authorEtienne Kneuss <colder@php.net>2008-10-05 14:49:25 +0000
committerEtienne Kneuss <colder@php.net>2008-10-05 14:49:25 +0000
commit47d935664a90a128b34e79f8b74c4dfae02d82bd (patch)
treeac821cbde3124cb7377ae8d11ddbb499c783e0d1
parent487e14d89c571b012b78f8d33cba0f52837c5164 (diff)
Fix #46222 (Allow indirect modifications of Arrays inside ArrayObject + fix EG(uninitialized_zval_ptr) overwrite)
-rw-r--r--NEWS2
-rwxr-xr-xext/spl/spl_array.c29
-rw-r--r--ext/spl/tests/array_026.phpt21
3 files changed, 46 insertions, 6 deletions
diff --git a/NEWS b/NEWS
index fa661b9756..875aea4fa1 100644
--- a/NEWS
+++ b/NEWS
@@ -141,6 +141,8 @@ PHP NEWS
- Fixed bug #42318 (problem with nm on AIX, not finding object files). (Dmitry)
- Fixed bug #41348 (OCI8: allow compilation with Oracle 8.1). (Chris Jones)
- Fixed bug #14032 (Mail() always returns false but mail is sent). (Mikko)
+- Fixed bug #46222 (ArrayObject EG(uninitialized_var_ptr) overwrite).
+ (Etienne)
01 May 2008, PHP 5.2.6
- Fixed two possible crashes inside posix extension (Tony)
diff --git a/ext/spl/spl_array.c b/ext/spl/spl_array.c
index 5398dd85f9..257b503dce 100755
--- a/ext/spl/spl_array.c
+++ b/ext/spl/spl_array.c
@@ -255,6 +255,7 @@ static zval **spl_array_get_dimension_ptr_ptr(int check_inherited, zval *object,
spl_array_object *intern = (spl_array_object*)zend_object_store_get_object(object TSRMLS_CC);
zval **retval;
long index;
+ HashTable *ht = spl_array_get_hash_table(intern, 0 TSRMLS_CC);
/* We cannot get the pointer pointer so we don't allow it here for now
if (check_inherited && intern->fptr_offset_get) {
@@ -267,9 +268,17 @@ static zval **spl_array_get_dimension_ptr_ptr(int check_inherited, zval *object,
switch(Z_TYPE_P(offset)) {
case IS_STRING:
- if (zend_symtable_find(spl_array_get_hash_table(intern, 0 TSRMLS_CC), Z_STRVAL_P(offset), Z_STRLEN_P(offset)+1, (void **) &retval) == FAILURE) {
- zend_error(E_NOTICE, "Undefined index: %s", Z_STRVAL_P(offset));
- return &EG(uninitialized_zval_ptr);
+ if (zend_symtable_find(ht, Z_STRVAL_P(offset), Z_STRLEN_P(offset)+1, (void **) &retval) == FAILURE) {
+ if (type == BP_VAR_W || type == BP_VAR_RW) {
+ zval *value;
+ ALLOC_INIT_ZVAL(value);
+ zend_symtable_update(ht, Z_STRVAL_P(offset), Z_STRLEN_P(offset)+1, (void**)&value, sizeof(void*), NULL);
+ zend_symtable_find(ht, Z_STRVAL_P(offset), Z_STRLEN_P(offset)+1, (void **) &retval);
+ return retval;
+ } else {
+ zend_error(E_NOTICE, "Undefined index: %s", Z_STRVAL_P(offset));
+ return &EG(uninitialized_zval_ptr);
+ }
} else {
return retval;
}
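Review bot: In the new `BP_VAR_W`/`BP_VAR_RW` branch the return values of `zend_symtable_update` and the follow-up `zend_symtable_find` are both ignored, so if either call fails `retval` is returned uninitialized and the freshly allocated `value` is leaked; the caller then writes through a garbage `zval **`. The update call already takes a destination pointer as its last argument, so the second lookup can be dropped and the result checked: `if (zend_symtable_update(ht, Z_STRVAL_P(offset), Z_STRLEN_P(offset)+1, (void**)&value, sizeof(void*), (void **)&retval) == FAILURE) { zval_ptr_dtor(&value); /* fall back to the notice path */ }`. The same pattern appears in the next hunk with `zend_hash_index_update`/`zend_hash_index_find` and should get the same treatment. The body of spl_array_get_dimension_ptr_ptr starts and ends outside this hunk, so how callers handle the returned pointer is not visible here.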
@@ -282,9 +291,17 @@ static zval **spl_array_get_dimension_ptr_ptr(int check_inherited, zval *object,
} else {
index = Z_LVAL_P(offset);
}
- if (zend_hash_index_find(spl_array_get_hash_table(intern, 0 TSRMLS_CC), index, (void **) &retval) == FAILURE) {
- zend_error(E_NOTICE, "Undefined offset: %ld", Z_LVAL_P(offset));
- return &EG(uninitialized_zval_ptr);
+ if (zend_hash_index_find(ht, index, (void **) &retval) == FAILURE) {
+ if (type == BP_VAR_W || type == BP_VAR_RW) {
+ zval *value;
+ ALLOC_INIT_ZVAL(value);
+ zend_hash_index_update(ht, index, (void**)&value, sizeof(void*), NULL);
+ zend_hash_index_find(ht, index, (void **) &retval);
+ return retval;
+ } else {
+ zend_error(E_NOTICE, "Undefined offset: %ld", Z_LVAL_P(offset));
+ return &EG(uninitialized_zval_ptr);
+ }
} else {
return retval;
}
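Review bot: The re-added notice on the read path still formats `Z_LVAL_P(offset)` rather than the `index` that was actually looked up. The visible `else { index = Z_LVAL_P(offset); }` suggests the preceding branch (outside the hunk) derives `index` from a non-long offset, in which case the message would read the wrong member of the zval value and report a different number than the one searched for. Using the local instead keeps the message consistent with the lookup: `zend_error(E_NOTICE, "Undefined offset: %ld", index);`.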
diff --git a/ext/spl/tests/array_026.phpt b/ext/spl/tests/array_026.phpt
new file mode 100644
index 0000000000..94642f04b2
--- /dev/null
+++ b/ext/spl/tests/array_026.phpt
@@ -0,0 +1,21 @@
+--TEST--
+SPL: ArrayObject indirect offsetGet overwriting EG(uninitialized_zvar_ptr)
+--FILE--
+<?php
+$test = new ArrayObject();
+$test['d1']['d2'] = 'hello';
+$test['d1']['d3'] = 'world';
+var_dump($test, $test3['mmmmm']);
+?>
+--EXPECTF--
+Notice: Undefined variable: test3 in %s%earray_026.php on line %d
+object(ArrayObject)#%d (1) {
+ ["d1"]=>
+ array(2) {
+ ["d2"]=>
+ string(5) "hello"
+ ["d3"]=>
+ string(5) "world"
+ }
+}
+NULL
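Review bot: The test covers only the string-key write path; the integer-offset branch changed in ext/spl/spl_array.c and the non-write path that must still raise the "Undefined index"/"Undefined offset" notice have no coverage. Consider adding a nested write through an integer key, e.g. `$test[0][1] = 'x';`, and a read of a missing key, with the matching output in `--EXPECTF--`. The title also spells the global `uninitialized_zvar_ptr`, while the code and commit message call it `EG(uninitialized_zval_ptr)`.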