php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #78070 dbase functions may modify passed array
Submitted: 2019-05-26 15:47 UTC Modified: 2019-05-26 16:53 UTC
From: cmb@php.net Assigned: cmb (profile)
Status: Closed Package: dbase (PECL)
PHP Version: Irrelevant OS: *
Private report: No CVE-ID: None
 [2019-05-26 15:47 UTC] cmb@php.net
Description:
------------
dbase_create(), dbase_add_record() and dbase_replace_record()
modify their array argument, albeit passed by value, if a string
is expected, but a compatible type is given.


Test script:
---------------
<?php
$def = array([17, 'C', 10]);
$dbh = dbase_create('test.dbf', $def);
var_dump($def);
$record = [4];
dbase_add_record($dbh, $record);
dbase_close($dbh);
var_dump($record);
?>


Expected result:
----------------
array(1) {
  [0]=>
  array(3) {
    [0]=>
    int(17)
    [1]=>
    string(1) "C"
    [2]=>
    int(10)
  }
}
array(1) {
  [0]=>
  int(4)
}

Actual result:
--------------
array(1) {
  [0]=>
  array(3) {
    [0]=>
    string(2) "17"
    [1]=>
    string(1) "C"
    [2]=>
    int(10)
  }
}
array(1) {
  [0]=>
  string(1) "4"
}

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2019-05-26 15:48 UTC] cmb@php.net
-Assigned To: +Assigned To: cmb
 [2019-05-26 16:50 UTC] cmb@php.net
-Summary: dbase function may modify passed array +Summary: dbase functions may modify passed array
 [2019-05-26 16:53 UTC] cmb@php.net
Automatic comment from SVN on behalf of cmb
Revision: http://svn.php.net/viewvc/?view=revision&amp;revision=347491
Log: Fix #78070: dbase functions may modify passed array

We must not convert elements of arrays directly, which have been passed
as arguments; instead we need to convert copies of those elements.
 [2019-05-26 16:53 UTC] cmb@php.net
-Status: Assigned +Status: Closed
 [2019-05-26 18:47 UTC] cmb@php.net
Automatic comment from SVN on behalf of cmb
Revision: http://svn.php.net/viewvc/?view=revision&amp;revision=347492
Log: Fix fix for bug 78070

We must not assume that `value` has the desired type, but use `tmp_value` instead.
We also make sure to `zval_dtor` the `tmp_value` in case of failure (although
`zval_dtor`ing scalars is not strictly neccessary at all).
 
PHP Copyright © 2001-2020 The PHP Group
All rights reserved.
Last updated: Thu Jan 23 05:01:24 2020 UTC