diff options
| author | Xinchen Hui <laruence@gmail.com> | 2015-12-07 10:58:26 +0800 |
|---|---|---|
| committer | Xinchen Hui <laruence@gmail.com> | 2015-12-07 10:58:26 +0800 |
| commit | e48988311d2e726eeeb25ebbbde42146c0f53b48 (patch) | |
| tree | 6374a561d353deecbb0e3236c3ad42136eb1559e | |
| parent | 03a43d50e1e18cc809034ce9d5de54bfc99f76f7 (diff) | |
| download | php-git-e48988311d2e726eeeb25ebbbde42146c0f53b48.tar.gz | |
Fixed bug #71020 (Use after free in Collator::sortWithSortKeys)
| -rw-r--r-- | NEWS | 4 | ||||
| -rw-r--r-- | ext/intl/collator/collator_sort.c | 4 | ||||
| -rw-r--r-- | ext/intl/tests/bug71020.phpt | 15 |
3 files changed, 22 insertions, 1 deletions
@@ -34,6 +34,10 @@ PHP NEWS - CLI server: . Fixed bug #71005 (Segfault in php_cli_server_dispatch_router()). (Adam) +- Intl: + . Fixed bug #71020 (Use after free in Collator::sortWithSortKeys). + (emmanuel dot law at gmail dot com, Laruence) + - Mysqlnd: . Fixed bug #68077 (LOAD DATA LOCAL INFILE / open_basedir restriction). (Laruence) diff --git a/ext/intl/collator/collator_sort.c b/ext/intl/collator/collator_sort.c index deb2f7b8d9..1ad42d3660 100644 --- a/ext/intl/collator/collator_sort.c +++ b/ext/intl/collator/collator_sort.c @@ -363,6 +363,7 @@ static void collator_sortkey_swap(collator_sort_key_index_t *p, collator_sort_ke PHP_FUNCTION( collator_sort_with_sort_keys ) { zval* array = NULL; + zval garbage; HashTable* hash = NULL; zval* hashData = NULL; /* currently processed item of input hash */ @@ -505,7 +506,7 @@ PHP_FUNCTION( collator_sort_with_sort_keys ) zend_sort( sortKeyIndxBuf, sortKeyCount, sortKeyIndxSize, collator_cmp_sort_keys, (swap_func_t)collator_sortkey_swap); - zval_ptr_dtor( array ); + ZVAL_COPY_VALUE(&garbage, array); /* for resulting hash we'll assign new hash keys rather then reordering */ array_init(array); @@ -518,6 +519,7 @@ PHP_FUNCTION( collator_sort_with_sort_keys ) if( utf16_buf ) efree( utf16_buf ); + zval_ptr_dtor(&garbage); efree( sortKeyIndxBuf ); efree( sortKeyBuf ); diff --git a/ext/intl/tests/bug71020.phpt b/ext/intl/tests/bug71020.phpt new file mode 100644 index 0000000000..368d967efd --- /dev/null +++ b/ext/intl/tests/bug71020.phpt @@ -0,0 +1,15 @@ +--TEST-- +Bug #71020 (Use after free in Collator::sortWithSortKeys) +--SKIPIF-- +<?php if( !extension_loaded( 'intl' ) ) print 'skip'; ?> +--FILE-- +<?php + +$var_3=new Collator("Whatever"); +for($x=0;$x<0xbb;$x++) + $myarray[substr(md5(microtime()),rand(0,26),9) . strval($x)]= substr(md5(microtime()),rand(0,26),9) . strval($x); +$var_3->sortWithSortKeys($myarray); +?> +okey +--EXPECT-- +okey |