Fixed bug #34277 (array_filter() crashes with references and objects)

2024-11-24 10:24:11 +08:00 · 2005-09-01 12:00:37 +00:00 · 2005-09-01 12:00:37 +00:00 · e615889d6b
commit e615889d6b
parent 5253ea11de
3 changed files with 109 additions and 5 deletions
--- a/2
+++ b/2
@ -25,6 +25,8 @@ PHP                                                                        NEWS
 - Fixed bug #34299 (ReflectionClass::isInstantiable() returns true for abstract
  classes). (Marcus)
 - Fixed bug #34284 (CLI phpinfo showing html on _SERVER["argv"]). (Jani)
+- Fixed bug #34277 (array_filter() crashes with references and objects).
+  (Dmitry)
 - Fixed bug #34276 (setAttributeNS doesn't work with default namespace). (Rob)
 - Fixed bug #34257 (lib64 not handled correctly in ming extension). (Marcus)
 - Fixed bug #34221 (Compiling xmlrpc as shared fails other parts). (Jani)
--- a/ext/standard/array.c
+++ b/ext/standard/array.c
@ -4117,6 +4117,7 @@ PHP_FUNCTION(array_reduce)
 PHP_FUNCTION(array_filter)
 {
 	zval **input, **callback = NULL;
+	zval *array;
 	zval **operand;
 	zval **args[1];
 	zval *retval = NULL;
@ -4136,6 +4137,7 @@ PHP_FUNCTION(array_filter)
 		php_error_docref(NULL TSRMLS_CC, E_WARNING, "The first argument should be an array");
 		return;
 	}
+	array = *input;

 	if (ZEND_NUM_ARGS() > 1) {
 		if (!zend_is_callable(*callback, 0, &callback_name)) {
@ -4147,13 +4149,13 @@ PHP_FUNCTION(array_filter)
 	}

 	array_init(return_value);
-	if (zend_hash_num_elements(Z_ARRVAL_PP(input)) == 0) {
+	if (zend_hash_num_elements(Z_ARRVAL_P(array)) == 0) {
 		return;
 	}

-	for (zend_hash_internal_pointer_reset_ex(Z_ARRVAL_PP(input), &pos);
-		 zend_hash_get_current_data_ex(Z_ARRVAL_PP(input), (void **)&operand, &pos) == SUCCESS;
-		 zend_hash_move_forward_ex(Z_ARRVAL_PP(input), &pos)) {
+	for (zend_hash_internal_pointer_reset_ex(Z_ARRVAL_P(array), &pos);
+		 zend_hash_get_current_data_ex(Z_ARRVAL_P(array), (void **)&operand, &pos) == SUCCESS;
+		 zend_hash_move_forward_ex(Z_ARRVAL_P(array), &pos)) {

 		if (callback) {
 			zend_fcall_info fci;
@ -4186,7 +4188,7 @@ PHP_FUNCTION(array_filter)
 		}

 		zval_add_ref(operand);
-		switch (zend_hash_get_current_key_ex(Z_ARRVAL_PP(input), &string_key, &string_key_len, &num_key, 0, &pos)) {
+		switch (zend_hash_get_current_key_ex(Z_ARRVAL_P(array), &string_key, &string_key_len, &num_key, 0, &pos)) {
 			case HASH_KEY_IS_STRING:
 				zend_hash_update(Z_ARRVAL_P(return_value), string_key, string_key_len, operand, sizeof(zval *), NULL);
 				break;
--- a/ext/standard/tests/array/bug34227.phpt
+++ b/ext/standard/tests/array/bug34227.phpt
@ -0,0 +1,100 @@
+--TEST--
+Bug #34277 (array_filter() crashes with references and objects)
+--FILE--
+<?php
+
+class C
+{
+  function m1()
+  {
+    $this->m2();
+  }
+
+  function m2()
+  {
+    $this->m3();
+  }
+
+  function m3()
+  {
+    $this->m4();
+  }
+
+  function m4()
+  {
+    $this->m5();
+  }
+
+  function m5()
+  {
+    $this->m6();
+  }
+
+  function m6()
+  {
+    $this->m7();
+  }
+
+  function m7()
+  {
+    $this->m8();
+  }
+
+  function m8()
+  {
+    $this->m9();
+  }
+
+  function m9()
+  {
+    $this->m10();
+  }
+
+  function m10()
+  {
+    $this->m11(1, 2, 3, 4, 5, 6, 7, 8, 9, 10);
+  }
+
+  function m11($a1, $a2, $a3, $a4, $a5, $a6, $a7, $a8, $a9, $a10)
+  {
+    $arr = explode('a', 'b');
+  }
+}
+
+function f($str)
+{
+  $obj =& new C;
+  $obj->m1();
+  return TRUE;
+}
+
+function p5($a1, $a2, $a3, $a4, $a5, $a6, $a7, $a8, $a9, $a10, $a11, $a12)
+{
+  $ret = array_filter(array(0), 'f');
+}
+
+function p4()
+{
+  p5(1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12);
+}
+
+function p3()
+{
+  p4();
+}
+
+function p2()
+{
+  p3();
+}
+
+function p1()
+{
+  p2();
+}
+
+p1();
+echo "ok\n";
+?>
+--EXPECT--
+ok