author | Dmitry Stogov <dmitry@php.net> | 2009-04-06 11:10:32 +0000 |
---|---|---|
committer | Dmitry Stogov <dmitry@php.net> | 2009-04-06 11:10:32 +0000 |
commit | 82b86c1c38887d3a20da5b9b4966bf144f410866 (patch) | |
tree | ae2a0f369bd146cbe5f15416c7fb3a0d1d053aca | |
parent | 63169ea0b206ef892ab2e1acac8b162993fa06e1 (diff) | |
Bug #47880 (crashes in call_user_func_array())
-rw-r--r-- | NEWS | 1 | ||||
-rw-r--r-- | Zend/tests/bug47880.phpt | 15 | ||||
-rw-r--r-- | Zend/zend_API.c | 6 |
3 files changed, 16 insertions, 6 deletions
@@ -4,6 +4,7 @@ PHP NEWS
 - Undeprecated ticks. (Arnaud)
 - Upgraded bundled sqlite to version 3.6.12. (Scott)
+- Fixed bug #47880 (crashes in call_user_func_array()). (Dmitry)
 - Fixed bug #47856 (stristr() converts needle to lower-case). (Ilia)
 - Fixed bug #47851 (is_callable throws fatal error). (Dmitry)
 - Fixed bug #47819 (Getting pdo_mysql.so: undefined symbol: mysqlnd_debug_init
diff --git a/Zend/tests/bug47880.phpt b/Zend/tests/bug47880.phpt
new file mode 100644
index 0000000000..bf2022c809
--- /dev/null
+++ b/Zend/tests/bug47880.phpt
@@ -0,0 +1,15 @@
+--TEST--
+Bug #47880 (crashes in call_user_func_array())
+--FILE--
+<?php
+class bomb {
+ static function go($n) {
+ $backtrace = debug_backtrace(false);
+ $backtrace[1]['args'][1] = 'bomb';
+ }
+}
+call_user_func_array(array('bomb', 'go'), array(0));
+echo "ok\n";
+?>
+--EXPECT--
+ok
diff --git a/Zend/zend_API.c b/Zend/zend_API.c
index b0c460606c..0e186691d7 100644
--- a/Zend/zend_API.c
+++ b/Zend/zend_API.c
@@ -2856,9 +2856,6 @@ ZEND_API int zend_fcall_info_init(zval *callable, uint check_flags, zend_fcall_i
 ZEND_API void zend_fcall_info_args_clear(zend_fcall_info *fci, int free_mem) /* {{{ */
 {
 if (fci->params) {
- while (fci->param_count) {
- zval_ptr_dtor(fci->params[--fci->param_count]);
- }
 if (free_mem) {
 efree(fci->params);
 fci->params = NULL;
@@ -2906,7 +2903,6 @@ ZEND_API int zend_fcall_info_args(zend_fcall_info *fci, zval *args TSRMLS_DC) /*
 zend_hash_internal_pointer_reset_ex(Z_ARRVAL_P(args), &pos);
 while (zend_hash_get_current_data_ex(Z_ARRVAL_P(args), (void *) &arg, &pos) == SUCCESS) {
 *params++ = arg;
- Z_ADDREF_P(*arg);
 zend_hash_move_forward_ex(Z_ARRVAL_P(args), &pos);
 }
@@ -2929,7 +2925,6 @@ ZEND_API int zend_fcall_info_argp(zend_fcall_info *fci TSRMLS_DC, int argc, zval
 fci->params = (zval ***) erealloc(fci->params, fci->param_count * sizeof(zval **));
 for (i = 0; i < argc; ++i) {
- Z_ADDREF_P(*(argv[i]));
 fci->params[i] = argv[i];
 }
 }
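Review bot: The regression test in Zend/tests/bug47880.phpt only reaches the array path through `call_user_func_array()` and asserts nothing beyond printing `ok`, so the identical `Z_ADDREF_P` removals in `zend_fcall_info_argp()` and `zend_fcall_info_argv()` later in this commit are not exercised by it. With the release loop gone from `zend_fcall_info_args_clear()` as well, `fci->params` appears to hold borrowed pointers into the caller's argument storage, so the test should also pin that the caller's array is intact after the call. One way is to pass a variable, `$args = array(0); call_user_func_array(array('bomb', 'go'), $args);`, then add `var_dump($args);` with matching `--EXPECT--` lines. The removed loop was also what counted `fci->param_count` down to zero; the rest of `zend_fcall_info_args_clear()` is outside the hunk, so confirm it still resets the count when `free_mem` is 0.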
@@ -2955,7 +2950,6 @@ ZEND_API int zend_fcall_info_argv(zend_fcall_info *fci TSRMLS_DC, int argc, va_l
 for (i = 0; i < argc; ++i) {
 arg = va_arg(*argv, zval **);
- Z_ADDREF_P(*arg);
 fci->params[i] = arg;
 }
 } |