From: Dmitry Stogov Date: Thu, 7 Apr 2011 14:52:30 +0000 (+0000) Subject: Fixed bug #54323 (Accessing unset()'ed ArrayObject's property causes crash) X-Git-Tag: php-5.4.0alpha1~191^2~77 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=77ed819430ed74c5b0bb5e13294c74d39f17b774;p=php Fixed bug #54323 (Accessing unset()'ed ArrayObject's property causes crash) --- diff --git a/ext/spl/spl_array.c b/ext/spl/spl_array.c index 20aaf464a6..ed87df36ca 100755 --- a/ext/spl/spl_array.c +++ b/ext/spl/spl_array.c @@ -513,7 +513,34 @@ static void spl_array_unset_dimension_ex(int check_inherited, zval *object, zval } else { if (zend_symtable_del(ht, Z_STRVAL_P(offset), Z_STRLEN_P(offset)+1) == FAILURE) { zend_error(E_NOTICE,"Undefined index: %s", Z_STRVAL_P(offset)); - } + } else { + spl_array_object *obj = intern; + + while (1) { + if ((obj->ar_flags & SPL_ARRAY_IS_SELF) != 0) { + break; + } else if (Z_TYPE_P(obj->array) == IS_OBJECT) { + if ((obj->ar_flags & SPL_ARRAY_USE_OTHER) == 0) { + obj = (spl_array_object*)zend_object_store_get_object(obj->array TSRMLS_CC); + break; + } else { + obj = (spl_array_object*)zend_object_store_get_object(obj->array TSRMLS_CC); + } + } else { + obj = NULL; + break; + } + } + if (obj) { + zend_property_info *property_info = zend_get_property_info(obj->std.ce, offset, 1 TSRMLS_CC); + + if (property_info && + (property_info->flags & ZEND_ACC_STATIC) == 0 && + property_info->offset >= 0) { + obj->std.properties_table[property_info->offset] = NULL; + } + } + } } break; case IS_DOUBLE: diff --git a/ext/spl/tests/bug54323.phpt b/ext/spl/tests/bug54323.phpt new file mode 100644 index 0000000000..35a16a4637 --- /dev/null +++ b/ext/spl/tests/bug54323.phpt @@ -0,0 +1,24 @@ +--TEST-- +Bug #54323 (Accessing unset()'ed ArrayObject's property causes crash) +--FILE-- +$value) { + } + unset($ao['prop']); + var_dump($c->prop, $ao['prop']); +} +--EXPECTF-- +Notice: Undefined property: C::$prop in %sbug54323.php on line 14 + +Notice: Undefined index: prop in %sbug54323.php on line 14 +NULL +NULL