From: Dmitry Stogov
Date: Wed, 20 Aug 2014 18:06:15 +0000 (+0400)
Subject: Fixed bug #67874 (Crash in array_map())
X-Git-Tag: PRE_64BIT_BRANCH_MERGE~21
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=cf09bc7825fc38a49b878beb9e73093aa0b7cf7e;p=php

Fixed bug #67874 (Crash in array_map())
---
diff --git a/Zend/tests/bug67874.phpt b/Zend/tests/bug67874.phpt
new file mode 100644
index 0000000000..d851c9a4c1
--- /dev/null
+++ b/Zend/tests/bug67874.phpt
@@ -0,0 +1,14 @@
+--TEST--
+Bug #67874 Crash in array_map()
+--FILE--
+
+--EXPECT--
+array(1) {
+ [0]=>
+ int(1)
+}
diff --git a/ext/standard/array.c b/ext/standard/array.c
index b503162b86..39526c25b7 100644
--- a/ext/standard/array.c
+++ b/ext/standard/array.c
@@ -4438,7 +4438,7 @@ PHP_FUNCTION(array_map)
 if (n_arrays == 1) {
 ulong num_key;
 zend_string *str_key;
- zval *zv;
+ zval *zv, arg;
 if (Z_TYPE(arrays[0]) != IS_ARRAY) {
 php_error_docref(NULL TSRMLS_CC, E_WARNING, "Argument #%d should be an array", 2);
@@ -4457,20 +4457,18 @@ PHP_FUNCTION(array_map)
 ZEND_HASH_FOREACH_KEY_VAL(Z_ARRVAL(arrays[0]), num_key, str_key, zv) {
 fci.retval = &result;
 fci.param_count = 1;
- fci.params = zv;
+ fci.params = &arg;
 fci.no_separation = 0;
- if (Z_REFCOUNTED_P(zv)) {
- Z_ADDREF_P(zv);
- }
+ ZVAL_COPY(&arg, zv);
 if (zend_call_function(&fci, &fci_cache TSRMLS_CC) != SUCCESS || Z_TYPE(result) == IS_UNDEF) {
 php_error_docref(NULL TSRMLS_CC, E_WARNING, "An error occurred while invoking the map callback");
 zval_dtor(return_value);
- zval_ptr_dtor(zv);
+ zval_ptr_dtor(&arg);
 RETURN_NULL();
 } else {
- zval_ptr_dtor(zv);
+ zval_ptr_dtor(&arg);
 }
 if (str_key) {
 zend_hash_add_new(Z_ARRVAL_P(return_value), str_key, &result);
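Review bot: The new `ZVAL_COPY(&arg, zv);` inside the `ZEND_HASH_FOREACH_KEY_VAL` loop of ext/standard/array.c has no comment explaining why the callback must not receive `zv` itself, so a later cleanup could pass the hash slot pointer again and bring the crash back. Presumably the callback can modify or free `arrays[0]` while it runs, which would leave `zv` dangling by the time the old code reached `zval_ptr_dtor(zv)`. If that is the cause, I would add `/* pass a copy: the callback may change arrays[0] and invalidate zv */` directly above the copy. The branch taken when `n_arrays` is not 1 lies outside this hunk and should be checked for the same habit of handing the callback pointers into the source hash tables. The loop body also continues past the end of the hunk.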