From: Xinchen Hui
Date: Thu, 5 May 2016 07:18:17 +0000 (+0800)
Subject: Fixed bug #72154 (pcntl_wait/pcntl_waitpid array internal structure overwrite)
X-Git-Tag: php-7.0.7RC1~21
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=c15b6134f612948af39c9889b599a8c57e6bdad6;p=php
Fixed bug #72154 (pcntl_wait/pcntl_waitpid array internal structure overwrite)
---
diff --git a/NEWS b/NEWS
index d45eb32438..d0bce0e548 100644
--- a/NEWS
+++ b/NEWS
@@ -31,6 +31,10 @@ PHP NEWS
 . Fixed bug #71600 (oci_fetch_all segfaults when selecting more than eight columns). (Tian Yang)
+- PCNTL:
+ . Fixed bug #72154 (pcntl_wait/pcntl_waitpid array internal structure
+ overwrite). (Laruence)
+
 - Opcache:
 . Fixed bug #72014 (Including a file with anonymous classes multiple times leads to fatal error). (Laruence)
diff --git a/ext/pcntl/pcntl.c b/ext/pcntl/pcntl.c
index 230cdf443c..ef3c7fbe3d 100644
--- a/ext/pcntl/pcntl.c
+++ b/ext/pcntl/pcntl.c
@@ -624,12 +624,11 @@ PHP_FUNCTION(pcntl_waitpid)
 struct rusage rusage;
 #endif
- if (zend_parse_parameters(ZEND_NUM_ARGS(), "lz/|lz/", &pid, &z_status, &options, &z_rusage) == FAILURE)
+ if (zend_parse_parameters(ZEND_NUM_ARGS(), "lz/|lz/", &pid, &z_status, &options, &z_rusage) == FAILURE) {
 return;
+ }
- convert_to_long_ex(z_status);
-
- status = Z_LVAL_P(z_status);
+ status = zval_get_long(z_status);
 #ifdef HAVE_WAIT4
 if (z_rusage) {
@@ -659,7 +658,8 @@ PHP_FUNCTION(pcntl_waitpid)
 }
 #endif
- Z_LVAL_P(z_status) = status;
+ zval_dtor(z_status);
+ ZVAL_LONG(z_status, status);
 RETURN_LONG((zend_long) child_id);
 }
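Review bot: In the pcntl_waitpid hunk at -624, `status = zval_get_long(z_status);` now reads the caller's variable without converting it, but nothing says what that value is for; the same line appears in the pcntl_wait hunk at -677. zval_get_long accepts any type, so an array or string passed as the status argument is silently reduced to an integer seed. Since the wait call itself is outside both hunks, I assume the seed only matters when the call leaves status untouched; a comment such as `/* in/out: only the integer value is read here, the variable is rewritten after the wait call */` would make that explicit. Both function bodies start and end outside these hunks.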
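Review bot: The write-back in the pcntl_waitpid hunk at -659, `zval_dtor(z_status); ZVAL_LONG(z_status, status);`, carries no comment explaining why the old direct `Z_LVAL_P(z_status) = status` was unsafe, and the identical pair in the pcntl_wait hunk at -711 has the same gap. Judging by the bug title and the z_rusage handling visible in the earlier hunks, z_status can hold a non-integer (an array, probably when both by-reference arguments name the same variable) by the time this line runs, so storing only the long payload left the type tag stale. I would add `/* z_status may no longer be a long here (bug #72154): release the old value, then set value and type together */` above both pairs so a later cleanup does not fold them back into a bare Z_LVAL_P store.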
@@ -677,12 +677,11 @@ PHP_FUNCTION(pcntl_wait)
 struct rusage rusage;
 #endif
- if (zend_parse_parameters(ZEND_NUM_ARGS(), "z/|lz/", &z_status, &options, &z_rusage) == FAILURE)
+ if (zend_parse_parameters(ZEND_NUM_ARGS(), "z/|lz/", &z_status, &options, &z_rusage) == FAILURE) {
 return;
+ }
- convert_to_long_ex(z_status);
-
- status = Z_LVAL_P(z_status);
+ status = zval_get_long(z_status);
 #ifdef HAVE_WAIT3
 if (z_rusage) {
 if (Z_TYPE_P(z_rusage) != IS_ARRAY) {
@@ -711,7 +710,9 @@ PHP_FUNCTION(pcntl_wait)
 PHP_RUSAGE_TO_ARRAY(rusage, z_rusage);
 }
 #endif
- Z_LVAL_P(z_status) = status;
+
+ zval_dtor(z_status);
+ ZVAL_LONG(z_status, status);
 RETURN_LONG((zend_long) child_id);
 }
diff --git a/ext/pcntl/tests/bug72154.phpt b/ext/pcntl/tests/bug72154.phpt
new file mode 100644
index 0000000000..6bbbd4c5f0
--- /dev/null
+++ b/ext/pcntl/tests/bug72154.phpt
@@ -0,0 +1,21 @@
+--TEST--
+Bug #72154 (pcntl_wait/pcntl_waitpid array internal structure overwrite)
+--SKIPIF--
+
+--FILE--
+
+--EXPECT--
+int(666)
+int(666)