From: Antony Dovgal Date: Mon, 22 Jan 2007 08:16:36 +0000 (+0000) Subject: fix #40191 (use of array_unique() with objects triggers segfault) X-Git-Tag: RELEASE_1_0_0RC1~155 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=d181d3a0b34b348ba429ba9665bb93e44eacac99;p=php fix #40191 (use of array_unique() with objects triggers segfault)
---
diff --git a/ext/standard/array.c b/ext/standard/array.c
index a2514c3c38..9eea074fd0 100644
--- a/ext/standard/array.c
+++ b/ext/standard/array.c
@@ -2846,7 +2846,7 @@ PHP_FUNCTION(array_change_key_case)
 Removes duplicate values from array */
 PHP_FUNCTION(array_unique)
 {
- zval *array;
+ zval **array, *tmp;
 HashTable *target_hash;
 Bucket *p;
 struct bucketindex {
@@ -2856,14 +2856,18 @@ PHP_FUNCTION(array_unique)
 struct bucketindex *arTmp, *cmpdata, *lastkept;
 unsigned int i;
- if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "a", &array) == FAILURE) {
+ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "Z", &array) == FAILURE) {
 return;
 }
- target_hash = HASH_OF(array);
+ target_hash = HASH_OF(*array);
+ if (!target_hash) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "The argument should be an array");
+ RETURN_FALSE;
+ }
- /* copy the argument array */
- RETVAL_ZVAL(array, 1, 0);
+ array_init(return_value);
+ zend_hash_copy(Z_ARRVAL_P(return_value), target_hash, (copy_ctor_func_t) zval_add_ref, (void *)&tmp, sizeof(zval*));
 if (target_hash->nNumOfElements <= 1) { /* nothing to do */
 return;
diff --git a/ext/standard/tests/array/bug40191.phpt b/ext/standard/tests/array/bug40191.phpt
new file mode 100644
index 0000000000..d17660e539
--- /dev/null
+++ b/ext/standard/tests/array/bug40191.phpt
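Review bot: In the second hunk, the `"Z"` specifier followed by `HASH_OF(*array)` accepts any object, not just arrays and array-like objects, and the added `if (!target_hash)` check only rejects values that have no hash table at all. For an ordinary object HASH_OF resolves to its property table, so the values copied into `return_value` would presumably include non-public properties; if only arrays and array-backed objects are meant to be accepted, the type should be tested before the table is used, and the warning text `"The argument should be an array"` should say what is actually accepted. The removed `/* copy the argument array */` comment has no successor: a line such as `/* return_value must be a real array, the argument may be an object */` above `array_init(return_value);` would record why the zval is no longer copied. The body of array_unique continues past the end of the hunk, so how the copied table is used afterwards is not visible here.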
@@ -0,0 +1,31 @@
+--TEST--
+Bug #40191 (use of array_unique() with objects triggers segfault)
+--FILE--
+append('foo');
+$arrObj->append('bar');
+$arrObj->append('foo');
+
+$arr = array_unique($arrObj);
+var_dump($arr);
+
+echo "Done\n";
+?>
+--EXPECTF--
+array(2) {
+ [0]=>
+ string(3) "foo"
+ [1]=>
+ string(3) "bar"
+}
+Done
+--UEXPECTF--
+array(2) {
+ [0]=>
+ unicode(3) "foo"
+ [1]=>
+ unicode(3) "bar"
+}
+Done
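Review bot: The test covers only the object case that used to crash; the new rejection branch in array.c (`E_WARNING` plus a `false` return when the argument has no hash table) is not exercised by any visible line. One extra call such as `var_dump(array_unique(1));`, with the matching warning line and `bool(false)` added to both `--EXPECTF--` and `--UEXPECTF--`, would pin that path. The `--FILE--` section appears truncated on this page, so this is based on the visible lines only.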