From: Dmitry Stogov <dmitry@php.net>
Date: Thu, 19 Jun 2008 12:09:22 +0000 (+0000)
Subject: Fixed bug #45312 (Segmentation fault on second request for array functions).
X-Git-Tag: php-5.2.7RC1~230
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=764f6144d391149682237b6550f4c06d978dfd99;p=php

Fixed bug #45312 (Segmentation fault on second request for array functions).
---

diff --git a/NEWS b/NEWS
index 1eeee9a174..a24c01d94e 100644
--- a/NEWS
+++ b/NEWS
@@ -8,6 +8,8 @@ PHP                                                                        NEWS
   functions. (Andrey)
 - Fixed a bug where exec() on Windows would eat the first and last double quotes
   (Scott)
+- Fixed bug #45312 (Segmentation fault on second request for array functions).
+  (Dmitry)
 - Fixed bug #45251 (double free or corruption with setAttributeNode()). (Rob)
 - Fixed bug #45139 (ReflectionProperty returns incorrect declaring class). (Felipe)
 - Fixed bug #45004 (pg_insert() does not accept 4 digit timezone format).
diff --git a/ext/standard/array.c b/ext/standard/array.c
index fcf9919562..f6b9144a87 100644
--- a/ext/standard/array.c
+++ b/ext/standard/array.c
@@ -667,6 +667,7 @@ PHP_FUNCTION(usort)
 		PHP_ARRAY_CMP_FUNC_RESTORE();
 		WRONG_PARAM_COUNT;
 	}
+
 	target_hash = HASH_OF(*array);
 	if (!target_hash) {
 		php_error_docref(NULL TSRMLS_CC, E_WARNING, "The argument should be an array");
@@ -675,6 +676,7 @@ PHP_FUNCTION(usort)
 	}
 
 	PHP_ARRAY_CMP_FUNC_CHECK(BG(user_compare_func_name))
+	BG(user_compare_fci_cache).initialized = 0;
 	
 	if (zend_hash_sort(target_hash, zend_qsort, array_user_compare, 1 TSRMLS_CC) == FAILURE) {
 		PHP_ARRAY_CMP_FUNC_RESTORE();
@@ -707,6 +709,7 @@ PHP_FUNCTION(uasort)
 	}
 
 	PHP_ARRAY_CMP_FUNC_CHECK(BG(user_compare_func_name))
+	BG(user_compare_fci_cache).initialized = 0;
 
 	if (zend_hash_sort(target_hash, zend_qsort, array_user_compare, 0 TSRMLS_CC) == FAILURE) {
 		PHP_ARRAY_CMP_FUNC_RESTORE();
@@ -790,6 +793,7 @@ PHP_FUNCTION(uksort)
 	}
 
 	PHP_ARRAY_CMP_FUNC_CHECK(BG(user_compare_func_name))
+	BG(user_compare_fci_cache).initialized = 0;
 
 	if (zend_hash_sort(target_hash, zend_qsort, array_user_key_compare, 0 TSRMLS_CC) == FAILURE) {
 		PHP_ARRAY_CMP_FUNC_RESTORE();
@@ -2988,6 +2992,7 @@ static void php_array_intersect_key(INTERNAL_FUNCTION_PARAMETERS, int data_compa
 		efree(callback_name);
 		intersect_data_compare_func = zval_user_compare;
 		BG(user_compare_func_name) = args[argc];
+		BG(user_compare_fci_cache).initialized = 0;
 	} else if (data_compare_type == INTERSECT_COMP_DATA_INTERNAL) {
 		intersect_data_compare_func = zval_compare;
 	}
@@ -3091,6 +3096,7 @@ static void php_array_intersect(INTERNAL_FUNCTION_PARAMETERS, int behavior, int
 			efree(callback_name);
 
 			BG(user_compare_func_name) = args[arr_argc];
+			BG(user_compare_fci_cache).initialized = 0;
 		} else {
 			php_error_docref(NULL TSRMLS_CC, E_WARNING, "data_compare_type is %d. This should never happen. Please report as a bug", data_compare_type);
 			return;
@@ -3152,6 +3158,7 @@ static void php_array_intersect(INTERNAL_FUNCTION_PARAMETERS, int behavior, int
 				intersect_key_compare_func = array_user_key_compare;
 				intersect_data_compare_func = array_data_compare;
 				BG(user_compare_func_name) = args[arr_argc];
+				BG(user_compare_fci_cache).initialized = 0;
 		} else if (data_compare_type == INTERSECT_COMP_DATA_USER
 				&&
 				key_compare_type == INTERSECT_COMP_KEY_USER) {
@@ -3179,6 +3186,7 @@ static void php_array_intersect(INTERNAL_FUNCTION_PARAMETERS, int behavior, int
 				intersect_key_compare_func = array_user_key_compare;
 				intersect_data_compare_func = array_user_compare;
 				BG(user_compare_func_name) = args[arr_argc + 1];/* data - key */
+				BG(user_compare_fci_cache).initialized = 0;
 		} else {
 			efree(args);
 			php_error_docref(NULL TSRMLS_CC, E_WARNING, "data_compare_type is %d. key_compare_type is %d. This should never happen. Please report as a bug", data_compare_type, key_compare_type);
@@ -3237,6 +3245,7 @@ static void php_array_intersect(INTERNAL_FUNCTION_PARAMETERS, int behavior, int
 	if ((behavior & INTERSECT_NORMAL) && data_compare_type == INTERSECT_COMP_DATA_USER) {
 		/* array_uintersect() */
 		BG(user_compare_func_name) = args[arr_argc];
+		BG(user_compare_fci_cache).initialized = 0;
 	}
 	
 	/* go through the lists and look for common values */
@@ -3246,6 +3255,7 @@ static void php_array_intersect(INTERNAL_FUNCTION_PARAMETERS, int behavior, int
 			key_compare_type == INTERSECT_COMP_KEY_USER) {
 
 			BG(user_compare_func_name) = args[argc - 1];
+			BG(user_compare_fci_cache).initialized = 0;
 		}
 
 		for (i = 1; i < arr_argc; i++) {
@@ -3267,11 +3277,13 @@ static void php_array_intersect(INTERNAL_FUNCTION_PARAMETERS, int behavior, int
 					*/ 
 					if (data_compare_type == INTERSECT_COMP_DATA_USER) {
 						BG(user_compare_func_name) = args[arr_argc];
+						BG(user_compare_fci_cache).initialized = 0;
 					}
 				 	if (intersect_data_compare_func(ptrs[0], ptrs[i] TSRMLS_CC) != 0) {
 				 		c = 1;
 				 		if (key_compare_type == INTERSECT_COMP_KEY_USER) {
 				 			BG(user_compare_func_name) = args[argc - 1];
+							BG(user_compare_fci_cache).initialized = 0;
 				 			/* When KEY_USER, the last parameter is always the callback */
 				 		}
 				 		/* we are going to the break */
@@ -3458,6 +3470,7 @@ static void php_array_diff_key(INTERNAL_FUNCTION_PARAMETERS, int data_compare_ty
 		efree(callback_name);
 		diff_data_compare_func = zval_user_compare;
 		BG(user_compare_func_name) = args[argc];
+		BG(user_compare_fci_cache).initialized = 0;
 	} else if (data_compare_type == DIFF_COMP_DATA_INTERNAL) {
 		diff_data_compare_func = zval_compare;
 	}
@@ -3561,6 +3574,7 @@ static void php_array_diff(INTERNAL_FUNCTION_PARAMETERS, int behavior, int data_
 			efree(callback_name);
 
 			BG(user_compare_func_name) = args[arr_argc];
+			BG(user_compare_fci_cache).initialized = 0;
 		} else {
 			php_error_docref(NULL TSRMLS_CC, E_WARNING, "data_compare_type is %d. This should never happen. Please report as a bug", data_compare_type);
 			return;		
@@ -3622,6 +3636,7 @@ static void php_array_diff(INTERNAL_FUNCTION_PARAMETERS, int behavior, int data_
 			diff_key_compare_func = array_user_key_compare;
 			diff_data_compare_func = array_data_compare;
 			BG(user_compare_func_name) = args[arr_argc];
+			BG(user_compare_fci_cache).initialized = 0;
 		} else if (data_compare_type == DIFF_COMP_DATA_USER 
 				&& 
 			key_compare_type == DIFF_COMP_KEY_USER) {
@@ -3649,6 +3664,7 @@ static void php_array_diff(INTERNAL_FUNCTION_PARAMETERS, int behavior, int data_
 			diff_key_compare_func = array_user_key_compare;
 			diff_data_compare_func = array_user_compare;
 			BG(user_compare_func_name) = args[arr_argc + 1];/* data - key*/
+			BG(user_compare_fci_cache).initialized = 0;
 		} else {
 			efree(args);
 			php_error_docref(NULL TSRMLS_CC, E_WARNING, "data_compare_type is %d. key_compare_type is %d. This should never happen. Please report as a bug", data_compare_type, key_compare_type);
@@ -3707,6 +3723,7 @@ static void php_array_diff(INTERNAL_FUNCTION_PARAMETERS, int behavior, int data_
 	if (behavior == DIFF_NORMAL && data_compare_type == DIFF_COMP_DATA_USER) {
 		/* array_udiff() */
 		BG(user_compare_func_name) = args[arr_argc];
+		BG(user_compare_fci_cache).initialized = 0;
 	}
 	
 	/* go through the lists and look for values of ptr[0] that are not in the others */
@@ -3716,6 +3733,7 @@ static void php_array_diff(INTERNAL_FUNCTION_PARAMETERS, int behavior, int data_
 			key_compare_type == DIFF_COMP_KEY_USER) {
 			
 			BG(user_compare_func_name) = args[argc - 1];
+			BG(user_compare_fci_cache).initialized = 0;
 		}
 		c = 1;
 		for (i = 1; i < arr_argc; i++) {
@@ -3743,12 +3761,14 @@ static void php_array_diff(INTERNAL_FUNCTION_PARAMETERS, int behavior, int data_
 					if (*ptr) {
 						if (data_compare_type == DIFF_COMP_DATA_USER) {
 							BG(user_compare_func_name) = args[arr_argc];
+							BG(user_compare_fci_cache).initialized = 0;
 						}
 						if (diff_data_compare_func(ptrs[0], ptr TSRMLS_CC) != 0) {
 							/* the data is not the same */
 							c = -1;
 							if (key_compare_type == DIFF_COMP_KEY_USER) {
 								BG(user_compare_func_name) = args[argc - 1];
+								BG(user_compare_fci_cache).initialized = 0;
 							}
 						} else {
 							break;
diff --git a/ext/standard/tests/array/bug45312.phpt b/ext/standard/tests/array/bug45312.phpt
new file mode 100644
index 0000000000..017defefae
--- /dev/null
+++ b/ext/standard/tests/array/bug45312.phpt
@@ -0,0 +1,40 @@
+--TEST--
+Bug #45312 (Segmentation fault on second request for array functions)
+--FILE--
+<?php
+class cr {
+    private $priv_member;
+    function cr($val) {
+        $this->priv_member = $val;
+    }
+    static function comp_func_cr($a, $b) {
+        if ($a->priv_member === $b->priv_member) return 0;
+        return ($a->priv_member > $b->priv_member) ? 1 : -1;
+    }
+    static function comp_func_cr2($a, $b) {
+    	echo ".";
+        if ($a->priv_member === $b->priv_member) return 0;
+        return ($a->priv_member < $b->priv_member) ? 1 : -1;
+    }
+    function dump() {
+        echo $this->priv_member . "\n";
+    }
+}
+$a = array("0.1" => new cr(9), "0.5" => new cr(12), 0 => new cr(23), 1 => new cr(4), 2 => new cr(-15),);
+$b = array("0.2" => new cr(9), "0.5" => new cr(22), 0 => new cr(3), 1 => new cr(4), 2 => new cr(-15),);
+$result = array_udiff_assoc($a, $b, array("cr", "comp_func_cr"));
+foreach($result as $val) {
+	$val->dump();
+}
+$result = array_udiff_assoc($a, $b, array("cr", "comp_func_cr2"));
+foreach($result as $val) {
+	$val->dump();
+}
+?>
+--EXPECT--
+9
+12
+23
+....9
+12
+23