From 2c5fecfeb44f779df93ce842b70930308bd7bbf9 Mon Sep 17 00:00:00 2001
From: Dmitry Stogov <dmitry@php.net>
Date: Tue, 11 May 2010 11:59:13 +0000
Subject: [PATCH] Fixed a possible memory corruption in substr_replace()

---
 ext/standard/string.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/ext/standard/string.c b/ext/standard/string.c
index 1ffbaa9663..250af0702e 100644
--- a/ext/standard/string.c
+++ b/ext/standard/string.c
@@ -2219,12 +2219,21 @@ PHP_FUNCTION(substr_replace)
 	}
 	
 	if (Z_TYPE_PP(str) != IS_ARRAY) {
+		if (Z_ISREF_PP(str)) {
+			SEPARATE_ZVAL(str);
+		}
 		convert_to_string_ex(str);
 	}
 	if (Z_TYPE_PP(repl) != IS_ARRAY) {
+		if (Z_ISREF_PP(repl)) {
+			SEPARATE_ZVAL(repl);
+		}
 		convert_to_string_ex(repl);
 	}
 	if (Z_TYPE_PP(from) != IS_ARRAY) {
+		if (Z_ISREF_PP(from)) {
+			SEPARATE_ZVAL(from);
+		}
 		convert_to_long_ex(from);
 	}
 
-- 
2.40.0