From bfe7a1168aeb0b648556dc1e2fc26196412381ab Mon Sep 17 00:00:00 2001 From: Nikita Popov Date: Thu, 22 Oct 2020 15:19:47 +0200 Subject: Properly validate ArrayObject::asort() argument --- ext/spl/spl_array.c | 23 +++++++++++------------ ext/spl/tests/arrayObject_asort_basic1.phpt | 2 +- ext/spl/tests/arrayObject_ksort_basic1.phpt | 2 +- 3 files changed, 13 insertions(+), 14 deletions(-) (limited to 'ext/spl') diff --git a/ext/spl/spl_array.c b/ext/spl/spl_array.c index 75668e2f0f..3942366fa0 100644 --- a/ext/spl/spl_array.c +++ b/ext/spl/spl_array.c @@ -55,8 +55,8 @@ PHPAPI zend_class_entry *spl_ce_RecursiveArrayIterator; #define SPL_ARRAY_CLONE_MASK 0x0100FFFF #define SPL_ARRAY_METHOD_NO_ARG 0 -#define SPL_ARRAY_METHOD_USE_ARG 1 -#define SPL_ARRAY_METHOD_MAY_USER_ARG 2 +#define SPL_ARRAY_METHOD_CALLBACK_ARG 1 +#define SPL_ARRAY_METHOD_SORT_FLAGS_ARG 2 typedef struct _spl_array_object { zval array; @@ -1429,15 +1429,14 @@ static void spl_array_method(INTERNAL_FUNCTION_PARAMETERS, char *fname, int fnam intern->nApplyCount++; call_user_function(EG(function_table), NULL, &function_name, return_value, 1, params); intern->nApplyCount--; - } else if (use_arg == SPL_ARRAY_METHOD_MAY_USER_ARG) { - if (zend_parse_parameters(ZEND_NUM_ARGS(), "|z", &arg) == FAILURE) { + } else if (use_arg == SPL_ARRAY_METHOD_SORT_FLAGS_ARG) { + zend_long sort_flags = 0; + if (zend_parse_parameters(ZEND_NUM_ARGS(), "|l", &sort_flags) == FAILURE) { goto exit; } - if (arg) { - ZVAL_COPY_VALUE(¶ms[1], arg); - } + ZVAL_LONG(¶ms[1], sort_flags); intern->nApplyCount++; - call_user_function(EG(function_table), NULL, &function_name, return_value, arg ? 2 : 1, params); + call_user_function(EG(function_table), NULL, &function_name, return_value, 2, params); intern->nApplyCount--; } else { if (zend_parse_parameters(ZEND_NUM_ARGS(), "z", &arg) == FAILURE) { @@ -1468,16 +1467,16 @@ PHP_METHOD(cname, fname) \ } /* {{{ Sort the entries by values. */ -SPL_ARRAY_METHOD(ArrayObject, asort, SPL_ARRAY_METHOD_MAY_USER_ARG) /* }}} */ +SPL_ARRAY_METHOD(ArrayObject, asort, SPL_ARRAY_METHOD_SORT_FLAGS_ARG) /* }}} */ /* {{{ Sort the entries by key. */ -SPL_ARRAY_METHOD(ArrayObject, ksort, SPL_ARRAY_METHOD_MAY_USER_ARG) /* }}} */ +SPL_ARRAY_METHOD(ArrayObject, ksort, SPL_ARRAY_METHOD_SORT_FLAGS_ARG) /* }}} */ /* {{{ Sort the entries by values user defined function. */ -SPL_ARRAY_METHOD(ArrayObject, uasort, SPL_ARRAY_METHOD_USE_ARG) /* }}} */ +SPL_ARRAY_METHOD(ArrayObject, uasort, SPL_ARRAY_METHOD_CALLBACK_ARG) /* }}} */ /* {{{ Sort the entries by key using user defined function. */ -SPL_ARRAY_METHOD(ArrayObject, uksort, SPL_ARRAY_METHOD_USE_ARG) /* }}} */ +SPL_ARRAY_METHOD(ArrayObject, uksort, SPL_ARRAY_METHOD_CALLBACK_ARG) /* }}} */ /* {{{ Sort the entries by values using "natural order" algorithm. */ SPL_ARRAY_METHOD(ArrayObject, natsort, SPL_ARRAY_METHOD_NO_ARG) /* }}} */ diff --git a/ext/spl/tests/arrayObject_asort_basic1.phpt b/ext/spl/tests/arrayObject_asort_basic1.phpt index 555b215cce..efce55d4d5 100644 --- a/ext/spl/tests/arrayObject_asort_basic1.phpt +++ b/ext/spl/tests/arrayObject_asort_basic1.phpt @@ -36,7 +36,7 @@ object(ArrayObject)#%d (1) { int(4) } } -asort(): Argument #2 ($flags) must be of type int, string given +ArrayObject::asort(): Argument #1 ($flags) must be of type int, string given object(ArrayObject)#%d (1) { ["storage":"ArrayObject":private]=> array(3) { diff --git a/ext/spl/tests/arrayObject_ksort_basic1.phpt b/ext/spl/tests/arrayObject_ksort_basic1.phpt index d853e3c017..27605461cb 100644 --- a/ext/spl/tests/arrayObject_ksort_basic1.phpt +++ b/ext/spl/tests/arrayObject_ksort_basic1.phpt @@ -35,7 +35,7 @@ object(ArrayObject)#%d (1) { int(3) } } -ksort(): Argument #2 ($flags) must be of type int, string given +ArrayObject::ksort(): Argument #1 ($flags) must be of type int, string given object(ArrayObject)#2 (1) { ["storage":"ArrayObject":private]=> array(4) { -- cgit v1.2.1