From 519f9bc67520f2dfd43e4d829143721d1334ff59 Mon Sep 17 00:00:00 2001
From: Xinchen Hui
Date: Fri, 20 Nov 2015 06:37:38 -0800
Subject: [PATCH] Fixed bug #70947 (INI parser segfault with INI_SCANNER_TYPED)
---
 NEWS | 1 +
 Zend/zend_ini_parser.y | 7 ++++++-
 ext/standard/tests/general_functions/bug70947.phpt | 12 ++++++++++++
 3 files changed, 19 insertions(+), 1 deletion(-)
 create mode 100644 ext/standard/tests/general_functions/bug70947.phpt
diff --git a/NEWS b/NEWS
index 69be876783..433625785e 100644
--- a/NEWS
+++ b/NEWS
@@ -3,6 +3,7 @@ PHP NEWS
 ?? ??? 2015, PHP 7.0.1
 - Core:
+ . Fixed bug #70947 (INI parser segfault with INI_SCANNER_TYPED). (Laruence)
 . Fixed bug #70944 (try{ } finally{} can create infinite chains of exceptions). (Laruence)
 . Fixed bug #70914 (zend_throw_or_error() format string vulnerability).
diff --git a/Zend/zend_ini_parser.y b/Zend/zend_ini_parser.y
index e3042b80c1..d6f33159d8 100644
--- a/Zend/zend_ini_parser.y
+++ b/Zend/zend_ini_parser.y
@@ -109,8 +109,13 @@ static void zend_ini_add_string(zval *result, zval *op1, zval *op2)
 ZVAL_PSTRINGL(op1, str->val, str->len);
 zend_string_release(str);
 }
-
 op1_len = (int)Z_STRLEN_P(op1);
+
+ if (Z_TYPE_P(op2) != IS_STRING) {
+ zend_string *str = zval_get_string(op2);
+ ZVAL_PSTRINGL(op2, str->val, str->len);
+ zend_string_release(str);
+ }
 length = op1_len + (int)Z_STRLEN_P(op2);
 ZVAL_NEW_STR(result, zend_string_extend(Z_STR_P(op1), length, 1));
diff --git a/ext/standard/tests/general_functions/bug70947.phpt b/ext/standard/tests/general_functions/bug70947.phpt
new file mode 100644
index 0000000000..d07e5a331f
--- /dev/null
+++ b/ext/standard/tests/general_functions/bug70947.phpt
@@ -0,0 +1,12 @@
+--TEST--
+Bug #70947 (INI parser segfault with INI_SCANNER_TYPED)
+--FILE--
+
+--EXPECT--
+array(1) {
+ ["foo"]=>
+ string(7) "bar 123"
+}
--
2.50.1
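Review bot: The added op2 branch in zend_ini_add_string overwrites op2 in place with `ZVAL_PSTRINGL` and never releases what op2 held before, which is only safe if the typed scanner can hand this function nothing but non-refcounted scalars (presumably null, booleans and integers); that invariant is assumed here rather than checked. I would state it right at the branch, e.g. `ZEND_ASSERT(!Z_REFCOUNTED_P(op2));` before the `zval_get_string(op2)` call, so a later scanner change fails in debug builds instead of leaking or reintroducing a type confusion. The op1 branch, whose start is outside the hunk, follows the same pattern and would benefit from the same line. Separately, the context line `length = op1_len + (int)Z_STRLEN_P(op2);` still narrows two `size_t` lengths to `int` before the sum reaches `zend_string_extend`; that predates this commit, but the freshly converted op2 now feeds it, so a range check or `size_t` arithmetic is worth a follow-up. The function begins before and continues after this hunk, so whatever copies op2 into the extended string is not visible here.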