diff options
| author | Nikita Popov <nikita.ppv@gmail.com> | 2018-09-19 09:38:17 +0200 |
|---|---|---|
| committer | Nikita Popov <nikita.ppv@gmail.com> | 2018-09-19 09:39:13 +0200 |
| commit | cc1fb02760e95965a6ea1f298d61f510a818caeb (patch) | |
| tree | bf9d8d565753978b20029bf0fa272fa256abb7b6 | |
| parent | 6bf681249f54ab3b67792d9c50f680ba9c6513a4 (diff) | |
| parent | 294fb83ee84b76479a62e4ed37d5523c1208ad7c (diff) | |
| download | php-git-cc1fb02760e95965a6ea1f298d61f510a818caeb.tar.gz | |
Merge branch 'PHP-7.1' into PHP-7.2
| -rw-r--r-- | NEWS | 2 | ||||
| -rw-r--r-- | Zend/tests/bug76901.phpt | 18 | ||||
| -rw-r--r-- | Zend/zend_builtin_functions.c | 11 |
3 files changed, 24 insertions, 7 deletions
@@ -5,6 +5,8 @@ PHP NEWS - Core: . Fixed bug #76800 (foreach inconsistent if array modified during loop). (Dmitry) + . Fixed bug #76901 (method_exists on SPL iterator passthrough method corrupts + memory). (Nikita) - CURL: . Fixed bug #76480 (Use curl_multi_wait() so that timeouts are respected). diff --git a/Zend/tests/bug76901.phpt b/Zend/tests/bug76901.phpt new file mode 100644 index 0000000000..8d567d9e0c --- /dev/null +++ b/Zend/tests/bug76901.phpt @@ -0,0 +1,18 @@ +--TEST-- +Bug #76901: method_exists on SPL iterator passthrough method corrupts memory +--FILE-- +<?php + +$it = new ArrayIterator([1, 2, 3]); +$it = new IteratorIterator($it); +foreach ($it as $v) { + if (method_exists($it, 'offsetGet')) { + var_dump($it->offsetGet(0)); + } +} + +?> +--EXPECT-- +int(1) +int(1) +int(1) diff --git a/Zend/zend_builtin_functions.c b/Zend/zend_builtin_functions.c index 81c78f2a97..8cd0207e46 100644 --- a/Zend/zend_builtin_functions.c +++ b/Zend/zend_builtin_functions.c @@ -1294,13 +1294,10 @@ ZEND_FUNCTION(method_exists) if (zend_hash_exists(&ce->function_table, lcname)) { zend_string_release(lcname); RETURN_TRUE; - } else { - union _zend_function *func = NULL; - - if (Z_TYPE_P(klass) == IS_OBJECT - && Z_OBJ_HT_P(klass)->get_method != NULL - && (func = Z_OBJ_HT_P(klass)->get_method(&Z_OBJ_P(klass), method_name, NULL)) != NULL - ) { + } else if (Z_TYPE_P(klass) == IS_OBJECT && Z_OBJ_HT_P(klass)->get_method != NULL) { + zend_object *obj = Z_OBJ_P(klass); + zend_function *func = Z_OBJ_HT_P(klass)->get_method(&obj, method_name, NULL); + if (func != NULL) { if (func->common.fn_flags & ZEND_ACC_CALL_VIA_TRAMPOLINE) { /* Returns true to the fake Closure's __invoke */ RETVAL_BOOL(func->common.scope == zend_ce_closure |