diff options
| author | Dmitry Stogov <dmitry@php.net> | 2009-01-20 11:22:45 +0000 |
|---|---|---|
| committer | Dmitry Stogov <dmitry@php.net> | 2009-01-20 11:22:45 +0000 |
| commit | d1958eeea8b3c45043d4e61bf5f7dceba28d4c73 (patch) | |
| tree | b4c6ffeef4d74e443155af738aefbeee0b6f1984 | |
| parent | e596baa520a5be321dccc13f912994dfe4b5577c (diff) | |
| download | php-git-d1958eeea8b3c45043d4e61bf5f7dceba28d4c73.tar.gz | |
Fixed bug #47165 (Possible memory corruption when passing return value by reference)
| -rw-r--r-- | NEWS | 2 | ||||
| -rw-r--r-- | Zend/tests/bug47165.phpt | 20 | ||||
| -rw-r--r-- | Zend/zend_compile.c | 13 | ||||
| -rw-r--r-- | ext/standard/tests/array/extract_variation9.phpt | 2 |
4 files changed, 35 insertions, 2 deletions
@@ -48,6 +48,8 @@ PHP NEWS - Fixed building of pdo_sqlite without sqlite3. (Scott) +- Fixed bug #47165 (Possible memory corruption when passing return value by + reference). (Dmitry) - Fixed bug #47145 + #47159 (Always free failed SQLite statements). (Scott) - Fixed bug #47141 (Unable to fetch error messages from SQLite when the database can't be opened). (Scott) diff --git a/Zend/tests/bug47165.phpt b/Zend/tests/bug47165.phpt new file mode 100644 index 0000000000..343c98c1ee --- /dev/null +++ b/Zend/tests/bug47165.phpt @@ -0,0 +1,20 @@ +--TEST-- +Bug #47165 (Possible memory corruption when passing return value by reference) +--FILE-- +<?php +class Foo { + var $bar = array(); + + static function bar() { + static $instance = null; + $instance = new Foo(); + return $instance->bar; + } +} +extract(Foo::bar()); +echo "ok\n"; +?> +--EXPECTF-- + +Strict Standards: Only variables should be passed by reference in %sbug47165.php on line 11 +ok diff --git a/Zend/zend_compile.c b/Zend/zend_compile.c index ed29206775..4c86b98e39 100644 --- a/Zend/zend_compile.c +++ b/Zend/zend_compile.c @@ -2128,8 +2128,17 @@ void zend_do_pass_param(znode *param, zend_uchar op, int offset TSRMLS_DC) if (function_ptr) { if (ARG_MAY_BE_SENT_BY_REF(function_ptr, (zend_uint) offset)) { - op = (param->op_type & (IS_VAR|IS_CV))?ZEND_SEND_REF:ZEND_SEND_VAL; - send_by_reference = 0; + if (param->op_type & (IS_VAR|IS_CV)) { + send_by_reference = 1; + if (op == ZEND_SEND_VAR && zend_is_function_or_method_call(param)) { + /* Method call */ + op = ZEND_SEND_VAR_NO_REF; + send_function = ZEND_ARG_SEND_FUNCTION; + } + } else { + op = ZEND_SEND_VAL; + send_by_reference = 0; + } } else { send_by_reference = ARG_SHOULD_BE_SENT_BY_REF(function_ptr, (zend_uint) offset) ? ZEND_ARG_SEND_BY_REF : 0; } diff --git a/ext/standard/tests/array/extract_variation9.phpt b/ext/standard/tests/array/extract_variation9.phpt index 9d1db4cc7b..e0b3a75fb8 100644 --- a/ext/standard/tests/array/extract_variation9.phpt +++ b/ext/standard/tests/array/extract_variation9.phpt @@ -16,5 +16,7 @@ echo "Done\n"; ?> --EXPECTF-- *** Testing for object *** + +Strict Standards: Only variables should be passed by reference in %sextract_variation9.php on line 10 int(1) Done |