From 24a1dbabc8252b43c7344ee936890f3c33eb7fef Mon Sep 17 00:00:00 2001
From: Dmitry Stogov
Date: Wed, 12 May 2010 11:32:25 +0000
Subject: [PATCH] Fixed a possible memory corruption in parse_str(). Reported by Stefan Esser
---
 NEWS | 2 ++
 ext/standard/string.c | 9 ++++++---
 2 files changed, 8 insertions(+), 3 deletions(-)
diff --git a/NEWS b/NEWS
index 33c1f0d4a0..ac210bc950 100644
--- a/NEWS
+++ b/NEWS
@@ -28,6 +28,8 @@ PHP NEWS - Fixed a possible memory corruption because of unexpected call-time pass by refernce and following memory clobbering through callbacks. Reported by Stefan Esser (Dmitry) +- Fixed a possible memory corruption in parse_str(). Reported by Stefan Esser + (Dmitry) - Fixed a possible memory corruption in pack(). Reported by Stefan Esser (Dmitry) - Fixed a possible memory corruption in substr_replace(). Reported by Stefan
diff --git a/ext/standard/string.c b/ext/standard/string.c
index faad22de52..71d472c9cf 100644
--- a/ext/standard/string.c
+++ b/ext/standard/string.c
@@ -4146,11 +4146,14 @@ PHP_FUNCTION(parse_str)
 Z_ARRVAL(tmp) = EG(active_symbol_table);
 sapi_module.treat_data(PARSE_STRING, res, &tmp TSRMLS_CC);
 } else {
+ zval ret;
+
+ array_init(&ret);
+ sapi_module.treat_data(PARSE_STRING, res, &ret TSRMLS_CC);
 /* Clear out the array that was passed in. */
 zval_dtor(arrayArg);
- array_init(arrayArg);
-
- sapi_module.treat_data(PARSE_STRING, res, arrayArg TSRMLS_CC);
+ arrayArg->type = ret.type;
+ arrayArg->value = ret.value;
 }
 }
 /* }}} */
--
2.40.0
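Review bot: In the else branch `zval_dtor(arrayArg)` still runs before the parsed result is stored, so between that call and the two assignments `arrayArg` holds an already-destroyed value; if destroying the old value can run other code (not visible in this hunk), that leaves a window like the one this commit closes. Moving the old value aside first and destroying it last removes the window: `zval old = *arrayArg;` before the assignments from `ret`, then `zval_dtor(&old);`. A comment such as `/* Parse into a temporary so arrayArg is not modified while treat_data() runs. */` above `array_init(&ret)` would keep a later cleanup from folding the temporary away, since the existing comment now describes only the `zval_dtor` line. PHP_FUNCTION(parse_str) starts before the hunk, so how `arrayArg` is obtained cannot be checked from here.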