authorXinchen Hui <laruence@gmail.com>2016-05-05 15:18:24 +0800
committerXinchen Hui <laruence@gmail.com>2016-05-05 15:18:24 +0800
commit5eecd61b89f3c573e29317b1939b98dfc80ec574 (patch)
treed64b54e0940d9546c49f0d887546ace33ce36937 /ext
parent768bdc132a730b74e217cd8d45ba0d879efb02e1 (diff)
parentc15b6134f612948af39c9889b599a8c57e6bdad6 (diff)
downloadphp-git-5eecd61b89f3c573e29317b1939b98dfc80ec574.tar.gz
Merge branch 'PHP-7.0'
* PHP-7.0: Fixed bug #72154 (pcntl_wait/pcntl_waitpid array internal structure overwrite)
Diffstat (limited to 'ext')
-rw-r--r--ext/pcntl/pcntl.c21
-rw-r--r--ext/pcntl/tests/bug72154.phpt21
2 files changed, 32 insertions, 10 deletions
diff --git a/ext/pcntl/pcntl.c b/ext/pcntl/pcntl.c
index 230cdf443c..ef3c7fbe3d 100644
--- a/ext/pcntl/pcntl.c
+++ b/ext/pcntl/pcntl.c
@@ -624,12 +624,11 @@ PHP_FUNCTION(pcntl_waitpid)
struct rusage rusage;
#endif
- if (zend_parse_parameters(ZEND_NUM_ARGS(), "lz/|lz/", &pid, &z_status, &options, &z_rusage) == FAILURE)
+ if (zend_parse_parameters(ZEND_NUM_ARGS(), "lz/|lz/", &pid, &z_status, &options, &z_rusage) == FAILURE) {
return;
+ }
- convert_to_long_ex(z_status);
-
- status = Z_LVAL_P(z_status);
+ status = zval_get_long(z_status);
#ifdef HAVE_WAIT4
if (z_rusage) {
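Review bot: The new `status = zval_get_long(z_status);` has no comment saying why the caller's variable must no longer be converted in place, and the same line in the pcntl_wait hunk has the same gap. Judging by the regression test, z_status and z_rusage can refer to the same variable, so the read has to stay ahead of the `if (z_rusage)` block that follows and must not mutate the zval. A comment such as `/* read-only: z_status may alias z_rusage, which is re-initialised as an array below */` would keep a later refactor from reordering or reverting it. The body of pcntl_waitpid continues outside this hunk.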
@@ -659,7 +658,8 @@ PHP_FUNCTION(pcntl_waitpid)
}
#endif
- Z_LVAL_P(z_status) = status;
+ zval_dtor(z_status);
+ ZVAL_LONG(z_status, status);
RETURN_LONG((zend_long) child_id);
}
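Review bot: The write-back `zval_dtor(z_status); ZVAL_LONG(z_status, status);` appears to be safe only because the `z/` specifier in the parse string separates the argument first. As far as I can tell, zval_dtor releases the old value without consulting a shared refcount. That dependency is not stated here or in the matching pcntl_wait hunk, so dropping the `/` later would bring back a memory-safety problem. Either use the refcount-aware `zval_ptr_dtor(z_status);` or add `/* z_status was separated by "z/"; it may hold the rusage array if both args alias */` above the pair. When the two arguments alias, the rusage array is discarded in favour of the status integer, which deserves a line in the function's documentation.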
@@ -677,12 +677,11 @@ PHP_FUNCTION(pcntl_wait)
struct rusage rusage;
#endif
- if (zend_parse_parameters(ZEND_NUM_ARGS(), "z/|lz/", &z_status, &options, &z_rusage) == FAILURE)
+ if (zend_parse_parameters(ZEND_NUM_ARGS(), "z/|lz/", &z_status, &options, &z_rusage) == FAILURE) {
return;
+ }
- convert_to_long_ex(z_status);
-
- status = Z_LVAL_P(z_status);
+ status = zval_get_long(z_status);
#ifdef HAVE_WAIT3
if (z_rusage) {
if (Z_TYPE_P(z_rusage) != IS_ARRAY) {
@@ -711,7 +710,9 @@ PHP_FUNCTION(pcntl_wait)
PHP_RUSAGE_TO_ARRAY(rusage, z_rusage);
}
#endif
- Z_LVAL_P(z_status) = status;
+
+ zval_dtor(z_status);
+ ZVAL_LONG(z_status, status);
RETURN_LONG((zend_long) child_id);
}
diff --git a/ext/pcntl/tests/bug72154.phpt b/ext/pcntl/tests/bug72154.phpt
new file mode 100644
index 0000000000..6bbbd4c5f0
--- /dev/null
+++ b/ext/pcntl/tests/bug72154.phpt
@@ -0,0 +1,21 @@
+--TEST--
+Bug #72154 (pcntl_wait/pcntl_waitpid array internal structure overwrite)
+--SKIPIF--
+<?php if (!extension_loaded("pcntl")) print "skip"; ?>
+--FILE--
+<?php
+$b = 666;
+var_dump($b);
+$c = &$b;
+$var5 = pcntl_wait($b,0,$c);
+unset($b);
+
+$b = 666;
+var_dump($b);
+$c = &$b;
+$var5 = pcntl_waitpid(0,$b,0,$c);
+unset($b);
+?>
+--EXPECT--
+int(666)
+int(666)
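Review bot: The EXPECT section covers only the two `var_dump($b);` calls made before pcntl_wait and pcntl_waitpid, so nothing after the aliased call is asserted. The test therefore passes whenever the process merely fails to crash, and heap corruption of this kind does not crash deterministically. Adding `var_dump(is_int($b));` after each call, with `bool(true)` in EXPECT, would pin the type of the status variable after the write-back. The exact post-call value should be confirmed on a run before asserting it directly.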