diff options
| -rw-r--r-- | NEWS | 1 | ||||
| -rw-r--r-- | Zend/zend_ini_parser.y | 7 | ||||
| -rw-r--r-- | ext/standard/tests/general_functions/bug70947.phpt | 12 |
3 files changed, 19 insertions, 1 deletions
@@ -3,6 +3,7 @@ PHP NEWS ?? ??? 2015, PHP 7.0.1 - Core: + . Fixed bug #70947 (INI parser segfault with INI_SCANNER_TYPED). (Laruence) . Fixed bug #70944 (try{ } finally{} can create infinite chains of exceptions). (Laruence) . Fixed bug #70914 (zend_throw_or_error() format string vulnerability). diff --git a/Zend/zend_ini_parser.y b/Zend/zend_ini_parser.y index e3042b80c1..d6f33159d8 100644 --- a/Zend/zend_ini_parser.y +++ b/Zend/zend_ini_parser.y @@ -109,8 +109,13 @@ static void zend_ini_add_string(zval *result, zval *op1, zval *op2) ZVAL_PSTRINGL(op1, str->val, str->len); zend_string_release(str); } - op1_len = (int)Z_STRLEN_P(op1); + + if (Z_TYPE_P(op2) != IS_STRING) { + zend_string *str = zval_get_string(op2); + ZVAL_PSTRINGL(op2, str->val, str->len); + zend_string_release(str); + } length = op1_len + (int)Z_STRLEN_P(op2); ZVAL_NEW_STR(result, zend_string_extend(Z_STR_P(op1), length, 1)); diff --git a/ext/standard/tests/general_functions/bug70947.phpt b/ext/standard/tests/general_functions/bug70947.phpt new file mode 100644 index 0000000000..d07e5a331f --- /dev/null +++ b/ext/standard/tests/general_functions/bug70947.phpt @@ -0,0 +1,12 @@ +--TEST-- +Bug #70947 (INI parser segfault with INI_SCANNER_TYPED) +--FILE-- +<?php +$o = parse_ini_string('foo = bar 123', FALSE, INI_SCANNER_TYPED); +var_dump($o); +?> +--EXPECT-- +array(1) { + ["foo"]=> + string(7) "bar 123" +} |