From da786a22af1632272d08a98352da9bbaecbe438a Mon Sep 17 00:00:00 2001 From: Nikita Popov Date: Wed, 5 Aug 2020 15:41:42 +0200 Subject: Fixed bug #79930 We're inserting src_zval, so that's what we should addref. --- NEWS | 4 ++++ ext/standard/array.c | 2 +- ext/standard/tests/array/bug79930.phpt | 33 +++++++++++++++++++++++++++++++++ 3 files changed, 38 insertions(+), 1 deletion(-) create mode 100644 ext/standard/tests/array/bug79930.phpt diff --git a/NEWS b/NEWS index cdeb8506ba..172a781622 100644 --- a/NEWS +++ b/NEWS @@ -17,6 +17,10 @@ PHP NEWS . Fixed bug #73060 (php failed with error after temp folder cleaned up). (cmb) +- Standard: + . Fixed bug #79930 (array_merge_recursive() crashes when called with array + with single reference). (Nikita) + 06 Aug 2020, PHP 7.3.21 - Apache: diff --git a/ext/standard/array.c b/ext/standard/array.c index 300f714932..09c3a9f256 100644 --- a/ext/standard/array.c +++ b/ext/standard/array.c @@ -3615,7 +3615,7 @@ PHPAPI int php_array_merge_recursive(HashTable *dest, HashTable *src) /* {{{ */ return 0; } } else { - Z_TRY_ADDREF_P(src_entry); + Z_TRY_ADDREF_P(src_zval); zend_hash_next_index_insert(Z_ARRVAL_P(dest_zval), src_zval); } zval_ptr_dtor(&tmp); diff --git a/ext/standard/tests/array/bug79930.phpt b/ext/standard/tests/array/bug79930.phpt new file mode 100644 index 0000000000..bb4e1dd86d --- /dev/null +++ b/ext/standard/tests/array/bug79930.phpt @@ -0,0 +1,33 @@ +--TEST-- +Bug #79930: array_merge_recursive() crashes when called with array with single reference +--FILE-- + $a . 'b', +]; + +// Create rc=1 reference. +array_walk($array, function () {}); + +$m = array_merge_recursive(['value' => 'a'], $array); + +var_dump($a, $array, $m); + +?> +--EXPECT-- +string(1) "a" +array(1) { + ["value"]=> + string(2) "ab" +} +array(1) { + ["value"]=> + array(2) { + [0]=> + string(1) "a" + [1]=> + string(2) "ab" + } +} -- cgit v1.2.1