diff options
| author | Nikita Popov <nikita.ppv@gmail.com> | 2020-08-05 15:41:42 +0200 |
|---|---|---|
| committer | Nikita Popov <nikita.ppv@gmail.com> | 2020-08-05 15:43:41 +0200 |
| commit | da786a22af1632272d08a98352da9bbaecbe438a (patch) | |
| tree | bc558bef4996a13e3ba19b50188792daad6c93d8 | |
| parent | 12db8b90a74627bca7923343f6758d0b2ce61eac (diff) | |
| download | php-git-da786a22af1632272d08a98352da9bbaecbe438a.tar.gz | |
Fixed bug #79930
We're inserting src_zval, so that's what we should addref.
| -rw-r--r-- | NEWS | 4 | ||||
| -rw-r--r-- | ext/standard/array.c | 2 | ||||
| -rw-r--r-- | ext/standard/tests/array/bug79930.phpt | 33 |
3 files changed, 38 insertions, 1 deletions
@@ -17,6 +17,10 @@ PHP NEWS . Fixed bug #73060 (php failed with error after temp folder cleaned up). (cmb) +- Standard: + . Fixed bug #79930 (array_merge_recursive() crashes when called with array + with single reference). (Nikita) + 06 Aug 2020, PHP 7.3.21 - Apache: diff --git a/ext/standard/array.c b/ext/standard/array.c index 300f714932..09c3a9f256 100644 --- a/ext/standard/array.c +++ b/ext/standard/array.c @@ -3615,7 +3615,7 @@ PHPAPI int php_array_merge_recursive(HashTable *dest, HashTable *src) /* {{{ */ return 0; } } else { - Z_TRY_ADDREF_P(src_entry); + Z_TRY_ADDREF_P(src_zval); zend_hash_next_index_insert(Z_ARRVAL_P(dest_zval), src_zval); } zval_ptr_dtor(&tmp); diff --git a/ext/standard/tests/array/bug79930.phpt b/ext/standard/tests/array/bug79930.phpt new file mode 100644 index 0000000000..bb4e1dd86d --- /dev/null +++ b/ext/standard/tests/array/bug79930.phpt @@ -0,0 +1,33 @@ +--TEST-- +Bug #79930: array_merge_recursive() crashes when called with array with single reference +--FILE-- +<?php + +$a = 'a'; +$array = [ + 'value' => $a . 'b', +]; + +// Create rc=1 reference. +array_walk($array, function () {}); + +$m = array_merge_recursive(['value' => 'a'], $array); + +var_dump($a, $array, $m); + +?> +--EXPECT-- +string(1) "a" +array(1) { + ["value"]=> + string(2) "ab" +} +array(1) { + ["value"]=> + array(2) { + [0]=> + string(1) "a" + [1]=> + string(2) "ab" + } +} |