-rw-r--r--ext/intl/collator/collator_sort.c4
-rw-r--r--ext/intl/tests/bug71020.phpt15
2 files changed, 18 insertions, 1 deletions
diff --git a/ext/intl/collator/collator_sort.c b/ext/intl/collator/collator_sort.c
index deb2f7b8d9..1ad42d3660 100644
--- a/ext/intl/collator/collator_sort.c
+++ b/ext/intl/collator/collator_sort.c
@@ -363,6 +363,7 @@ static void collator_sortkey_swap(collator_sort_key_index_t *p, collator_sort_ke
PHP_FUNCTION( collator_sort_with_sort_keys )
{
zval* array = NULL;
+ zval garbage;
HashTable* hash = NULL;
zval* hashData = NULL; /* currently processed item of input hash */
@@ -505,7 +506,7 @@ PHP_FUNCTION( collator_sort_with_sort_keys )
zend_sort( sortKeyIndxBuf, sortKeyCount,
sortKeyIndxSize, collator_cmp_sort_keys, (swap_func_t)collator_sortkey_swap);
- zval_ptr_dtor( array );
+ ZVAL_COPY_VALUE(&garbage, array);
/* for resulting hash we'll assign new hash keys rather then reordering */
array_init(array);
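Review bot: The `ZVAL_COPY_VALUE(&garbage, array);` line that replaces the early `zval_ptr_dtor( array )` has no comment explaining why the old array is parked instead of released, and the name `garbage` does not convey the lifetime requirement. Going by the test title (use after free), the `sortKeyIndxBuf` entries presumably still refer to values owned by the old array while the result is rebuilt, so I would add `/* keep the old array alive until the result is rebuilt: sortKeyIndxBuf entries still refer to its elements */` above the copy. The only release visible is `zval_ptr_dtor(&garbage);` in the third hunk, and the function body starts and ends outside these hunks. It is worth confirming that no exit path between the copy and that release skips it, which would leak the old array, and that no path reaches the release with `garbage` still uninitialised.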
@@ -518,6 +519,7 @@ PHP_FUNCTION( collator_sort_with_sort_keys )
if( utf16_buf )
efree( utf16_buf );
+ zval_ptr_dtor(&garbage);
efree( sortKeyIndxBuf );
efree( sortKeyBuf );
diff --git a/ext/intl/tests/bug71020.phpt b/ext/intl/tests/bug71020.phpt
new file mode 100644
index 0000000000..368d967efd
--- /dev/null
+++ b/ext/intl/tests/bug71020.phpt
@@ -0,0 +1,15 @@
+--TEST--
+Bug #71020 (Use after free in Collator::sortWithSortKeys)
+--SKIPIF--
+<?php if( !extension_loaded( 'intl' ) ) print 'skip'; ?>
+--FILE--
+<?php
+
+$var_3=new Collator("Whatever");
+for($x=0;$x<0xbb;$x++)
+ $myarray[substr(md5(microtime()),rand(0,26),9) . strval($x)]= substr(md5(microtime()),rand(0,26),9) . strval($x);
+$var_3->sortWithSortKeys($myarray);
+?>
+okey
+--EXPECT--
+okey
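Review bot: The regression test builds its keys and values from `md5(microtime())` and `rand(0,26)`, so each run sorts different data and a failure cannot be replayed from the test alone. Deterministic runtime-built strings such as `$myarray["k" . $x] = "v" . $x;` should exercise the same path, assuming the bug does not depend on the particular byte values. The test also only checks that the script reaches `okey`, so on a build without a memory checker a use-after-free that happens not to crash would still pass. Adding `var_dump(count($myarray));` after the sort, with `int(187)` in `--EXPECT--`, would at least assert that the rebuilt array is intact.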