From 3d8dc4d3b1457780f01f6f8feaf2d8064e2eda4d Mon Sep 17 00:00:00 2001
From: Antony Dovgal <tony2001@php.net>
Date: Tue, 4 Oct 2005 11:18:02 +0000
Subject: fix #32179 (xmlrpc_encode() segfaults with recursive references)

---
 ext/xmlrpc/xmlrpc-epi-php.c | 43 ++++++++++++++++++++++++++++---------------
 1 file changed, 28 insertions(+), 15 deletions(-)

(limited to 'ext/xmlrpc/xmlrpc-epi-php.c')

diff --git a/ext/xmlrpc/xmlrpc-epi-php.c b/ext/xmlrpc/xmlrpc-epi-php.c
index dd3d9bef1c..39cb06e060 100644
--- a/ext/xmlrpc/xmlrpc-epi-php.c
+++ b/ext/xmlrpc/xmlrpc-epi-php.c
@@ -520,28 +520,41 @@ static XMLRPC_VALUE PHP_to_XMLRPC_worker (const char* key, zval* in_val, int dep
                   unsigned long num_index;
                   zval** pIter;
                   char* my_key;
+                  HashTable *ht = NULL;
 
+                  ht = HASH_OF(val);
+                  if (ht && ht->nApplyCount > 1) {
+                      php_error_docref(NULL TSRMLS_CC, E_ERROR, "XML-RPC doesn't support circular references");
+                      return NULL;
+                  }
+                  
                   convert_to_array(val);
-
                   xReturn = XMLRPC_CreateVector(key, determine_vector_type(Z_ARRVAL_P(val)));
 
                   zend_hash_internal_pointer_reset(Z_ARRVAL_P(val));
-                  while(1) {
+                  while(zend_hash_get_current_data(Z_ARRVAL_P(val), (void**)&pIter) == SUCCESS) {
                      int res = my_zend_hash_get_current_key(Z_ARRVAL_P(val), &my_key, &num_index);
-                     if(res == HASH_KEY_IS_LONG) {
-                        if(zend_hash_get_current_data(Z_ARRVAL_P(val), (void**)&pIter) == SUCCESS) {
-                           XMLRPC_AddValueToVector(xReturn, PHP_to_XMLRPC_worker(0, *pIter, depth++));
-                        }
-                     }
-                     else if(res == HASH_KEY_NON_EXISTANT) {
-                        break;
+                    
+                     switch (res) {
+                         case HASH_KEY_NON_EXISTANT:
+                             break;
+                         case HASH_KEY_IS_STRING:
+                         case HASH_KEY_IS_LONG:
+                              ht = HASH_OF(*pIter);
+                             if (ht) {
+                                 ht->nApplyCount++;
+                             }
+                             if (res == HASH_KEY_IS_LONG) {
+                                 XMLRPC_AddValueToVector(xReturn, PHP_to_XMLRPC_worker(0, *pIter, depth++));
+                             }
+                             else {
+                                 XMLRPC_AddValueToVector(xReturn, PHP_to_XMLRPC_worker(my_key, *pIter, depth++));
+                             }
+                             if (ht) {
+                                 ht->nApplyCount--;
+                             }
+                             break;
                      }
-                     else if(res == HASH_KEY_IS_STRING) {
-                        if(zend_hash_get_current_data(Z_ARRVAL_P(val), (void**)&pIter) == SUCCESS) {
-                           XMLRPC_AddValueToVector(xReturn, PHP_to_XMLRPC_worker(my_key, *pIter, depth++));
-                        }
-                     }
-
                      zend_hash_move_forward(Z_ARRVAL_P(val));
                   }
                }
-- 
cgit v1.2.1