From 2c36778e47b6a14156da7a7a8b665637f12b1d3d Mon Sep 17 00:00:00 2001
From: Antony Dovgal <tony2001@php.net>
Date: Mon, 22 Jan 2007 08:17:26 +0000
Subject: [PATCH] MFH: fix #40191 (use of array_unique() with objects triggers
 segfault)

---
 NEWS                                   |  2 ++
 ext/standard/array.c                   |  6 +++---
 ext/standard/tests/array/bug40191.phpt | 23 +++++++++++++++++++++++
 3 files changed, 28 insertions(+), 3 deletions(-)
 create mode 100644 ext/standard/tests/array/bug40191.phpt

diff --git a/NEWS b/NEWS
index 80b0c5d8c4..57c33e9779 100644
--- a/NEWS
+++ b/NEWS
@@ -1,6 +1,8 @@
 PHP                                                                        NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 ?? Jan 2007, PHP 5.2.1RC4
+- Fixed bug #40191 (use of array_unique() with objects triggers segfault).
+  (Tony)
 - Fixed bug #40169 (CURLOPT_TCP_NODELAY only available in curl >= 7.11.2). 
   (Tony)
 - Fixed bug #39450 (getenv() fills other super-globals). (Ilia, Tony)
diff --git a/ext/standard/array.c b/ext/standard/array.c
index a159c2ae38..be3e73c191 100644
--- a/ext/standard/array.c
+++ b/ext/standard/array.c
@@ -2792,7 +2792,7 @@ PHP_FUNCTION(array_change_key_case)
    Removes duplicate values from array */
 PHP_FUNCTION(array_unique)
 {
-	zval **array;
+	zval **array, *tmp;
 	HashTable *target_hash;
 	Bucket *p;
 	struct bucketindex {
@@ -2811,8 +2811,8 @@ PHP_FUNCTION(array_unique)
 		RETURN_FALSE;
 	}
 
-	/* copy the argument array */
-	RETVAL_ZVAL(*array, 1, 0);
+	array_init(return_value);
+	zend_hash_copy(Z_ARRVAL_P(return_value), target_hash, (copy_ctor_func_t) zval_add_ref, (void *)&tmp, sizeof(zval*));
 
 	if (target_hash->nNumOfElements <= 1) {	/* nothing to do */
 		return;
diff --git a/ext/standard/tests/array/bug40191.phpt b/ext/standard/tests/array/bug40191.phpt
new file mode 100644
index 0000000000..8a68294faf
--- /dev/null
+++ b/ext/standard/tests/array/bug40191.phpt
@@ -0,0 +1,23 @@
+--TEST--
+Bug #40191 (use of array_unique() with objects triggers segfault)
+--FILE--
+<?php
+
+$arrObj = new ArrayObject();
+$arrObj->append('foo');
+$arrObj->append('bar');
+$arrObj->append('foo');
+
+$arr = array_unique($arrObj);
+var_dump($arr);
+
+echo "Done\n";
+?>
+--EXPECTF--	
+array(2) {
+  [0]=>
+  string(3) "foo"
+  [1]=>
+  string(3) "bar"
+}
+Done
-- 
2.50.1