diff options
| author | Dmitry Stogov <dmitry@php.net> | 2009-08-14 06:18:47 +0000 |
|---|---|---|
| committer | Dmitry Stogov <dmitry@php.net> | 2009-08-14 06:18:47 +0000 |
| commit | 85cee656e432714cf2c7d2b990d65aae63254feb (patch) | |
| tree | 6da10ffb85751bccb64daf5b6abd629bbbb8c4e4 | |
| parent | ae38f7ad1c8e5ff0379e760e030eb459ef365a32 (diff) | |
| download | php-git-85cee656e432714cf2c7d2b990d65aae63254feb.tar.gz | |
Fixed crash in usort() and uasort() in case user comparison function modifyes the array.
| -rw-r--r-- | ext/standard/array.c | 53 |
1 files changed, 46 insertions, 7 deletions
diff --git a/ext/standard/array.c b/ext/standard/array.c index 4604cdb942..b834b08ffb 100644 --- a/ext/standard/array.c +++ b/ext/standard/array.c @@ -657,6 +657,7 @@ static int array_user_compare(const void *a, const void *b TSRMLS_DC) /* {{{ */ PHP_FUNCTION(usort) { zval **array; + int refcount; HashTable *target_hash; PHP_ARRAY_CMP_FUNC_VARS; @@ -678,12 +679,31 @@ PHP_FUNCTION(usort) PHP_ARRAY_CMP_FUNC_CHECK(BG(user_compare_func_name)) BG(user_compare_fci_cache).initialized = 0; + /* Clear the is_ref flag, so the attemts to modify the array in user + * comaprison function will create a copy of array and won't affect the + * original array. The fact of modification is detected using refcount + * comparison. The result of sorting in such case is undefined and the + * function returns FALSE. + */ + (*array)->is_ref = 0; + refcount = (*array)->refcount; + if (zend_hash_sort(target_hash, zend_qsort, array_user_compare, 1 TSRMLS_CC) == FAILURE) { - PHP_ARRAY_CMP_FUNC_RESTORE(); - RETURN_FALSE; + RETVAL_FALSE; + } else { + if (refcount > (*array)->refcount) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Array was modified by the user comparison function"); + RETVAL_FALSE; + } else { + RETVAL_TRUE; + } + } + + if ((*array)->refcount > 1) { + (*array)->is_ref = 1; } + PHP_ARRAY_CMP_FUNC_RESTORE(); - RETURN_TRUE; } /* }}} */ @@ -692,6 +712,7 @@ PHP_FUNCTION(usort) PHP_FUNCTION(uasort) { zval **array; + int refcount; HashTable *target_hash; PHP_ARRAY_CMP_FUNC_VARS; @@ -711,13 +732,31 @@ PHP_FUNCTION(uasort) PHP_ARRAY_CMP_FUNC_CHECK(BG(user_compare_func_name)) BG(user_compare_fci_cache).initialized = 0; + /* Clear the is_ref flag, so the attemts to modify the array in user + * comaprison function will create a copy of array and won't affect the + * original array. The fact of modification is detected using refcount + * comparison. The result of sorting in such case is undefined and the + * function returns FALSE. + */ + (*array)->is_ref = 0; + refcount = (*array)->refcount; + if (zend_hash_sort(target_hash, zend_qsort, array_user_compare, 0 TSRMLS_CC) == FAILURE) { - PHP_ARRAY_CMP_FUNC_RESTORE(); - RETURN_FALSE; + RETVAL_FALSE; + } else { + if (refcount > (*array)->refcount) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Array was modified by the user comparison function"); + RETVAL_FALSE; + } else { + RETVAL_TRUE; + } } - PHP_ARRAY_CMP_FUNC_RESTORE(); - RETURN_TRUE; + if ((*array)->refcount > 1) { + (*array)->is_ref = 1; + } + + PHP_ARRAY_CMP_FUNC_RESTORE(); } /* }}} */ |