From: Dmitry Stogov Date: Thu, 1 Sep 2005 12:01:28 +0000 (+0000) Subject: Fixed bug #34277 (array_filter() crashes with references and objects) X-Git-Tag: php-4.4.1RC1~40 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=e2aea0d95b6add6288f0afca16a3b41dc40c1d0e;p=php Fixed bug #34277 (array_filter() crashes with references and objects) --- diff --git a/NEWS b/NEWS index f2d8085bf6..7a650171f2 100644 --- a/NEWS +++ b/NEWS @@ -3,6 +3,8 @@ PHP 4 NEWS ?? ??? 2005, Version 4.4.1 - Fixed bug #34302 (date('W') do not return leading zeros for week 1 to 9). (Derick) +- Fixed bug #34277 (array_filter() crashes with references and objects). + (Dmitry) - Fixed bug #34191 (ob_gzhandler does not enforce trailing \0). (Ilia) - Fixed bug #34156 (memory usage remains elevated after memory limit is reached). (Ilia) diff --git a/ext/standard/array.c b/ext/standard/array.c index e20e05f2a0..c0d1baa2be 100644 --- a/ext/standard/array.c +++ b/ext/standard/array.c @@ -3317,6 +3317,7 @@ PHP_FUNCTION(array_reduce) PHP_FUNCTION(array_filter) { zval **input, **callback = NULL; + zval *array; zval **operand; zval **args[1]; zval *retval = NULL; @@ -3335,6 +3336,7 @@ PHP_FUNCTION(array_filter) php_error_docref(NULL TSRMLS_CC, E_WARNING, "The first argument should be an array"); return; } + array = *input; if (ZEND_NUM_ARGS() > 1) { if (!zend_is_callable(*callback, 0, &callback_name)) { @@ -3346,12 +3348,12 @@ PHP_FUNCTION(array_filter) } array_init(return_value); - if (zend_hash_num_elements(Z_ARRVAL_PP(input)) == 0) + if (zend_hash_num_elements(Z_ARRVAL_P(array)) == 0) return; - for (zend_hash_internal_pointer_reset_ex(Z_ARRVAL_PP(input), &pos); - zend_hash_get_current_data_ex(Z_ARRVAL_PP(input), (void **)&operand, &pos) == SUCCESS; - zend_hash_move_forward_ex(Z_ARRVAL_PP(input), &pos)) { + for (zend_hash_internal_pointer_reset_ex(Z_ARRVAL_P(array), &pos); + zend_hash_get_current_data_ex(Z_ARRVAL_P(array), (void **)&operand, &pos) == SUCCESS; + zend_hash_move_forward_ex(Z_ARRVAL_P(array), &pos)) { if (callback) { args[0] = operand; @@ -3369,7 +3371,7 @@ PHP_FUNCTION(array_filter) continue; zval_add_ref(operand); - switch (zend_hash_get_current_key_ex(Z_ARRVAL_PP(input), &string_key, &string_key_len, &num_key, 0, &pos)) { + switch (zend_hash_get_current_key_ex(Z_ARRVAL_P(array), &string_key, &string_key_len, &num_key, 0, &pos)) { case HASH_KEY_IS_STRING: zend_hash_update(Z_ARRVAL_P(return_value), string_key, string_key_len, operand, sizeof(zval *), NULL); diff --git a/ext/standard/tests/array/bug34227.phpt b/ext/standard/tests/array/bug34227.phpt new file mode 100755 index 0000000000..51064ae8a8 --- /dev/null +++ b/ext/standard/tests/array/bug34227.phpt @@ -0,0 +1,100 @@ +--TEST-- +Bug #34277 (array_filter() crashes with references and objects) +--FILE-- +m2(); + } + + function m2() + { + $this->m3(); + } + + function m3() + { + $this->m4(); + } + + function m4() + { + $this->m5(); + } + + function m5() + { + $this->m6(); + } + + function m6() + { + $this->m7(); + } + + function m7() + { + $this->m8(); + } + + function m8() + { + $this->m9(); + } + + function m9() + { + $this->m10(); + } + + function m10() + { + $this->m11(1, 2, 3, 4, 5, 6, 7, 8, 9, 10); + } + + function m11($a1, $a2, $a3, $a4, $a5, $a6, $a7, $a8, $a9, $a10) + { + $arr = explode('a', 'b'); + } +} + +function f($str) +{ + $obj =& new C; + $obj->m1(); + return TRUE; +} + +function p5($a1, $a2, $a3, $a4, $a5, $a6, $a7, $a8, $a9, $a10, $a11, $a12) +{ + $ret = array_filter(array(0), 'f'); +} + +function p4() +{ + p5(1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12); +} + +function p3() +{ + p4(); +} + +function p2() +{ + p3(); +} + +function p1() +{ + p2(); +} + +p1(); +echo "ok\n"; +?> +--EXPECT-- +ok