dmitry Fri, 14 Aug 2009 06:21:49 +0000
Revision: http://svn.php.net/viewvc?view=revision&revision=287276
Log:
Fixed crash in usort() and uasort() in case user comparison function modifyes th
e array.
Changed paths:
U php/php-src/trunk/ext/standard/array.c
Modified: php/php-src/trunk/ext/standard/array.c
===================================================================
--- php/php-src/trunk/ext/standard/array.c 2009-08-14 06:20:21 UTC (rev
287275)
+++ php/php-src/trunk/ext/standard/array.c 2009-08-14 06:21:49 UTC (rev
287276)
@@ -640,6 +640,7 @@
PHP_FUNCTION(usort)
{
zval *array;
+ int refcount;
PHP_ARRAY_CMP_FUNC_VARS;
PHP_ARRAY_CMP_FUNC_BACKUP();
@@ -649,12 +650,31 @@
return;
}
+ /* Clear the is_ref flag, so the attemts to modify the array in user
+ * comaprison function will create a copy of array and won't affect the
+ * original array. The fact of modification is detected using refcount
+ * comparison. The result of sorting in such case is undefined and the
+ * function returns FALSE.
+ */
+ Z_UNSET_ISREF_P(array);
+ refcount = Z_REFCOUNT_P(array);
+
if (zend_hash_sort(Z_ARRVAL_P(array), zend_qsort,
php_array_user_compare, 1 TSRMLS_CC) == FAILURE) {
- PHP_ARRAY_CMP_FUNC_RESTORE();
- RETURN_FALSE;
+ RETVAL_FALSE;
+ } else {
+ if (refcount > Z_REFCOUNT_P(array)) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Array was
modified by the user comparison function");
+ RETVAL_FALSE;
+ } else {
+ RETVAL_TRUE;
+ }
}
+
+ if (Z_REFCOUNT_P(array) > 1) {
+ Z_SET_ISREF_P(array);
+ }
+
PHP_ARRAY_CMP_FUNC_RESTORE();
- RETURN_TRUE;
}
/* }}} */
--
PHP CVS Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
