authorIlia Alshanetsky <iliaa@php.net>2009-03-01 17:35:25 +0000
committerIlia Alshanetsky <iliaa@php.net>2009-03-01 17:35:25 +0000
commitae31c3c66ad376473ca2aa9fb5a01af723106d0b (patch)
treeb9c5986859f8514fb28740cc6726a6cb2a7b4f62 /ext/zip/php_zip.c
parent2b2874eafd740c2e6b09d7a442b69faecd3763b6 (diff)
MFB: Fixed 2 memory corruptions in zip extension identified by
oo_properties.phpt test
Diffstat (limited to 'ext/zip/php_zip.c')
-rw-r--r--ext/zip/php_zip.c9
1 files changed, 6 insertions, 3 deletions
diff --git a/ext/zip/php_zip.c b/ext/zip/php_zip.c
index 5dfa542754..632d0afe9a 100644
--- a/ext/zip/php_zip.c
+++ b/ext/zip/php_zip.c
@@ -806,6 +806,7 @@ static int php_zip_property_reader(ze_zip_object *obj, zip_prop_handler *hnd, zv
} else {
if (hnd->read_const_char_from_obj_func) {
retchar = hnd->read_const_char_from_obj_func(obj TSRMLS_CC);
+ len = strlen(retchar);
}
}
}
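Review bot: The added `len = strlen(retchar);` dereferences the callback's return value without a NULL check, although the `IS_STRING` case further down still tests `if (retchar)`, which suggests NULL is an expected result. If `read_const_char_from_obj_func` can return NULL, this turns an empty-string result into a crash; `len = retchar ? strlen(retchar) : 0;` keeps the later NULL branch reachable. strlen() also assumes the callback hands back NUL-terminated text, which deserves a one-line comment at the call. The body of php_zip_property_reader starts and ends outside the hunk.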
@@ -818,7 +819,7 @@ static int php_zip_property_reader(ze_zip_object *obj, zip_prop_handler *hnd, zv
switch (hnd->type) {
case IS_STRING:
if (retchar) {
- ZVAL_STRING(*retval, (char *) retchar, 1);
+ ZVAL_STRINGL(*retval, (char *) retchar, len, 1);
} else {
ZVAL_EMPTY_STRING(*retval);
}
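Review bot: `ZVAL_STRINGL` copies exactly `len` bytes, so from this line on `len` must be valid on every path that leaves `retchar` non-NULL, and the only assignment visible in this diff is the strlen() added in the previous hunk. The declaration of `len` and the other reader branch are outside the hunk, so please confirm both against the full function. Declaring it with an initializer, e.g. `int len = 0;`, would keep a missed path from copying an indeterminate number of bytes.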
@@ -941,10 +942,11 @@ static int php_zip_has_property(zval *object, zval *member, int type TSRMLS_DC)
if (ret == SUCCESS) {
zval *tmp;
+ ALLOC_INIT_ZVAL(tmp);
if (type == 2) {
retval = 1;
- } else if (php_zip_property_reader(obj, hnd, &tmp, 1 TSRMLS_CC) == SUCCESS) {
+ } else if (php_zip_property_reader(obj, hnd, &tmp, 0 TSRMLS_CC) == SUCCESS) {
Z_SET_REFCOUNT_P(tmp, 1);
Z_UNSET_ISREF_P(tmp);
if (type == 1) {
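Review bot: `ALLOC_INIT_ZVAL(tmp)` now runs before the `type == 2` test, so that path allocates a zval only for the relocated `zval_ptr_dtor(&tmp)` in the following hunk (-952) to free it again. Moving the allocation and the destructor together into the `else if` path would avoid the wasted work and keep ownership of `tmp` in one place. If the current shape stays, a comment above the allocation such as `/* tmp is allocated here and released on every path; the reader is called with flag 0 so it fills tmp rather than replacing it */` would record why the last argument changed from 1 to 0. The flag's meaning is inferred, because the reader's signature is cut off in the hunk header. `Z_SET_REFCOUNT_P(tmp, 1)` and `Z_UNSET_ISREF_P(tmp)` also look redundant on a freshly initialised zval unless the reader modifies those fields.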
@@ -952,8 +954,9 @@ static int php_zip_has_property(zval *object, zval *member, int type TSRMLS_DC)
} else if (type == 0) {
retval = (Z_TYPE_P(tmp) != IS_NULL);
}
- zval_ptr_dtor(&tmp);
}
+
+ zval_ptr_dtor(&tmp);
} else {
std_hnd = zend_get_std_object_handlers();
retval = std_hnd->has_property(object, member, type TSRMLS_CC);