Fixed a possible memory corruption in pack(). Reported by Stefan Esser

author: Dmitry Stogov <dmitry@php.net> 2010-05-12 11:04:57 +0000
committer: Dmitry Stogov <dmitry@php.net> 2010-05-12 11:04:57 +0000
commit: 5fc060e6719a9508c081bbe5b955dee65d2e799e (patch)
tree: 8a3459ca6594bb66fd992278882f8e2326a53709
parent: 0bb08c61f8a5d7f4f194c58165e90f2fb9d7abd7 (diff)
download: php-git-5fc060e6719a9508c081bbe5b955dee65d2e799e.tar.gz
1 files changed, 12 insertions, 0 deletions
diff --git a/ext/standard/pack.c b/ext/standard/pack.c
index 5888039dc4..e0c7be42b4 100644
--- a/ext/standard/pack.c
+++ b/ext/standard/pack.c
@@ -120,6 +120,9 @@ PHP_FUNCTION(pack)
 		return;
 	}
 
+	if (Z_ISREF_PP(argv[0])) {
+		SEPARATE_ZVAL(argv[0]);
+	}
 	convert_to_string_ex(argv[0]);
 
 	format = Z_STRVAL_PP(argv[0]);
@@ -178,6 +181,9 @@ PHP_FUNCTION(pack)
 				}
 
 				if (arg < 0) {
+					if (Z_ISREF_PP(argv[currentarg])) {
+						SEPARATE_ZVAL(argv[currentarg]);
+					}
 					convert_to_string_ex(argv[currentarg]);
 					arg = Z_STRLEN_PP(argv[currentarg]);
 				}
@@ -311,6 +317,9 @@ PHP_FUNCTION(pack)
 			case 'A': 
 				memset(&output[outputpos], (code == 'a') ? '\0' : ' ', arg);
 				val = argv[currentarg++];
+				if (Z_ISREF_PP(val)) {
+					SEPARATE_ZVAL(val);
+				}
 				convert_to_string_ex(val);
 				memcpy(&output[outputpos], Z_STRVAL_PP(val),
 					   (Z_STRLEN_PP(val) < arg) ? Z_STRLEN_PP(val) : arg);
@@ -324,6 +333,9 @@ PHP_FUNCTION(pack)
 				char *v;
 
 				val = argv[currentarg++];
+				if (Z_ISREF_PP(val)) {
+					SEPARATE_ZVAL(val);
+				}
 				convert_to_string_ex(val);
 				v = Z_STRVAL_PP(val);
 				outputpos--;
author	Dmitry Stogov <dmitry@php.net>	2010-05-12 11:04:57 +0000
committer	Dmitry Stogov <dmitry@php.net>	2010-05-12 11:04:57 +0000
commit	5fc060e6719a9508c081bbe5b955dee65d2e799e (patch)
tree	8a3459ca6594bb66fd992278882f8e2326a53709
parent	0bb08c61f8a5d7f4f194c58165e90f2fb9d7abd7 (diff)
download	php-git-5fc060e6719a9508c081bbe5b955dee65d2e799e.tar.gz