From 5b18acdcc917e93ef9470119c034210ad0129de8 Mon Sep 17 00:00:00 2001
From: Dmitry Stogov <dmitry@php.net>
Date: Tue, 11 May 2010 10:41:19 +0000
Subject: [PATCH] Fixed a possible memory corruption because of unexpected
 call-time pass by refernce and following memory clobbering through callbacks.

---
 NEWS            | 3 +++
 Zend/zend_API.c | 6 ++++++
 2 files changed, 9 insertions(+)

diff --git a/NEWS b/NEWS
index 052dd8f06f..689977e133 100644
--- a/NEWS
+++ b/NEWS
@@ -23,6 +23,9 @@ PHP                                                                        NEWS
 - Fixed very rare memory leak in mysqlnd, when binding thousands of columns.
   (Andrey)
 
+- Fixed a possible memory corruption because of unexpected call-time pass by
+  refernce and following memory clobbering through callbacks.
+  Reported by Stefan Esser (Dmitry)
 - Fixed a possible memory corruption in addcslashes(). Reported by Stefan    
   Esser (Dmitry)
 - Fixed a possible stack exhaustion inside fnmatch(). Reported by Stefan    
diff --git a/Zend/zend_API.c b/Zend/zend_API.c
index 0b9823a989..49464705da 100644
--- a/Zend/zend_API.c
+++ b/Zend/zend_API.c
@@ -412,6 +412,12 @@ static char *zend_parse_arg_impl(int arg_num, zval **arg, va_list *va, char **sp
 					case IS_DOUBLE:
 					case IS_BOOL:
 						convert_to_string_ex(arg);
+						if (UNEXPECTED(Z_ISREF_PP(arg) != 0)) {
+							/* it's dangerous to return pointers to string
+							   buffer of referenced variable, because it can
+							   be clobbered throug magic callbacks */
+							SEPARATE_ZVAL(arg);
+						}
 						*p = Z_STRVAL_PP(arg);
 						*pl = Z_STRLEN_PP(arg);
 						break;
-- 
2.40.0