author | Nikita Popov <nikic@php.net> | 2016-02-24 17:39:16 +0100 |
---|---|---|
committer | Nikita Popov <nikic@php.net> | 2016-02-24 17:39:16 +0100 |
commit | eb885e9d6ebc6670d1ccc6d5c0fa26e411ffb0fb (patch) | |
tree | 4c6cdd5ea6423b5cbdec9d439197e21a2f9fa64e | |
parent | ea02f5765608c13cb92b5b7879878b981c99b33e (diff) | |
Fix leak on assignment to illegal AO offset
-rw-r--r-- | ext/spl/spl_array.c | 12 | ||||
-rw-r--r-- | ext/spl/tests/ArrayObject_illegal_offset_leak.phpt | 11 |
2 files changed, 16 insertions, 7 deletions
diff --git a/ext/spl/spl_array.c b/ext/spl/spl_array.c
index 9ddd38bccf..0740c063e9 100644
--- a/ext/spl/spl_array.c
+++ b/ext/spl/spl_array.c
@@ -439,19 +439,16 @@ static void spl_array_write_dimension_ex(int check_inherited, zval *object, zval
 return;
 }
 
+ if (Z_REFCOUNTED_P(value)) {
+ Z_ADDREF_P(value);
+ }
+
 if (!offset) {
 ht = spl_array_get_hash_table(intern);
- if (Z_REFCOUNTED_P(value)) {
- Z_ADDREF_P(value);
- }
 zend_hash_next_index_insert(ht, value);
 return;
 }
 
- if (Z_REFCOUNTED_P(value)) {
- Z_ADDREF_P(value);
- }
-
 try_again:
 switch (Z_TYPE_P(offset)) {
 case IS_STRING:
@@ -485,6 +482,7 @@ num_index:
 goto try_again;
 default:
 zend_error(E_WARNING, "Illegal offset type");
+ zval_ptr_dtor(value);
 return;
 }
 } /* }}} */
diff --git a/ext/spl/tests/ArrayObject_illegal_offset_leak.phpt b/ext/spl/tests/ArrayObject_illegal_offset_leak.phpt
new file mode 100644
index 0000000000..42c649db9f
--- /dev/null
+++ b/ext/spl/tests/ArrayObject_illegal_offset_leak.phpt
@@ -0,0 +1,11 @@
+--TEST--
+Assignments to illegal ArrayObject offsets shouldn't leak
+--FILE--
+<?php
+
+$ao = new ArrayObject([1, 2, 3]);
+$ao[[]] = new stdClass;
+
+?>
+--EXPECTF--
+Warning: Illegal offset type in %s on line %d |
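Review bot: In the `if (!offset)` branch of spl_array_write_dimension_ex the result of `zend_hash_next_index_insert(ht, value)` is still discarded, so with the reference now taken unconditionally above it, a failed append would return without releasing that reference, which is the same kind of leak this commit fixes for illegal offsets. zend_hash_next_index_insert returns NULL when it cannot add the element, so the call could become `if (!zend_hash_next_index_insert(ht, value)) { zval_ptr_dtor(value); }` ahead of the `return;`. Whether that failure is reachable from this caller is not visible here. The function starts before and continues past this hunk, so any other exit that does not store `value` should be checked the same way.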
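Review bot: The `zval_ptr_dtor(value);` added in the `default:` case has no visible counterpart in its own hunk; it balances the `Z_ADDREF_P(value)` that the first hunk moves to the top of the function, roughly forty lines earlier. A short comment would keep that pairing from being lost in a later refactor, for example `/* nothing stored value: drop the reference taken before the switch */`. Refcount imbalance matters in both directions here (a missing release leaks, an extra one risks a premature free), so a single cleanup label for the non-storing exits would be sturdier than per-branch releases. The switch begins outside this hunk, so its other cases could not be checked.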
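Review bot: Nothing in ArrayObject_illegal_offset_leak.phpt asserts the absence of a leak directly; it appears to rely on the engine's leak report being appended to the output and breaking the `--EXPECTF--` match, which presumably only happens on debug builds. That dependency is worth stating in the test, for example with a comment `// the leak is only reported on debug builds` above the assignment, so that a pass on a release build is not read as coverage. The test also exercises only an array offset (`$ao[[]]`); other offset types that reach the same warning are not covered.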