MFH: fix bug #38217 (ReflectionClass::newInstanceArgs() tries to allocate too much memory)

2024-11-24 10:24:11 +08:00 · 2006-07-26 08:03:48 +00:00 · 2006-07-26 08:03:48 +00:00 · 65626296da
commit 65626296da
parent 7987bba743
3 changed files with 59 additions and 9 deletions
--- a/2
+++ b/2
@ -9,6 +9,8 @@ PHP                                                                        NEWS
  . ext/filepro (Derick, Tony)
  . ext/hwapi (Derick, Tony)

+- Fixed bug #38217 (ReflectionClass::newInstanceArgs() tries to allocate too 
+  much memory). (Tony)
 - Fixed bug #38194 (ReflectionClass::isSubclassOf() returns TRUE for the class
  itself). (Ilia)
 - Fixed bug #38132 (ReflectionClass::getStaticProperties() retains \0 in key
--- a/ext/reflection/php_reflection.c
+++ b/ext/reflection/php_reflection.c
@ -3394,7 +3394,7 @@ ZEND_METHOD(reflection_class, newInstanceArgs)
 	zval *retval_ptr;
 	reflection_object *intern;
 	zend_class_entry *ce;
-	int argc;
+	int argc = 0;
 	HashTable *args;
 	
 	
@ -3404,11 +3404,13 @@ ZEND_METHOD(reflection_class, newInstanceArgs)
 	if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "|h", &args) == FAILURE) {
 		return;
 	}
-	argc = args->nNumOfElements;
+	if (ZEND_NUM_ARGS() > 0) {
+		argc = args->nNumOfElements;
+	}
 	
 	/* Run the constructor if there is one */
 	if (ce->constructor) {
-		zval ***params;
+		zval ***params = NULL;
 		zend_fcall_info fci;
 		zend_fcall_info_cache fcc;

@ -3416,10 +3418,12 @@ ZEND_METHOD(reflection_class, newInstanceArgs)
 			zend_throw_exception_ex(reflection_exception_ptr, 0 TSRMLS_CC, "Access to non-public constructor of class %s", ce->name);
 			return;
 		}
-
-		params = safe_emalloc(sizeof(zval **), argc, 0);
-		zend_hash_apply_with_argument(args, (apply_func_arg_t)_zval_array_to_c_array, &params TSRMLS_CC);	
-		params -= argc;
+		
+		if (argc) {
+			params = safe_emalloc(sizeof(zval **), argc, 0);
+			zend_hash_apply_with_argument(args, (apply_func_arg_t)_zval_array_to_c_array, &params TSRMLS_CC);	
+			params -= argc;
+		}

 		object_init_ex(return_value, ce);

@ -3439,7 +3443,9 @@ ZEND_METHOD(reflection_class, newInstanceArgs)
 		fcc.object_pp = &return_value;

 		if (zend_call_function(&fci, &fcc TSRMLS_CC) == FAILURE) {
-			efree(params);
+			if (params) {
+				efree(params);
+			}
 			zval_ptr_dtor(&retval_ptr);
 			zend_error(E_WARNING, "Invocation of %s's constructor failed", ce->name);
 			RETURN_NULL();
@ -3447,7 +3453,9 @@ ZEND_METHOD(reflection_class, newInstanceArgs)
 		if (retval_ptr) {
 			zval_ptr_dtor(&retval_ptr);
 		}
-		efree(params);
+		if (params) {
+			efree(params);
+		}
 	} else if (!ZEND_NUM_ARGS()) {
 		object_init_ex(return_value, ce);
 	} else {
--- a/ext/reflection/tests/bug38217.phpt
+++ b/ext/reflection/tests/bug38217.phpt
@ -0,0 +1,40 @@
+--TEST--
+#38217 (ReflectionClass::newInstanceArgs() tries to allocate too much memory)
+--FILE--
+<?php
+
+class Object {
+	public function __construct() {
+	}
+}
+
+$class= new ReflectionClass('Object');
+var_dump($class->newInstanceArgs());
+
+class Object1 {
+	public function __construct($var) {
+		var_dump($var);
+	}
+}
+
+$class= new ReflectionClass('Object1');
+var_dump($class->newInstanceArgs());
+var_dump($class->newInstanceArgs(array('test')));
+
+
+echo "Done\n";
+?>
+--EXPECTF--	
+object(Object)#%d (0) {
+}
+
+Warning: Missing argument 1 for Object1::__construct() in %s on line %d
+
+Notice: Undefined variable: var in %s on line %d
+NULL
+object(Object1)#%d (0) {
+}
+string(4) "test"
+object(Object1)#%d (0) {
+}
+Done