[PHP-CVS] com php-src: Fixed bug #62987 (Assigning to ArrayObject[null][something] overrides all undefined variables): NEWS ext/spl/spl_array.c ext/spl/tests/bug62978.phpt

2012-08-31 Thread Xinchen Hui
Commit:67d7d03f00cb3185a4d5958ab7a4b063fc33405c
Author:Xinchen Hui  Sat, 1 Sep 2012 14:17:39 +0800
Parents:   5dc2cef370885c552c20f3ff44bccd402850de9e
Branches:  PHP-5.3

Link:   
http://git.php.net/?p=php-src.git;a=commitdiff;h=67d7d03f00cb3185a4d5958ab7a4b063fc33405c

Log:
Fixed bug #62987 (Assigning to ArrayObject[null][something] overrides all 
undefined variables)

The get_zval_ptr_ptr handler of spl_array should behave the same way as the VM's.

Bugs:
https://bugs.php.net/62987

Changed paths:
  M  NEWS
  M  ext/spl/spl_array.c
  A  ext/spl/tests/bug62978.phpt


Diff:
diff --git a/NEWS b/NEWS
index a6e05be..ae82821 100644
--- a/NEWS
+++ b/NEWS
@@ -45,6 +45,8 @@ PHP   
 NEWS
   . Fixed bug (segfault due to retval is not initialized). (Laruence)
 
 - SPL:
+  . Bug #62987 (Assigning to ArrayObject[null][something] overrides all 
+undefined variables). (Laruence)
   . Fixed bug #62904 (Crash when cloning an object which inherits 
SplFixedArray)
 (Laruence)
   . Fixed bug #62616 (ArrayIterator::count() from IteratorIterator instance
diff --git a/ext/spl/spl_array.c b/ext/spl/spl_array.c
index 80ca5be..11540de 100755
--- a/ext/spl/spl_array.c
+++ b/ext/spl/spl_array.c
@@ -312,38 +312,41 @@ static zval **spl_array_get_dimension_ptr_ptr(int 
check_inherited, zval *object,
long index;
HashTable *ht = spl_array_get_hash_table(intern, 0 TSRMLS_CC);
 
-/*  We cannot get the pointer pointer so we don't allow it here for now
-   if (check_inherited && intern->fptr_offset_get) {
-   return zend_call_method_with_1_params(&object, 
Z_OBJCE_P(object), &intern->fptr_offset_get, "offsetGet", NULL, offset);
-   }*/
-
if (!offset) {
return &EG(uninitialized_zval_ptr);
}

if ((type == BP_VAR_W || type == BP_VAR_RW) && (ht->nApplyCount > 0)) {
zend_error(E_WARNING, "Modification of ArrayObject during 
sorting is prohibited");
-   return &EG(uninitialized_zval_ptr);;
+   return &EG(error_zval_ptr);;
}
 
switch(Z_TYPE_P(offset)) {
+   case IS_NULL:
+   Z_STRVAL_P(offset) = "";
+   Z_STRLEN_P(offset) = 0;
case IS_STRING:
if (zend_symtable_find(ht, Z_STRVAL_P(offset), 
Z_STRLEN_P(offset)+1, (void **) &retval) == FAILURE) {
-   if (type == BP_VAR_W || type == BP_VAR_RW) {
-   zval *value;
-   ALLOC_INIT_ZVAL(value);
-   zend_symtable_update(ht, Z_STRVAL_P(offset), 
Z_STRLEN_P(offset)+1, (void**)&value, sizeof(void*), NULL);
-   zend_symtable_find(ht, Z_STRVAL_P(offset), 
Z_STRLEN_P(offset)+1, (void **) &retval);
-   return retval;
-   } else {
-   zend_error(E_NOTICE, "Undefined index:  %s", 
Z_STRVAL_P(offset));
-   return &EG(uninitialized_zval_ptr);
+   switch (type) {
+   case BP_VAR_R:
+   zend_error(E_NOTICE, "Undefined index:  
%s", Z_STRVAL_P(offset));
+   case BP_VAR_UNSET:
+   case BP_VAR_IS:
+   retval = &EG(uninitialized_zval_ptr);
+   break;
+   case BP_VAR_RW:
+   zend_error(E_NOTICE,"Undefined index:  
%s", Z_STRVAL_P(offset));
+   case BP_VAR_W: {
+   zval *value;
+   ALLOC_INIT_ZVAL(value);
+   zend_symtable_update(ht, 
Z_STRVAL_P(offset), Z_STRLEN_P(offset)+1, (void**)&value, sizeof(void*), (void 
**)&retval);
+   }
}
-   } else {
-   return retval;
}
-   case IS_DOUBLE:
+   return retval;
case IS_RESOURCE:
+   zend_error(E_STRICT, "Resource ID#%ld used as offset, casting 
to integer (%ld)", Z_LVAL_P(offset), Z_LVAL_P(offset));
+   case IS_DOUBLE:
case IS_BOOL: 
case IS_LONG: 
if (offset->type == IS_DOUBLE) {
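Review bot: The new inner `switch (type)` on the `IS_STRING` miss path has no `default`, so any fetch type other than the five listed reaches the added `return retval;` without this hunk ever assigning `retval`. Its declaration is outside the hunk, so whether it starts initialised cannot be confirmed here; adding `default: retval = &EG(error_zval_ptr); break;` would match the pointer the commit already chose for the sorting guard. The unchanged `if (!offset)` guard still returns `&EG(uninitialized_zval_ptr)` for every fetch type, writes included, which looks like the same shared-zval pattern this commit removes a few lines below, so it is worth confirming that no caller writes through it. The `IS_NULL` case also stores a string pointer and length into the caller's `offset` while its type stays `IS_NULL`; local key and length variables would avoid mutating the argument, and the four intentional fallthroughs deserve a `/* fallthrough */` comment each. The body of spl_array_get_dimension_ptr_ptr starts before this hunk and continues past it.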
@@ -352,23 +355,27 @@ static zval **spl_array_get_dimension_ptr_ptr(int 
check_inherited, zval *object,
index = Z_LVAL_P(offset);
}
if (zend_hash_index_find(ht, index, (void **) &retval) == 
FAILURE) {
-   if (type == BP_VAR_W || type == BP_VAR_RW) {
-   zval *value;
-   ALLOC_INIT_ZVAL(value);
-   zend_hash_index_update(ht, index, 
(void**)&value, sizeof(void*), NULL);
-

Re: [PHP-CVS] com php-src: Fixed bug #62987 (Assigning to ArrayObject[null][something] overrides all undefined variables): NEWS ext/spl/spl_array.c ext/spl/tests/bug62978.phpt

2012-08-31 Thread Laruence
Hi Rms:

This bug is a critical one. Please take note of this fix. :)

thanks

On Sat, Sep 1, 2012 at 2:21 PM, Xinchen Hui  wrote:
> Commit:67d7d03f00cb3185a4d5958ab7a4b063fc33405c
> Author:Xinchen Hui  Sat, 1 Sep 2012 14:17:39 
> +0800
> Parents:   5dc2cef370885c552c20f3ff44bccd402850de9e
> Branches:  PHP-5.3
>
> Link:   
> http://git.php.net/?p=php-src.git;a=commitdiff;h=67d7d03f00cb3185a4d5958ab7a4b063fc33405c
>
> Log:
> Fixed bug #62987 (Assigning to ArrayObject[null][something] overrides all 
> undefined variables)
>
> The get_zval_ptr_ptr of spl_array handler should act as same as the vm's
>
> Bugs:
> https://bugs.php.net/62987
>
> Changed paths:
>   M  NEWS
>   M  ext/spl/spl_array.c
>   A  ext/spl/tests/bug62978.phpt
>
>
> Diff:
> diff --git a/NEWS b/NEWS
> index a6e05be..ae82821 100644
> --- a/NEWS
> +++ b/NEWS
> @@ -45,6 +45,8 @@ PHP 
>NEWS
>. Fixed bug (segfault due to retval is not initialized). (Laruence)
>
>  - SPL:
> +  . Bug #62987 (Assigning to ArrayObject[null][something] overrides all
> +undefined variables). (Laruence)
>. Fixed bug #62904 (Crash when cloning an object which inherits 
> SplFixedArray)
>  (Laruence)
>. Fixed bug #62616 (ArrayIterator::count() from IteratorIterator instance
> diff --git a/ext/spl/spl_array.c b/ext/spl/spl_array.c
> index 80ca5be..11540de 100755
> --- a/ext/spl/spl_array.c
> +++ b/ext/spl/spl_array.c
> @@ -312,38 +312,41 @@ static zval **spl_array_get_dimension_ptr_ptr(int 
> check_inherited, zval *object,
> long index;
> HashTable *ht = spl_array_get_hash_table(intern, 0 TSRMLS_CC);
>
> -/*  We cannot get the pointer pointer so we don't allow it here for now
> -   if (check_inherited && intern->fptr_offset_get) {
> -   return zend_call_method_with_1_params(&object, 
> Z_OBJCE_P(object), &intern->fptr_offset_get, "offsetGet", NULL, offset);
> -   }*/
> -
> if (!offset) {
> return &EG(uninitialized_zval_ptr);
> }
>
> if ((type == BP_VAR_W || type == BP_VAR_RW) && (ht->nApplyCount > 0)) 
> {
> zend_error(E_WARNING, "Modification of ArrayObject during 
> sorting is prohibited");
> -   return &EG(uninitialized_zval_ptr);;
> +   return &EG(error_zval_ptr);;
> }
>
> switch(Z_TYPE_P(offset)) {
> +   case IS_NULL:
> +   Z_STRVAL_P(offset) = "";
> +   Z_STRLEN_P(offset) = 0;
> case IS_STRING:
> if (zend_symtable_find(ht, Z_STRVAL_P(offset), 
> Z_STRLEN_P(offset)+1, (void **) &retval) == FAILURE) {
> -   if (type == BP_VAR_W || type == BP_VAR_RW) {
> -   zval *value;
> -   ALLOC_INIT_ZVAL(value);
> -   zend_symtable_update(ht, Z_STRVAL_P(offset), 
> Z_STRLEN_P(offset)+1, (void**)&value, sizeof(void*), NULL);
> -   zend_symtable_find(ht, Z_STRVAL_P(offset), 
> Z_STRLEN_P(offset)+1, (void **) &retval);
> -   return retval;
> -   } else {
> -   zend_error(E_NOTICE, "Undefined index:  %s", 
> Z_STRVAL_P(offset));
> -   return &EG(uninitialized_zval_ptr);
> +   switch (type) {
> +   case BP_VAR_R:
> +   zend_error(E_NOTICE, "Undefined 
> index:  %s", Z_STRVAL_P(offset));
> +   case BP_VAR_UNSET:
> +   case BP_VAR_IS:
> +   retval = &EG(uninitialized_zval_ptr);
> +   break;
> +   case BP_VAR_RW:
> +   zend_error(E_NOTICE,"Undefined index: 
>  %s", Z_STRVAL_P(offset));
> +   case BP_VAR_W: {
> +   zval *value;
> +   ALLOC_INIT_ZVAL(value);
> +   zend_symtable_update(ht, 
> Z_STRVAL_P(offset), Z_STRLEN_P(offset)+1, (void**)&value, sizeof(void*), 
> (void **)&retval);
> +   }
> }
> -   } else {
> -   return retval;
> }
> -   case IS_DOUBLE:
> +   return retval;
> case IS_RESOURCE:
> +   zend_error(E_STRICT, "Resource ID#%ld used as offset, casting 
> to integer (%ld)", Z_LVAL_P(offset), Z_LVAL_P(offset));
> +   case IS_DOUBLE:
> case IS_BOOL:
> case IS_LONG:
> if (offset->type == IS_DOUBLE) {
> @@ -352,23 +355,27 @@ static zval **spl_array_get_dimension_ptr_ptr(int 
> check_inherited, zval *object,
> index = Z_LVAL_P(offset);
> }
> if (zen