From: Dmitry Stogov Date: Mon, 25 Dec 2006 19:23:18 +0000 (+0000) Subject: Fixed bug #39825 (foreach produces memory error) X-Git-Tag: RELEASE_1_0_0RC1~509 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=e88cc26864aef66cb01cad29eb18a3fe37bab8e0;p=php Fixed bug #39825 (foreach produces memory error) --- diff --git a/Zend/tests/bug39825.phpt b/Zend/tests/bug39825.phpt new file mode 100755 index 0000000000..791b329f71 --- /dev/null +++ b/Zend/tests/bug39825.phpt @@ -0,0 +1,13 @@ +--TEST-- +Bug #39825 (foreach produces memory error) +--FILE-- + 2, "foo" => "bar"); +$obj = (object)$array; +foreach ($obj as $name => $value) { + echo "$name -> $value\n"; +} +?> +--EXPECT-- +1 -> 2 +foo -> bar diff --git a/Zend/zend_vm_def.h b/Zend/zend_vm_def.h index 86b5dc5471..06e3d89158 100644 --- a/Zend/zend_vm_def.h +++ b/Zend/zend_vm_def.h @@ -3284,7 +3284,8 @@ ZEND_VM_HANDLER(77, ZEND_FE_RESET, CONST|TMP|VAR|CV, ANY) key_type = zend_hash_get_current_key_ex(fe_ht, &str_key, &str_key_len, &int_key, 0, NULL); if (key_type != HASH_KEY_NON_EXISTANT && - zend_check_property_access(zobj, key_type == HASH_KEY_IS_UNICODE?IS_UNICODE:IS_STRING, str_key, str_key_len-1 TSRMLS_CC) == SUCCESS) { + (key_type == HASH_KEY_IS_LONG || + zend_check_property_access(zobj, key_type == HASH_KEY_IS_UNICODE?IS_UNICODE:IS_STRING, str_key, str_key_len-1 TSRMLS_CC) == SUCCESS)) { break; } zend_hash_move_forward(fe_ht); @@ -3343,8 +3344,10 @@ ZEND_VM_HANDLER(78, ZEND_FE_FETCH, VAR, ANY) key_type = zend_hash_get_current_key_ex(fe_ht, &str_key, &str_key_len, &int_key, 0, NULL); zend_hash_move_forward(fe_ht); - } while (key_type == HASH_KEY_NON_EXISTANT || zend_check_property_access(zobj, key_type == HASH_KEY_IS_UNICODE?IS_UNICODE:IS_STRING, str_key, str_key_len-1 TSRMLS_CC) != SUCCESS); - if (use_key) { + } while (key_type == HASH_KEY_NON_EXISTANT || + (key_type != HASH_KEY_IS_LONG && + zend_check_property_access(zobj, key_type == HASH_KEY_IS_UNICODE?IS_UNICODE:IS_STRING, str_key, str_key_len-1 TSRMLS_CC) != SUCCESS)); + if (use_key && key_type != HASH_KEY_IS_LONG) { zend_u_unmangle_property_name(key_type == HASH_KEY_IS_UNICODE?IS_UNICODE:IS_STRING, str_key, str_key_len-1, &class_name, &prop_name); if (key_type == HASH_KEY_IS_UNICODE) { str_key_len = u_strlen(prop_name.u); diff --git a/Zend/zend_vm_execute.h b/Zend/zend_vm_execute.h index 660f418ad9..e9a53e5fa0 100644 --- a/Zend/zend_vm_execute.h +++ b/Zend/zend_vm_execute.h @@ -2227,7 +2227,8 @@ static int ZEND_FE_RESET_SPEC_CONST_HANDLER(ZEND_OPCODE_HANDLER_ARGS) key_type = zend_hash_get_current_key_ex(fe_ht, &str_key, &str_key_len, &int_key, 0, NULL); if (key_type != HASH_KEY_NON_EXISTANT && - zend_check_property_access(zobj, key_type == HASH_KEY_IS_UNICODE?IS_UNICODE:IS_STRING, str_key, str_key_len-1 TSRMLS_CC) == SUCCESS) { + (key_type == HASH_KEY_IS_LONG || + zend_check_property_access(zobj, key_type == HASH_KEY_IS_UNICODE?IS_UNICODE:IS_STRING, str_key, str_key_len-1 TSRMLS_CC) == SUCCESS)) { break; } zend_hash_move_forward(fe_ht); @@ -4834,7 +4835,8 @@ static int ZEND_FE_RESET_SPEC_TMP_HANDLER(ZEND_OPCODE_HANDLER_ARGS) key_type = zend_hash_get_current_key_ex(fe_ht, &str_key, &str_key_len, &int_key, 0, NULL); if (key_type != HASH_KEY_NON_EXISTANT && - zend_check_property_access(zobj, key_type == HASH_KEY_IS_UNICODE?IS_UNICODE:IS_STRING, str_key, str_key_len-1 TSRMLS_CC) == SUCCESS) { + (key_type == HASH_KEY_IS_LONG || + zend_check_property_access(zobj, key_type == HASH_KEY_IS_UNICODE?IS_UNICODE:IS_STRING, str_key, str_key_len-1 TSRMLS_CC) == SUCCESS)) { break; } zend_hash_move_forward(fe_ht); @@ -8046,7 +8048,8 @@ static int ZEND_FE_RESET_SPEC_VAR_HANDLER(ZEND_OPCODE_HANDLER_ARGS) key_type = zend_hash_get_current_key_ex(fe_ht, &str_key, &str_key_len, &int_key, 0, NULL); if (key_type != HASH_KEY_NON_EXISTANT && - zend_check_property_access(zobj, key_type == HASH_KEY_IS_UNICODE?IS_UNICODE:IS_STRING, str_key, str_key_len-1 TSRMLS_CC) == SUCCESS) { + (key_type == HASH_KEY_IS_LONG || + zend_check_property_access(zobj, key_type == HASH_KEY_IS_UNICODE?IS_UNICODE:IS_STRING, str_key, str_key_len-1 TSRMLS_CC) == SUCCESS)) { break; } zend_hash_move_forward(fe_ht); @@ -8105,8 +8108,10 @@ static int ZEND_FE_FETCH_SPEC_VAR_HANDLER(ZEND_OPCODE_HANDLER_ARGS) key_type = zend_hash_get_current_key_ex(fe_ht, &str_key, &str_key_len, &int_key, 0, NULL); zend_hash_move_forward(fe_ht); - } while (key_type == HASH_KEY_NON_EXISTANT || zend_check_property_access(zobj, key_type == HASH_KEY_IS_UNICODE?IS_UNICODE:IS_STRING, str_key, str_key_len-1 TSRMLS_CC) != SUCCESS); - if (use_key) { + } while (key_type == HASH_KEY_NON_EXISTANT || + (key_type != HASH_KEY_IS_LONG && + zend_check_property_access(zobj, key_type == HASH_KEY_IS_UNICODE?IS_UNICODE:IS_STRING, str_key, str_key_len-1 TSRMLS_CC) != SUCCESS)); + if (use_key && key_type != HASH_KEY_IS_LONG) { zend_u_unmangle_property_name(key_type == HASH_KEY_IS_UNICODE?IS_UNICODE:IS_STRING, str_key, str_key_len-1, &class_name, &prop_name); if (key_type == HASH_KEY_IS_UNICODE) { str_key_len = u_strlen(prop_name.u); @@ -20601,7 +20606,8 @@ static int ZEND_FE_RESET_SPEC_CV_HANDLER(ZEND_OPCODE_HANDLER_ARGS) key_type = zend_hash_get_current_key_ex(fe_ht, &str_key, &str_key_len, &int_key, 0, NULL); if (key_type != HASH_KEY_NON_EXISTANT && - zend_check_property_access(zobj, key_type == HASH_KEY_IS_UNICODE?IS_UNICODE:IS_STRING, str_key, str_key_len-1 TSRMLS_CC) == SUCCESS) { + (key_type == HASH_KEY_IS_LONG || + zend_check_property_access(zobj, key_type == HASH_KEY_IS_UNICODE?IS_UNICODE:IS_STRING, str_key, str_key_len-1 TSRMLS_CC) == SUCCESS)) { break; } zend_hash_move_forward(fe_ht);