From 24a1dbabc8252b43c7344ee936890f3c33eb7fef Mon Sep 17 00:00:00 2001
From: Dmitry Stogov <dmitry@php.net>
Date: Wed, 12 May 2010 11:32:25 +0000
Subject: [PATCH] Fixed a possible memory corruption in parse_str(). Reported
 by Stefan Esser

---
 NEWS                  | 2 ++
 ext/standard/string.c | 9 ++++++---
 2 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/NEWS b/NEWS
index 33c1f0d4a0..ac210bc950 100644
--- a/NEWS
+++ b/NEWS
@@ -28,6 +28,8 @@ PHP                                                                        NEWS
 - Fixed a possible memory corruption because of unexpected call-time pass by
   refernce and following memory clobbering through callbacks.
   Reported by Stefan Esser (Dmitry)
+- Fixed a possible memory corruption in parse_str(). Reported by Stefan Esser
+  (Dmitry)
 - Fixed a possible memory corruption in pack(). Reported by Stefan Esser
   (Dmitry)
 - Fixed a possible memory corruption in substr_replace(). Reported by Stefan    
diff --git a/ext/standard/string.c b/ext/standard/string.c
index faad22de52..71d472c9cf 100644
--- a/ext/standard/string.c
+++ b/ext/standard/string.c
@@ -4146,11 +4146,14 @@ PHP_FUNCTION(parse_str)
 		Z_ARRVAL(tmp) = EG(active_symbol_table);
 		sapi_module.treat_data(PARSE_STRING, res, &tmp TSRMLS_CC);
 	} else 	{
+		zval ret;
+		
+		array_init(&ret);
+		sapi_module.treat_data(PARSE_STRING, res, &ret TSRMLS_CC);
 		/* Clear out the array that was passed in. */
 		zval_dtor(arrayArg);
-		array_init(arrayArg);
-		
-		sapi_module.treat_data(PARSE_STRING, res, arrayArg TSRMLS_CC);
+		arrayArg->type = ret.type;
+		arrayArg->value = ret.value;
 	}
 }
 /* }}} */
-- 
2.40.0