From: Antony Dovgal <tony2001@php.net>
Date: Wed, 23 Nov 2005 11:55:46 +0000 (+0000)
Subject: MF51: fix #35336 (crash on PDO::FETCH_CLASS + __set())
X-Git-Tag: RELEASE_2_0_2~116
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=9e9a55f9ac6c7f2320d31dace7f8a6577278eb65;p=php

MF51: fix #35336 (crash on PDO::FETCH_CLASS + __set())
---

diff --git a/Zend/zend_API.c b/Zend/zend_API.c
index c96f456757..786868fa05 100644
--- a/Zend/zend_API.c
+++ b/Zend/zend_API.c
@@ -1076,18 +1076,20 @@ static int zend_merge_property(zval **value, int num_args, va_list args, zend_ha
 	if (hash_key->nKeyLength) {
 		zval *obj = va_arg(args, zval *);
 		zend_object_handlers *obj_ht = va_arg(args, zend_object_handlers *);
-		zval member;
+		zval *member;
 		TSRMLS_FETCH();
 
 		if (hash_key->type == IS_STRING) {
-			ZVAL_STRINGL(&member, hash_key->u.string, hash_key->nKeyLength-1, 0);
+			ZVAL_STRINGL(member, hash_key->u.string, hash_key->nKeyLength-1, 0);
 		} else if (hash_key->type == IS_BINARY) {
-			ZVAL_BINARYL(&member, hash_key->u.string, hash_key->nKeyLength-1, 0);
+			ZVAL_BINARYL(member, hash_key->u.string, hash_key->nKeyLength-1, 0);
 		} else if (hash_key->type == IS_UNICODE) {
-			ZVAL_UNICODEL(&member, hash_key->u.unicode, hash_key->nKeyLength-1, 0);
+			ZVAL_UNICODEL(member, hash_key->u.unicode, hash_key->nKeyLength-1, 0);
 		}
 
-		obj_ht->write_property(obj, &member, *value TSRMLS_CC);
+		MAKE_STD_ZVAL(member);
+		obj_ht->write_property(obj, member, *value TSRMLS_CC);
+		zval_ptr_dtor(&member);
 	}
 	return ZEND_HASH_APPLY_KEEP;
 }
@@ -1163,7 +1165,7 @@ ZEND_API void zend_update_class_constants(zend_class_entry *class_type TSRMLS_DC
 					
 					ALLOC_ZVAL(q);
 					*q = **p;
-					INIT_PZVAL(q)
+					INIT_PZVAL(q);
 					zval_copy_ctor(q);
 					zend_u_hash_add(class_type->static_members, utype, str_index, str_length, (void**)&q, sizeof(zval*), NULL);
 				}
@@ -1699,58 +1701,68 @@ ZEND_API int add_get_index_unicodel(zval *arg, ulong index, UChar *str, uint len
 ZEND_API int add_property_long_ex(zval *arg, char *key, uint key_len, long n TSRMLS_DC)
 {
 	zval *tmp;
-	zval z_key;
+	zval *z_key;
 
 	MAKE_STD_ZVAL(tmp);
 	ZVAL_LONG(tmp, n);
-	ZVAL_STRINGL(&z_key, key, key_len-1, 0);
+	
+	MAKE_STD_ZVAL(z_key);
+	ZVAL_STRINGL(z_key, key, key_len-1, 1);
 
-	Z_OBJ_HANDLER_P(arg, write_property)(arg, &z_key, tmp TSRMLS_CC);
+	Z_OBJ_HANDLER_P(arg, write_property)(arg, z_key, tmp TSRMLS_CC);
 	zval_ptr_dtor(&tmp); /* write_property will add 1 to refcount */
+	zval_ptr_dtor(&z_key);
 	return SUCCESS;
 }
 
 ZEND_API int add_property_bool_ex(zval *arg, char *key, uint key_len, int b TSRMLS_DC)
 {
 	zval *tmp;
-	zval z_key;
+	zval *z_key;
 
 	MAKE_STD_ZVAL(tmp);
 	ZVAL_BOOL(tmp, b);
 
-	ZVAL_STRINGL(&z_key, key, key_len-1, 0);
+	MAKE_STD_ZVAL(z_key);
+	ZVAL_STRINGL(z_key, key, key_len-1, 1);
 
-	Z_OBJ_HANDLER_P(arg, write_property)(arg, &z_key, tmp TSRMLS_CC);
+	Z_OBJ_HANDLER_P(arg, write_property)(arg, z_key, tmp TSRMLS_CC);
 	zval_ptr_dtor(&tmp); /* write_property will add 1 to refcount */
+	zval_ptr_dtor(&z_key);
 	return SUCCESS;
 }
 
 ZEND_API int add_property_null_ex(zval *arg, char *key, uint key_len TSRMLS_DC)
 {
 	zval *tmp;
-	zval z_key;
+	zval *z_key;
 	
 	MAKE_STD_ZVAL(tmp);
 	ZVAL_NULL(tmp);
 	
-	ZVAL_STRINGL(&z_key, key, key_len-1, 0);
+	MAKE_STD_ZVAL(z_key);
+	ZVAL_STRINGL(z_key, key, key_len-1, 1);
 
-	Z_OBJ_HANDLER_P(arg, write_property)(arg, &z_key, tmp TSRMLS_CC);
+	Z_OBJ_HANDLER_P(arg, write_property)(arg, z_key, tmp TSRMLS_CC);
 	zval_ptr_dtor(&tmp); /* write_property will add 1 to refcount */
+	zval_ptr_dtor(&z_key);
 	return SUCCESS;
 }
 
 ZEND_API int add_property_resource_ex(zval *arg, char *key, uint key_len, long n TSRMLS_DC)
 {
 	zval *tmp;
-	zval z_key;
+	zval *z_key;
 	
 	MAKE_STD_ZVAL(tmp);
 	ZVAL_RESOURCE(tmp, n);
-	ZVAL_STRINGL(&z_key, key, key_len-1, 0);
 
-	Z_OBJ_HANDLER_P(arg, write_property)(arg, &z_key, tmp TSRMLS_CC);
+	MAKE_STD_ZVAL(z_key);
+	ZVAL_STRINGL(z_key, key, key_len-1, 1);
+
+	Z_OBJ_HANDLER_P(arg, write_property)(arg, z_key, tmp TSRMLS_CC);
 	zval_ptr_dtor(&tmp); /* write_property will add 1 to refcount */
+	zval_ptr_dtor(&z_key);
 	return SUCCESS;
 }
 
@@ -1758,14 +1770,17 @@ ZEND_API int add_property_resource_ex(zval *arg, char *key, uint key_len, long n
 ZEND_API int add_property_double_ex(zval *arg, char *key, uint key_len, double d TSRMLS_DC)
 {
 	zval *tmp;
-	zval z_key;
+	zval *z_key;
 
 	MAKE_STD_ZVAL(tmp);
 	ZVAL_DOUBLE(tmp, d);
-	ZVAL_STRINGL(&z_key, key, key_len-1, 0);
+	
+	MAKE_STD_ZVAL(z_key);
+	ZVAL_STRINGL(z_key, key, key_len-1, 1);
 
-	Z_OBJ_HANDLER_P(arg, write_property)(arg, &z_key, tmp TSRMLS_CC);
+	Z_OBJ_HANDLER_P(arg, write_property)(arg, z_key, tmp TSRMLS_CC);
 	zval_ptr_dtor(&tmp); /* write_property will add 1 to refcount */
+	zval_ptr_dtor(&z_key);
 	return SUCCESS;
 }
 
@@ -1773,100 +1788,113 @@ ZEND_API int add_property_double_ex(zval *arg, char *key, uint key_len, double d
 ZEND_API int add_property_string_ex(zval *arg, char *key, uint key_len, char *str, int duplicate TSRMLS_DC)
 {
 	zval *tmp;
-	zval z_key;
+	zval *z_key;
 
 	MAKE_STD_ZVAL(tmp);
 	ZVAL_STRING(tmp, str, duplicate);
 
-	ZVAL_STRINGL(&z_key, key, key_len-1, 0);
+	MAKE_STD_ZVAL(z_key);
+	ZVAL_STRINGL(z_key, key, key_len-1, 1);
 
-	Z_OBJ_HANDLER_P(arg, write_property)(arg, &z_key, tmp TSRMLS_CC);
+	Z_OBJ_HANDLER_P(arg, write_property)(arg, z_key, tmp TSRMLS_CC);
 	zval_ptr_dtor(&tmp); /* write_property will add 1 to refcount */
+	zval_ptr_dtor(&z_key);
 	return SUCCESS;
 }
 
 ZEND_API int add_property_stringl_ex(zval *arg, char *key, uint key_len, char *str, uint length, int duplicate TSRMLS_DC)
 {
 	zval *tmp;
-	zval z_key;
+	zval *z_key;
 
 	MAKE_STD_ZVAL(tmp);
 	ZVAL_STRINGL(tmp, str, length, duplicate);
 
-	ZVAL_STRINGL(&z_key, key, key_len-1, 0);
+	MAKE_STD_ZVAL(z_key);
+	ZVAL_STRINGL(z_key, key, key_len-1, 1);
 
-	Z_OBJ_HANDLER_P(arg, write_property)(arg, &z_key, tmp TSRMLS_CC);
+	Z_OBJ_HANDLER_P(arg, write_property)(arg, z_key, tmp TSRMLS_CC);
 	zval_ptr_dtor(&tmp); /* write_property will add 1 to refcount */
+	zval_ptr_dtor(&z_key);
 	return SUCCESS;
 }
 
 ZEND_API int add_property_ascii_string_ex(zval *arg, char *key, uint key_len, char *str, int duplicate TSRMLS_DC)
 {
 	zval *tmp;
-	zval z_key;
+	zval *z_key;
 
 	MAKE_STD_ZVAL(tmp);
 	ZVAL_ASCII_STRING(tmp, str, duplicate);
 
-	ZVAL_STRINGL(&z_key, key, key_len-1, 0);
+	MAKE_STD_ZVAL(z_key);
+	ZVAL_STRINGL(z_key, key, key_len-1, 1);
 
-	Z_OBJ_HANDLER_P(arg, write_property)(arg, &z_key, tmp TSRMLS_CC);
+	Z_OBJ_HANDLER_P(arg, write_property)(arg, z_key, tmp TSRMLS_CC);
 	zval_ptr_dtor(&tmp); /* write_property will add 1 to refcount */
+	zval_ptr_dtor(&z_key);
 	return SUCCESS;
 }
 
 ZEND_API int add_property_ascii_stringl_ex(zval *arg, char *key, uint key_len, char *str, uint length, int duplicate TSRMLS_DC)
 {
 	zval *tmp;
-	zval z_key;
+	zval *z_key;
 
 	MAKE_STD_ZVAL(tmp);
 	ZVAL_ASCII_STRINGL(tmp, str, length, duplicate);
 
-	ZVAL_STRINGL(&z_key, key, key_len-1, 0);
+	MAKE_STD_ZVAL(z_key);
+	ZVAL_STRINGL(z_key, key, key_len-1, 1);
 
-	Z_OBJ_HANDLER_P(arg, write_property)(arg, &z_key, tmp TSRMLS_CC);
+	Z_OBJ_HANDLER_P(arg, write_property)(arg, z_key, tmp TSRMLS_CC);
 	zval_ptr_dtor(&tmp); /* write_property will add 1 to refcount */
+	zval_ptr_dtor(&z_key);
 	return SUCCESS;
 }
 
 ZEND_API int add_property_rt_string_ex(zval *arg, char *key, uint key_len, char *str, int duplicate TSRMLS_DC)
 {
 	zval *tmp;
-	zval z_key;
+	zval *z_key;
 
 	MAKE_STD_ZVAL(tmp);
 	ZVAL_RT_STRING(tmp, str, duplicate);
 
-	ZVAL_STRINGL(&z_key, key, key_len-1, 0);
+	MAKE_STD_ZVAL(z_key);
+	ZVAL_STRINGL(z_key, key, key_len-1, 1);
 
-	Z_OBJ_HANDLER_P(arg, write_property)(arg, &z_key, tmp TSRMLS_CC);
+	Z_OBJ_HANDLER_P(arg, write_property)(arg, z_key, tmp TSRMLS_CC);
 	zval_ptr_dtor(&tmp); /* write_property will add 1 to refcount */
+	zval_ptr_dtor(&z_key);
 	return SUCCESS;
 }
 
 ZEND_API int add_property_rt_stringl_ex(zval *arg, char *key, uint key_len, char *str, uint length, int duplicate TSRMLS_DC)
 {
 	zval *tmp;
-	zval z_key;
+	zval *z_key;
 
 	MAKE_STD_ZVAL(tmp);
 	ZVAL_RT_STRINGL(tmp, str, length, duplicate);
 
-	ZVAL_STRINGL(&z_key, key, key_len-1, 0);
+	MAKE_STD_ZVAL(z_key);
+	ZVAL_STRINGL(z_key, key, key_len-1, 1);
 
-	Z_OBJ_HANDLER_P(arg, write_property)(arg, &z_key, tmp TSRMLS_CC);
+	Z_OBJ_HANDLER_P(arg, write_property)(arg, z_key, tmp TSRMLS_CC);
 	zval_ptr_dtor(&tmp); /* write_property will add 1 to refcount */
+	zval_ptr_dtor(&z_key);
 	return SUCCESS;
 }
 
 ZEND_API int add_property_zval_ex(zval *arg, char *key, uint key_len, zval *value TSRMLS_DC)
 {
-	zval z_key;
+	zval *z_key;
 
-	ZVAL_STRINGL(&z_key, key, key_len-1, 0);
+	ZVAL_STRINGL(z_key, key, key_len-1, 1);
 
-	Z_OBJ_HANDLER_P(arg, write_property)(arg, &z_key, value TSRMLS_CC);
+	Z_OBJ_HANDLER_P(arg, write_property)(arg, z_key, value TSRMLS_CC);
+	zval_ptr_dtor(&z_key);
 	return SUCCESS;
 }
 
@@ -3098,7 +3126,7 @@ ZEND_API int zend_declare_class_constant_string(zend_class_entry *ce, char *name
 
 ZEND_API void zend_update_property(zend_class_entry *scope, zval *object, char *name, int name_length, zval *value TSRMLS_DC)
 {
-	zval property;
+	zval *property;
 	zend_class_entry *old_scope = EG(scope);
 	
 	EG(scope) = scope;
@@ -3111,8 +3139,10 @@ ZEND_API void zend_update_property(zend_class_entry *scope, zval *object, char *
 		
 		zend_error(E_CORE_ERROR, "Property %s of class %v cannot be updated", name, class_name);
 	}
-	ZVAL_STRINGL(&property, name, name_length, 0);
-	Z_OBJ_HT_P(object)->write_property(object, &property, value TSRMLS_CC);
+	MAKE_STD_ZVAL(property);
+	ZVAL_STRINGL(property, name, name_length, 1);
+	Z_OBJ_HT_P(object)->write_property(object, property, value TSRMLS_CC);
+	zval_ptr_dtor(&property);
 
 	EG(scope) = old_scope;
 }