diff options
| author | Dmitry Stogov <dmitry@php.net> | 2009-08-14 06:20:21 +0000 |
|---|---|---|
| committer | Dmitry Stogov <dmitry@php.net> | 2009-08-14 06:20:21 +0000 |
| commit | 85560842c27706689c926df4516534088f1a6325 (patch) | |
| tree | 6705c75294d3d63488ac9dfb057ffced26758d9f /ext/standard/array.c | |
| parent | 5ca166b1d268373935c716c1d68482f723082e33 (diff) | |
| download | php-git-85560842c27706689c926df4516534088f1a6325.tar.gz | |
Fixed crash in usort() and uasort() in case user comparison function modifyes th
e array.
Diffstat (limited to 'ext/standard/array.c')
| -rw-r--r-- | ext/standard/array.c | 52 |
1 files changed, 46 insertions, 6 deletions
diff --git a/ext/standard/array.c b/ext/standard/array.c index e9a68463c6..ab02c6f430 100644 --- a/ext/standard/array.c +++ b/ext/standard/array.c @@ -629,6 +629,7 @@ static int php_array_user_compare(const void *a, const void *b TSRMLS_DC) /* {{{ PHP_FUNCTION(usort) { zval *array; + int refcount; PHP_ARRAY_CMP_FUNC_VARS; PHP_ARRAY_CMP_FUNC_BACKUP(); @@ -638,12 +639,31 @@ PHP_FUNCTION(usort) return; } + /* Clear the is_ref flag, so the attemts to modify the array in user + * comaprison function will create a copy of array and won't affect the + * original array. The fact of modification is detected using refcount + * comparison. The result of sorting in such case is undefined and the + * function returns FALSE. + */ + Z_UNSET_ISREF_P(array); + refcount = Z_REFCOUNT_P(array); + if (zend_hash_sort(Z_ARRVAL_P(array), zend_qsort, php_array_user_compare, 1 TSRMLS_CC) == FAILURE) { - PHP_ARRAY_CMP_FUNC_RESTORE(); - RETURN_FALSE; + RETVAL_FALSE; + } else { + if (refcount > Z_REFCOUNT_P(array)) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Array was modified by the user comparison function"); + RETVAL_FALSE; + } else { + RETVAL_TRUE; + } + } + + if (Z_REFCOUNT_P(array) > 1) { + Z_SET_ISREF_P(array); } + PHP_ARRAY_CMP_FUNC_RESTORE(); - RETURN_TRUE; } /* }}} */ @@ -652,6 +672,7 @@ PHP_FUNCTION(usort) PHP_FUNCTION(uasort) { zval *array; + int refcount; PHP_ARRAY_CMP_FUNC_VARS; PHP_ARRAY_CMP_FUNC_BACKUP(); @@ -661,12 +682,31 @@ PHP_FUNCTION(uasort) return; } + /* Clear the is_ref flag, so the attemts to modify the array in user + * comaprison function will create a copy of array and won't affect the + * original array. The fact of modification is detected using refcount + * comparison. The result of sorting in such case is undefined and the + * function returns FALSE. + */ + Z_UNSET_ISREF_P(array); + refcount = Z_REFCOUNT_P(array); + if (zend_hash_sort(Z_ARRVAL_P(array), zend_qsort, php_array_user_compare, 0 TSRMLS_CC) == FAILURE) { - PHP_ARRAY_CMP_FUNC_RESTORE(); - RETURN_FALSE; + RETVAL_FALSE; + } else { + if (refcount > Z_REFCOUNT_P(array)) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Array was modified by the user comparison function"); + RETVAL_FALSE; + } else { + RETVAL_TRUE; + } + } + + if (Z_REFCOUNT_P(array) > 1) { + Z_SET_ISREF_P(array); } + PHP_ARRAY_CMP_FUNC_RESTORE(); - RETURN_TRUE; } /* }}} */ |