- Fixed extract() to do not overwrite $GLOBALS and $this when using EXTR_OVERWRITE.

  patch by: jorto at redhat dot com

2 files changed, 26 insertions, 2 deletions

diff --git a/ext/standard/array.c b/ext/standard/array.c
index 06d296e9e9..03ecd5c3ca 100644
--- a/ext/standard/array.c
+++ b/ext/standard/array.c
@@ -1389,10 +1389,10 @@ PHP_FUNCTION(extract)
 
 			case EXTR_OVERWRITE:
 				/* GLOBALS protection */
-				if (var_exists && var_name_len == sizeof("GLOBALS") && !strcmp(var_name, "GLOBALS")) {
+				if (var_exists && var_name_len == sizeof("GLOBALS")-1 && !strcmp(var_name, "GLOBALS")) {
 					break;
 				}
-				if (var_exists && var_name_len == sizeof("this")  && !strcmp(var_name, "this") && EG(scope) && EG(scope)->name_length != 0) {
+				if (var_exists && var_name_len == sizeof("this")-1  && !strcmp(var_name, "this") && EG(scope) && EG(scope)->name_length != 0) {
 					break;
 				}
 				ZVAL_STRINGL(&final_name, var_name, var_name_len, 1);
diff --git a/ext/standard/tests/array/extract_safety.phpt b/ext/standard/tests/array/extract_safety.phpt
new file mode 100644
index 0000000000..d5d0763be0
--- /dev/null
+++ b/ext/standard/tests/array/extract_safety.phpt
@@ -0,0 +1,24 @@
+--TEST--
+Test extract() for overwrite of GLOBALS
+--FILE--
+<?php
+$str = "John";
+debug_zval_dump($GLOBALS["str"]);
+
+/* Extracting Global Variables */
+$splat = array("foo" => "bar");
+var_dump(extract(array("GLOBALS" => $splat, EXTR_OVERWRITE)));
+
+unset ($splat);
+
+debug_zval_dump($GLOBALS["str"]);
+
+echo "\nDone";
+?>
+
+--EXPECTF--
+string(4) "John" refcount(2)
+int(0)
+string(4) "John" refcount(2)
+
+Done
\ No newline at end of file