Fixed #70157 parse_ini_string() segmentation fault with INI_SCANNER_TYPED

3 files changed, 52 insertions, 7 deletions

diff --git a/Zend/zend_ini_parser.y b/Zend/zend_ini_parser.y
index 952ef9c506..22b92db033 100644
--- a/Zend/zend_ini_parser.y
+++ b/Zend/zend_ini_parser.y
@@ -108,7 +108,18 @@ static void zend_ini_init_string(zval *result)
 */
 static void zend_ini_add_string(zval *result, zval *op1, zval *op2)
 {
-	int length = Z_STRLEN_P(op1) + Z_STRLEN_P(op2);
+	int length;
+
+	if (Z_TYPE_P(op1) != IS_STRING) {
+		zval copy;
+		MAKE_COPY_ZVAL(&op1, &copy);
+		convert_to_string(&copy);
+		Z_STRVAL_P(op1) = zend_strndup(Z_STRVAL(copy), Z_STRLEN(copy));
+		Z_STRLEN_P(op1) = Z_STRLEN(copy);
+		zval_dtor(&copy);
+	}
+
+	length = Z_STRLEN_P(op1) + Z_STRLEN_P(op2);
 
 	Z_STRVAL_P(result) = (char *) realloc(Z_STRVAL_P(op1), length+1);
 	memcpy(Z_STRVAL_P(result)+Z_STRLEN_P(op1), Z_STRVAL_P(op2), Z_STRLEN_P(op2));
@@ -213,7 +224,7 @@ ZEND_API int zend_parse_ini_file(zend_file_handle *fh, zend_bool unbuffered_erro
 	zend_file_handle_dtor(fh TSRMLS_CC);
 
 	shutdown_ini_scanner(TSRMLS_C);
-	
+
 	if (retval == 0) {
 		return SUCCESS;
 	} else {
@@ -303,7 +314,11 @@ statement:
 #endif
 			ZEND_INI_PARSER_CB(&$1, &$5, &$2, ZEND_INI_PARSER_POP_ENTRY, ZEND_INI_PARSER_ARG TSRMLS_CC);
 			free(Z_STRVAL($1));
-			free(Z_STRVAL($2));
+			if (Z_TYPE($2) == IS_STRING) {
+				free(Z_STRVAL($2));
+			} else {
+				zval_dtor(&$2);
+			}
 			zval_internal_dtor(&$5);
 		}
 	|	TC_LABEL	{ ZEND_INI_PARSER_CB(&$1, NULL, NULL, ZEND_INI_PARSER_ENTRY, ZEND_INI_PARSER_ARG TSRMLS_CC); free(Z_STRVAL($1)); }
diff --git a/ext/standard/basic_functions.c b/ext/standard/basic_functions.c
index 07348a23f7..1abe3e60ab 100644
--- a/ext/standard/basic_functions.c
+++ b/ext/standard/basic_functions.c
@@ -3515,7 +3515,7 @@ PHPAPI double php_get_inf(void) /* {{{ */
 
 #define BASIC_ADD_SUBMODULE(module) \
 	zend_hash_add_empty_element(&basic_submodules, #module, strlen(#module));
-	
+
 #define BASIC_RINIT_SUBMODULE(module) \
 	if (zend_hash_exists(&basic_submodules, #module, strlen(#module))) { \
 		PHP_RINIT(module)(INIT_FUNC_ARGS_PASSTHRU); \
@@ -5903,10 +5903,11 @@ static void php_simple_ini_parser_cb(zval *arg1, zval *arg2, zval *arg3, int cal
 			ALLOC_ZVAL(element);
 			MAKE_COPY_ZVAL(&arg2, element);
 
-			if (arg3 && Z_STRLEN_P(arg3) > 0) {
-				add_assoc_zval_ex(hash, Z_STRVAL_P(arg3), Z_STRLEN_P(arg3) + 1, element);
-			} else {
+			if (!arg3 || (Z_TYPE_P(arg3) == IS_STRING && Z_STRLEN_P(arg3) == 0)) {
 				add_next_index_zval(hash, element);
+			} else {
+				array_set_zval_key(Z_ARRVAL_P(hash), arg3, element);
+				zval_ptr_dtor(&element);
 			}
 		}
 		break;
diff --git a/ext/standard/tests/general_functions/bug70157.phpt b/ext/standard/tests/general_functions/bug70157.phpt
new file mode 100644
index 0000000000..f593682051
--- /dev/null
+++ b/ext/standard/tests/general_functions/bug70157.phpt
@@ -0,0 +1,29 @@
+--TEST--
+parse_ini_string() crashes on values starting with number or unquoted strings
+--FILE--
+<?php
+
+$contents = <<<EOS
+[agatha.christie]
+title = 10 little indians
+foo[123] = E_ALL & ~E_DEPRECATED
+foo[456] = 123
+EOS;
+
+var_dump(parse_ini_string($contents, false, INI_SCANNER_TYPED));
+
+?>
+Done
+--EXPECTF--
+array(%d) {
+  ["title"]=>
+  string(%d) "10 little indians"
+  ["foo"]=>
+  array(%d) {
+    [123]=>
+    string(%d) "24575"
+    [456]=>
+    int(123)
+  }
+}
+Done