diff options
| author | Xinchen Hui <laruence@gmail.com> | 2019-01-02 12:09:47 +0800 | 
|---|---|---|
| committer | Xinchen Hui <laruence@gmail.com> | 2019-01-02 12:09:47 +0800 | 
| commit | 8ebae84674c75c3483550fb6e9da49122d952c99 (patch) | |
| tree | c96fa263b74f1d90de648b365d9054d3ebafb10d | |
| parent | b0cfa28d6d4e6f7855093b4fb66ccf3a2d07660e (diff) | |
| download | php-git-8ebae84674c75c3483550fb6e9da49122d952c99.tar.gz | |
Fixed bug #77395 (segfault about array_multisort)
| -rw-r--r-- | NEWS | 3 | ||||
| -rw-r--r-- | ext/standard/array.c | 9 | ||||
| -rw-r--r-- | ext/standard/tests/array/bug77395.phpt | 16 | 
3 files changed, 24 insertions, 4 deletions
| @@ -9,6 +9,9 @@ PHP                                                                        NEWS    . Fixed bug #76839 (socket_recvfrom may return an invalid 'from' address      on MacOS). (Michael Meyer) +- Standard: +  . Fixed bug #77395 (segfault about array_multisort). (Laruence) +  03 Jan 2019, PHP 7.2.14  - Core: diff --git a/ext/standard/array.c b/ext/standard/array.c index dfff41b6aa..e810defcda 100644 --- a/ext/standard/array.c +++ b/ext/standard/array.c @@ -5555,7 +5555,7 @@ PHPAPI int php_multisort_compare(const void *a, const void *b) /* {{{ */  /* }}} */  #define MULTISORT_ABORT				\ -	efree(ARRAYG(multisort_func));	\ +	efree(func);	\  	efree(arrays);					\  	RETURN_FALSE; @@ -5587,6 +5587,7 @@ PHP_FUNCTION(array_multisort)  	int				sort_order = PHP_SORT_ASC;  	int				sort_type  = PHP_SORT_REGULAR;  	int				i, k, n; +	compare_func_t  *func;  	ZEND_PARSE_PARAMETERS_START(1, -1)  		Z_PARAM_VARIADIC('+', args, argc) @@ -5597,7 +5598,7 @@ PHP_FUNCTION(array_multisort)  	for (i = 0; i < MULTISORT_LAST; i++) {  		parse_state[i] = 0;  	} -	ARRAYG(multisort_func) = (compare_func_t*)ecalloc(argc, sizeof(compare_func_t)); +	func = ARRAYG(multisort_func) = (compare_func_t*)ecalloc(argc, sizeof(compare_func_t));  	/* Here we go through the input arguments and parse them. Each one can  	 * be either an array or a sort flag which follows an array. If not @@ -5681,7 +5682,7 @@ PHP_FUNCTION(array_multisort)  	/* If all arrays are empty we don't need to do anything. */  	if (array_size < 1) { -		efree(ARRAYG(multisort_func)); +		efree(func);  		efree(arrays);  		RETURN_TRUE;  	} @@ -5740,7 +5741,7 @@ PHP_FUNCTION(array_multisort)  		efree(indirect[i]);  	}  	efree(indirect); -	efree(ARRAYG(multisort_func)); +	efree(func);  	efree(arrays);  	RETURN_TRUE;  } diff --git a/ext/standard/tests/array/bug77395.phpt b/ext/standard/tests/array/bug77395.phpt new file mode 100644 index 0000000000..7910e36982 --- /dev/null +++ b/ext/standard/tests/array/bug77395.phpt @@ -0,0 +1,16 @@ +--TEST-- +Bug #77395 (segfault about array_multisort) +--FILE-- +<?php +function error_handle($level, $message, $file = '', $line = 0){ +	$a = [1,2,3]; +	$b = [3,2,1]; +	echo $message; +	array_multisort($a, SORT_ASC, $b); // if comment this line, no segfault happen +} +set_error_handler('error_handle'); +$data = [['aa'=> 'bb',], ['aa'=> 'bb',],]; +array_multisort(array_column($data, 'bb'),SORT_DESC, $data); // PHP Warning error  +?> +--EXPECT-- +array_multisort(): Array sizes are inconsistent | 
