From: Ilia Alshanetsky
Date: Thu, 8 Jul 2004 17:07:25 +0000 (+0000)
Subject: MFH: Fixed bug #29049 (array sorting via user function/method does not
X-Git-Tag: php-4.3.9RC1~55
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=aaaa6ce403bb0555733924c2bab3cb618a139d8d;p=php
MFH: Fixed bug #29049 (array sorting via user function/method does not validate it).
---
diff --git a/NEWS b/NEWS
index 1cd388a3f3..7bbbabd310 100644
--- a/NEWS
+++ b/NEWS
@@ -4,6 +4,8 @@ PHP 4 NEWS
 - Updated PCRE to provide better error handling in certain cases. (Andrei)
 - NSAPI: added "bucket" parameter to list of non-php.ini-keys of php4_execute for doing performance stats without warnings in server-log. (Uwe Schindler)
+- Fixed bug #29049 (array sorting via user function/method does not validate
+ it). (Ilia)
 - Fixed bug #29034 (wordwrap() returns a boolean when passed empty string). (Ilia)
 - Fixed bug #28963 (Missing space for \0 in address allocation). (Ilia)
diff --git a/ext/standard/array.c b/ext/standard/array.c
index 7052c35778..502b1baa35 100644
--- a/ext/standard/array.c
+++ b/ext/standard/array.c
@@ -543,6 +543,14 @@ static int array_user_compare(const void *a, const void *b TSRMLS_DC)
 }
 }
+/* check is comparison function is valid */
+#define PHP_ARRAY_CMP_FUNC_CHECK(func_name) \
+ if (!zend_is_callable(*func_name, 0, NULL)) { \
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid comparison function."); \
+ BG(user_compare_func_name) = old_compare_func; \
+ RETURN_FALSE; \
+ } \
+
 /* {{{ proto bool usort(array array_arg, string cmp_function) Sort an array by values using a user-defined comparison function */
 PHP_FUNCTION(usort)
@@ -562,6 +570,9 @@ PHP_FUNCTION(usort)
 BG(user_compare_func_name) = old_compare_func;
 RETURN_FALSE;
 }
+
+ PHP_ARRAY_CMP_FUNC_CHECK(BG(user_compare_func_name))
+
 if (zend_hash_sort(target_hash, zend_qsort, array_user_compare, 1 TSRMLS_CC) == FAILURE) {
 BG(user_compare_func_name) = old_compare_func;
 RETURN_FALSE;
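Review bot: PHP_ARRAY_CMP_FUNC_CHECK is defined as a bare `if` block whose closing line still ends in a continuation backslash, so the definition absorbs whatever line follows it (a blank line here) and the macro would capture a following `else` if it were ever used inside an unbraced `if`. Wrapping the body in `do { ... } while (0)` with no trailing backslash after it, and dereferencing as `*(func_name)`, removes both hazards; the three call sites would then need a terminating `;`. The macro also reads the caller's local `old_compare_func` and returns from the calling function, neither of which is visible at the call site, so the comment should state that contract, e.g. `/* check if comparison function is valid; otherwise restores the previous callback and returns FALSE from the caller */`.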
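Review bot: The callable check in usort runs on `BG(user_compare_func_name)` after that global has already been replaced (the assignment sits above this hunk, inferred from the restore lines), so every rejection path has to remember to put `old_compare_func` back. Validating the argument first and assigning the global only once it has passed would keep a rejected value from ever becoming the active comparison callback, and would remove the macro's dependency on the caller's local. The same ordering applies to the uasort and uksort hunks. The call is also written without a terminating `;` and hides an early return, so a short comment above it such as `/* returns FALSE if the callback is not callable */` would help readers. The body of usort starts and ends outside the hunk.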
@@ -590,6 +601,9 @@ PHP_FUNCTION(uasort)
 BG(user_compare_func_name) = old_compare_func;
 RETURN_FALSE;
 }
+
+ PHP_ARRAY_CMP_FUNC_CHECK(BG(user_compare_func_name))
+
 if (zend_hash_sort(target_hash, zend_qsort, array_user_compare, 0 TSRMLS_CC) == FAILURE) {
 BG(user_compare_func_name) = old_compare_func;
 RETURN_FALSE;
@@ -665,6 +679,9 @@ PHP_FUNCTION(uksort)
 BG(user_compare_func_name) = old_compare_func;
 RETURN_FALSE;
 }
+
+ PHP_ARRAY_CMP_FUNC_CHECK(BG(user_compare_func_name))
+
 if (zend_hash_sort(target_hash, zend_qsort, array_user_key_compare, 0 TSRMLS_CC) == FAILURE) {
 BG(user_compare_func_name) = old_compare_func;
 RETURN_FALSE;