diff options
author | Stanislav Malyshev <stas@php.net> | 2009-11-29 08:35:01 +0000 |
---|---|---|
committer | Stanislav Malyshev <stas@php.net> | 2009-11-29 08:35:01 +0000 |
commit | 8b64f74baadd3f187e6c0fa0b1c57423da545a61 (patch) | |
tree | 28a964ab56202ac3e145ceb31d308b608948a972 /ext/standard | |
parent | 937358ebc7a6e0eaaf2bc252015b3c1544eb48e6 (diff) | |
download | php-git-8b64f74baadd3f187e6c0fa0b1c57423da545a61.tar.gz |
proper fix for bug #50006
add modify protection to all user array sorts
Diffstat (limited to 'ext/standard')
-rw-r--r-- | ext/standard/array.c | 25 | ||||
-rw-r--r-- | ext/standard/tests/array/bug50006_1.phpt | 29 | ||||
-rw-r--r-- | ext/standard/tests/array/bug50006_2.phpt | 29 |
3 files changed, 80 insertions, 3 deletions
diff --git a/ext/standard/array.c b/ext/standard/array.c index ab02c6f430..d334785135 100644 --- a/ext/standard/array.c +++ b/ext/standard/array.c @@ -768,6 +768,7 @@ static int php_array_user_key_compare(const void *a, const void *b TSRMLS_DC) /* PHP_FUNCTION(uksort) { zval *array; + int refcount; PHP_ARRAY_CMP_FUNC_VARS; PHP_ARRAY_CMP_FUNC_BACKUP(); @@ -777,13 +778,31 @@ PHP_FUNCTION(uksort) return; } + /* Clear the is_ref flag, so the attemts to modify the array in user + * comaprison function will create a copy of array and won't affect the + * original array. The fact of modification is detected using refcount + * comparison. The result of sorting in such case is undefined and the + * function returns FALSE. + */ + Z_UNSET_ISREF_P(array); + refcount = Z_REFCOUNT_P(array); + if (zend_hash_sort(Z_ARRVAL_P(array), zend_qsort, php_array_user_key_compare, 0 TSRMLS_CC) == FAILURE) { - PHP_ARRAY_CMP_FUNC_RESTORE(); - RETURN_FALSE; + RETVAL_FALSE; + } else { + if (refcount > Z_REFCOUNT_P(array)) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Array was modified by the user comparison function"); + RETVAL_FALSE; + } else { + RETVAL_TRUE; + } + } + + if (Z_REFCOUNT_P(array) > 1) { + Z_SET_ISREF_P(array); } PHP_ARRAY_CMP_FUNC_RESTORE(); - RETURN_TRUE; } /* }}} */ diff --git a/ext/standard/tests/array/bug50006_1.phpt b/ext/standard/tests/array/bug50006_1.phpt new file mode 100644 index 0000000000..fbb7ddd594 --- /dev/null +++ b/ext/standard/tests/array/bug50006_1.phpt @@ -0,0 +1,29 @@ +--TEST-- +Bug #50006 (Segfault caused by uksort()) - usort variant +--FILE-- +<?php + +$data = array( + 'bar-bazbazbaz.', + 'bar-bazbazbaz-', + 'foo' +); +usort($data, 'magic_sort_cmp'); +print_r($data); + +function magic_sort_cmp($a, $b) { + $a = substr($a, 1); + $b = substr($b, 1); + if (!$a) return $b ? -1 : 0; + if (!$b) return 1; + return magic_sort_cmp($a, $b); +} + +?> +--EXPECTF-- +Array +( + [0] => foo + [1] => bar-bazbazbaz- + [2] => bar-bazbazbaz. +) diff --git a/ext/standard/tests/array/bug50006_2.phpt b/ext/standard/tests/array/bug50006_2.phpt new file mode 100644 index 0000000000..19c0d14252 --- /dev/null +++ b/ext/standard/tests/array/bug50006_2.phpt @@ -0,0 +1,29 @@ +--TEST-- +Bug #50006 (Segfault caused by uksort()) - uasort variant +--FILE-- +<?php + +$data = array( + 'bar-bazbazbaz.', + 'bar-bazbazbaz-', + 'foo' +); +uasort($data, 'magic_sort_cmp'); +print_r($data); + +function magic_sort_cmp($a, $b) { + $a = substr($a, 1); + $b = substr($b, 1); + if (!$a) return $b ? -1 : 0; + if (!$b) return 1; + return magic_sort_cmp($a, $b); +} + +?> +--EXPECTF-- +Array +( + [2] => foo + [1] => bar-bazbazbaz- + [0] => bar-bazbazbaz. +) |