Fixed a possible memory corruption because of unexpected call-time pass by refernce and following memory clobbering through callbacks.

author: Dmitry Stogov <dmitry@php.net> 2010-05-11 10:41:19 +0000
committer: Dmitry Stogov <dmitry@php.net> 2010-05-11 10:41:19 +0000
commit: 5b18acdcc917e93ef9470119c034210ad0129de8 (patch)
tree: a4509a033995851478a040187c7a77a7fa27b2f5 /Zend/zend_API.c
parent: 962aa93ec78493441a322630b70261d1b0a74e64 (diff)
download: php-git-5b18acdcc917e93ef9470119c034210ad0129de8.tar.gz
1 files changed, 6 insertions, 0 deletions
diff --git a/Zend/zend_API.c b/Zend/zend_API.c
index 0b9823a989..49464705da 100644
--- a/Zend/zend_API.c
+++ b/Zend/zend_API.c
@@ -412,6 +412,12 @@ static char *zend_parse_arg_impl(int arg_num, zval **arg, va_list *va, char **sp
 					case IS_DOUBLE:
 					case IS_BOOL:
 						convert_to_string_ex(arg);
+						if (UNEXPECTED(Z_ISREF_PP(arg) != 0)) {
+							/* it's dangerous to return pointers to string
+							   buffer of referenced variable, because it can
+							   be clobbered throug magic callbacks */
+							SEPARATE_ZVAL(arg);
+						}
 						*p = Z_STRVAL_PP(arg);
 						*pl = Z_STRLEN_PP(arg);
 						break;
author	Dmitry Stogov <dmitry@php.net>	2010-05-11 10:41:19 +0000
committer	Dmitry Stogov <dmitry@php.net>	2010-05-11 10:41:19 +0000
commit	5b18acdcc917e93ef9470119c034210ad0129de8 (patch)
tree	a4509a033995851478a040187c7a77a7fa27b2f5 /Zend/zend_API.c
parent	962aa93ec78493441a322630b70261d1b0a74e64 (diff)
download	php-git-5b18acdcc917e93ef9470119c034210ad0129de8.tar.gz