From 36f01f158cdcd9b2740388e0675b69652e2c9e6c Mon Sep 17 00:00:00 2001 From: Xinchen Hui Date: Wed, 5 Mar 2014 17:29:29 +0800 Subject: [PATCH] Fixed NULL pointer dereference --- Zend/zend_API.c | 17 ++++++++++------- 1 file changed, 10 insertions(+), 7 deletions(-) diff --git a/Zend/zend_API.c b/Zend/zend_API.c index 7aacad1297..098407d714 100644 --- a/Zend/zend_API.c +++ b/Zend/zend_API.c @@ -3154,19 +3154,20 @@ ZEND_API zend_bool zend_is_callable_ex(zval *callable, zval *object_ptr, uint ch if (zend_hash_num_elements(Z_ARRVAL_P(callable)) == 2) { obj = zend_hash_index_find(Z_ARRVAL_P(callable), 0); - if (UNEXPECTED(Z_ISREF_P(obj))) { - obj = Z_REFVAL_P(obj); - } method = zend_hash_index_find(Z_ARRVAL_P(callable), 1); - if (UNEXPECTED(Z_ISREF_P(method))) { - method = Z_REFVAL_P(method); - } } if (obj && method && (Z_TYPE_P(obj) == IS_OBJECT || Z_TYPE_P(obj) == IS_STRING) && Z_TYPE_P(method) == IS_STRING) { + if (UNEXPECTED(Z_ISREF_P(obj))) { + obj = Z_REFVAL_P(obj); + } + if (UNEXPECTED(Z_ISREF_P(method))) { + method = Z_REFVAL_P(method); + } + if (Z_TYPE_P(obj) == IS_STRING) { if (callable_name) { char *ptr; @@ -3233,7 +3234,9 @@ ZEND_API zend_bool zend_is_callable_ex(zval *callable, zval *object_ptr, uint ch } else { if (zend_hash_num_elements(Z_ARRVAL_P(callable)) == 2) { - if (!obj || (Z_TYPE_P(obj) != IS_STRING && Z_TYPE_P(obj) != IS_OBJECT)) { + if (!obj || (Z_ISREF_P(obj)? + (Z_TYPE_P(Z_REFVAL_P(obj)) != IS_STRING && Z_TYPE_P(Z_REFVAL_P(obj)) != IS_OBJECT) : + (Z_TYPE_P(obj) != IS_STRING && Z_TYPE_P(obj) != IS_OBJECT))) { if (error) zend_spprintf(error, 0, "first array member is not a valid class name or object"); } else { if (error) zend_spprintf(error, 0, "second array member is not a valid method"); -- 2.50.1