From 79ed81e9717a07bd3a7264f8f76011bf6d33a74e Mon Sep 17 00:00:00 2001
From: Ilia Alshanetsky <iliaa@php.net>
Date: Wed, 11 Feb 2004 17:09:09 +0000
Subject: [PATCH] Fixed bug #27183 (userland stream wrapper segfaults on
 stream_write).

---
 NEWS                                  |  2 ++
 ext/standard/tests/file/bug27183.phpt | 30 +++++++++++++++++++++++++++
 main/user_streams.c                   |  8 ++++---
 3 files changed, 37 insertions(+), 3 deletions(-)
 create mode 100644 ext/standard/tests/file/bug27183.phpt

diff --git a/NEWS b/NEWS
index 5a9214f605..d3cf70789d 100644
--- a/NEWS
+++ b/NEWS
@@ -3,6 +3,8 @@ PHP 4                                                                      NEWS
 ?? Feb 2004, Version 4.3.5
 - Fixed bug #27196 (Missing content_length initialization in apache 2 sapis).
   (Ilia, pdoru at kappa dot ro)
+- Fixed bug #27183 (userland stream wrapper segfaults on stream_write).
+  (Moriyoshi)
 - Fixed bug #27175 (tzset() is not being called by PHP on startup).
   (Ilia, sagawa at sohgoh dot net)
 - Fixed bug #27172 (Possible floating point exception in gmp_powm()). (Ilia)
diff --git a/ext/standard/tests/file/bug27183.phpt b/ext/standard/tests/file/bug27183.phpt
new file mode 100644
index 0000000000..6edffcba7e
--- /dev/null
+++ b/ext/standard/tests/file/bug27183.phpt
@@ -0,0 +1,30 @@
+--TEST--
+Bug #27183 (userland stream wrapper segfaults on stream_write)
+--FILE--
+<?php
+stream_wrapper_register("one", "StreamOne");
+$fd = fopen("one://tmp/bla", "w");
+fwrite($fd, "hmm");
+fclose($fd);
+
+class StreamOne {
+	function stream_open ($path, $mode, $options, &$opened_path)
+	{
+        	$this->b = 'mmh';
+		return true;
+	}
+        function stream_write($data)
+        {
+        	$this->a = $data;
+	}
+	function stream_close()
+	{
+        	debug_zval_dump($this->a);
+                debug_zval_dump($this->b);
+		return true;
+	}
+}
+?>
+--EXPECT--
+string(3) "hmm" refcount(2)
+string(3) "mmh" refcount(2)
diff --git a/main/user_streams.c b/main/user_streams.c
index 1b3a813494..55130544c7 100644
--- a/main/user_streams.c
+++ b/main/user_streams.c
@@ -382,15 +382,15 @@ static size_t php_userstreamop_write(php_stream *stream, const char *buf, size_t
 	int call_result;
 	php_userstream_data_t *us = (php_userstream_data_t *)stream->abstract;
 	zval **args[1];
-	zval zbuff, *zbufptr;
+	zval *zbufptr;
 	size_t didwrite = 0;
 
 	assert(us != NULL);
 
 	ZVAL_STRINGL(&func_name, USERSTREAM_WRITE, sizeof(USERSTREAM_WRITE)-1, 0);
 
-	ZVAL_STRINGL(&zbuff, (char*)buf, count, 0);
-	zbufptr = &zbuff;
+	MAKE_STD_ZVAL(zbufptr);
+	ZVAL_STRINGL(zbufptr, (char*)buf, count, 1);
 	args[0] = &zbufptr;
 
 	call_result = call_user_function_ex(NULL,
@@ -400,6 +400,8 @@ static size_t php_userstreamop_write(php_stream *stream, const char *buf, size_t
 			1, args,
 			0, NULL TSRMLS_CC);
 
+	zval_ptr_dtor(&zbufptr);
+	
 	didwrite = 0;
 	if (call_result == SUCCESS && retval != NULL) {
 		convert_to_long(retval);
-- 
2.50.1