From: Sascha Schumann Date: Tue, 9 Jan 2001 05:49:37 +0000 (+0000) Subject: php_add_var_hash() uses sizeof(id) in the calls to zend_hash_*, implying X-Git-Tag: php-4.0.5RC1~658 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=dbb3402c0fedeef81b3e90790892c6018250f8fb;p=php php_add_var_hash() uses sizeof(id) in the calls to zend_hash_*, implying that all bytes in the character array have been set (they are used to compute the hash value using hashpjw). The function assumes that sprintf's %p modifier would always prefix the output with "0x". On HPUX, this is not the case. Hence, not all bytes may be properly initialized before being read. This has been addressed by using only initialized bytes as the key.
---
diff --git a/ext/standard/var.c b/ext/standard/var.c
index f7259b702b..8a773ac407 100644
--- a/ext/standard/var.c
+++ b/ext/standard/var.c
@@ -161,7 +161,7 @@ inline int php_add_var_hash(HashTable *var_hash, zval *var, void *var_old) {
 snprintf(id,sizeof(id)-1, "%p", var);
 id[sizeof(id)-1]='\0';
- if(var_old && zend_hash_find(var_hash, id, sizeof(id), var_old) == SUCCESS) {
+ if(var_old && zend_hash_find(var_hash, id, strlen(id), var_old) == SUCCESS) {
 if(!var->is_ref) {
 /* we still need to bump up the counter, since non-refs will be counted separately by unserializer */
@@ -172,7 +172,7 @@ inline int php_add_var_hash(HashTable *var_hash, zval *var, void *var_old) {
 }
 var_no = zend_hash_num_elements(var_hash)+1; /* +1 because otherwise hash will think we are trying to store NULL pointer */
- zend_hash_add(var_hash, id, sizeof(id), &var_no, sizeof(var_no), NULL);
+ zend_hash_add(var_hash, id, strlen(id), &var_no, sizeof(var_no), NULL);
 return SUCCESS;
 }
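Review bot: Both new calls, `zend_hash_find` in the first hunk and `zend_hash_add` in the second, take the key length from `strlen(id)`, but nothing checks that `snprintf` fitted the whole `%p` text into `id`. The commit message already notes that `%p` output varies by platform, and if it were ever cut short two different zvals could produce the same key and be treated as one variable; the declaration of `id` is outside the hunk, so its size cannot be confirmed from here. I would take the length once from the return value, `len = snprintf(id, sizeof(id), "%p", var);`, fail when `len < 0 || len >= (int)sizeof(id)`, and pass `len` to both calls, provided the snprintf in use reports the untruncated length. A comment such as `/* key is the %p text without its NUL; find and add must agree on the length */` above the lookup would also help, since the key no longer covers the terminator.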