argc = args->nNumOfElements; + if (ZEND_NUM_ARGS() > 0) { + argc = args->nNumOfElements; + } /* Run the constructor if there is one */ if (ce->constructor) { - zval ***params; + zval ***params = NULL; zend_fcall_info fci; zend_fcall_info_cache fcc; 
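Review bot: `HashTable *args;` in the declaration block of the first php_reflection.c hunk is still left without an initializer, although this commit gives `argc` and, further down, `params` explicit initial values. With the optional `|h` spec the pointer is apparently not written when the argument is omitted, which is why the guard in the next hunk has to consult `ZEND_NUM_ARGS()` before reading `args->nNumOfElements`. Declaring `HashTable *args = NULL;` and testing `if (args) { argc = args->nNumOfElements; }` would tie the guard to the pointer that is actually dereferenced, so a later change to the parameter spec is less likely to bring back a read through an indeterminate pointer. The function body starts before and continues after these hunks.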
@@ -3416,10 +3418,12 @@ ZEND_METHOD(reflection_class, newInstanceArgs) zend_throw_exception_ex(reflection_exception_ptr, 0 TSRMLS_CC, "Access to non-public constructor of class %s", ce->name); return; } - - params = safe_emalloc(sizeof(zval **), argc, 0); - zend_hash_apply_with_argument(args, (apply_func_arg_t)_zval_array_to_c_array, ¶ms TSRMLS_CC); - params -= argc; + + if (argc) { + params = safe_emalloc(sizeof(zval **), argc, 0); + zend_hash_apply_with_argument(args, (apply_func_arg_t)_zval_array_to_c_array, ¶ms TSRMLS_CC); + params -= argc; + } object_init_ex(return_value, ce); @@ -3439,7 +3443,9 @@ ZEND_METHOD(reflection_class, newInstanceArgs) fcc.object_pp = &return_value; if (zend_call_function(&fci, &fcc TSRMLS_CC) == FAILURE) { - efree(params); + if (params) { + efree(params); + } zval_ptr_dtor(&retval_ptr); zend_error(E_WARNING, "Invocation of %s's constructor failed", ce->name); RETURN_NULL(); @@ -3447,7 +3453,9 @@ ZEND_METHOD(reflection_class, newInstanceArgs) if (retval_ptr) { zval_ptr_dtor(&retval_ptr); } - efree(params); + if (params) { + efree(params); + } } else if (!ZEND_NUM_ARGS()) { object_init_ex(return_value, ce); } else { diff --git a/ext/reflection/tests/bug38217.phpt b/ext/reflection/tests/bug38217.phpt new file mode 100644 index 0000000000..55e0c46644 --- /dev/null +++ b/ext/reflection/tests/bug38217.phpt @@ -0,0 +1,40 @@ +--TEST-- +#38217 (ReflectionClass::newInstanceArgs() tries to allocate too much memory) +--FILE-- +newInstanceArgs()); + +class Object1 { + public function __construct($var) { + var_dump($var); + } +} + +$class= new ReflectionClass('Object1'); +var_dump($class->newInstanceArgs()); +var_dump($class->newInstanceArgs(array('test'))); + + +echo "Done\n"; +?> +--EXPECTF-- +object(Object)#%d (0) { +} + +Warning: Missing argument 1 for Object1::__construct() in %s on line %d + +Notice: Undefined variable: var in %s on line %d +NULL +object(Object1)#%d (0) { +} +string(4) "test" +object(Object1)#%d (0) { +} +Done
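Review bot: The `params -= argc;` rewind inside the new `if (argc)` block has no comment, and its correctness depends on `_zval_array_to_c_array` advancing the pointer exactly once per element, which is not visible in this hunk. A line such as `/* the callback advanced params once per element; rewind so efree() later receives the pointer safe_emalloc() returned */` would make that invariant explicit. It is also worth stating there that a NULL `params` with `argc == 0` is the intended state for a call without arguments, since the code that consumes `params` lies outside the hunk.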
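Review bot: On the `FAILURE` path `zval_ptr_dtor(&retval_ptr);` is still called unconditionally, while the success path in the following hunk guards the same call with `if (retval_ptr)`. `retval_ptr` is declared without an initializer in the first hunk's context, so if `zend_call_function()` can fail before storing a return value (not visible here), the destructor would run on an indeterminate pointer. Since the commit already makes the `params` cleanup NULL-safe on both paths, the same treatment fits here: `zval *retval_ptr = NULL;` at the declaration and `if (retval_ptr) { zval_ptr_dtor(&retval_ptr); }` in the failure branch. The enclosing function starts and ends outside the hunk.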
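Review bot: The visible test calls `newInstanceArgs()` with no argument and with `array('test')`, but never with an empty array, which is the one input where `ZEND_NUM_ARGS() > 0` holds while `argc` stays 0 and the constructor is invoked with `params` left NULL. Adding `var_dump($class->newInstanceArgs(array()));` with its matching `--EXPECTF--` lines would pin that path against regressions. The opening of the `--FILE--` section is not intact on this page, so the first class under test cannot be checked from here.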