Patch bug51329.patch for Reproducible crash Bug #51329
Patch version 2012-04-28 07:25 UTC
Return to Bug #51329 |
Download this patch
Patch Revisions:
Developer: laruence@php.net
--- php-5.2.17/ext/standard/basic_functions.c 2010-06-20 06:23:01.000000000 +0800
+++ ext/standard/basic_functions.c 2012-04-28 15:21:25.115358149 +0800
@@ -5173,33 +5173,36 @@
Call a user function which is the first parameter with the arguments contained in array */
PHP_FUNCTION(call_user_func_array)
{
- zval ***func_params, **func, **params;
+ zval ***func_params, **func_ptr, **params_ptr, *func, *params;
zval *retval_ptr;
HashTable *func_params_ht;
char *name;
int count;
int current = 0;
- if (ZEND_NUM_ARGS() != 2 || zend_get_parameters_ex(2, &func, ¶ms) == FAILURE) {
+ if (ZEND_NUM_ARGS() != 2 || zend_get_parameters_ex(2, &func_ptr, ¶ms_ptr) == FAILURE) {
WRONG_PARAM_COUNT;
}
- SEPARATE_ZVAL(params);
- convert_to_array_ex(params);
+ SEPARATE_ZVAL(params_ptr);
+ convert_to_array_ex(params_ptr);
- if (Z_TYPE_PP(func) != IS_STRING && Z_TYPE_PP(func) != IS_ARRAY) {
- SEPARATE_ZVAL(func);
- convert_to_string_ex(func);
+ if (Z_TYPE_PP(func_ptr) != IS_STRING && Z_TYPE_PP(func_ptr) != IS_ARRAY) {
+ SEPARATE_ZVAL(func_ptr);
+ convert_to_string_ex(func_ptr);
}
- if (!zend_is_callable(*func, 0, &name)) {
+ /* there might be a stack resize while calling zend_is_callable */
+ func = *func_ptr;
+ params = *params_ptr;
+
+ if (!zend_is_callable(func, 0, &name)) {
php_error_docref(NULL TSRMLS_CC, E_WARNING, "First argument is expected to be a valid callback, '%s' was given", name);
efree(name);
RETURN_NULL();
}
- func_params_ht = Z_ARRVAL_PP(params);
-
+ func_params_ht = Z_ARRVAL_P(params);
count = zend_hash_num_elements(func_params_ht);
if (count) {
func_params = safe_emalloc(sizeof(zval **), count, 0);
@@ -5214,7 +5217,7 @@
func_params = NULL;
}
- if (call_user_function_ex(EG(function_table), NULL, *func, &retval_ptr, count, func_params, 0, NULL TSRMLS_CC) == SUCCESS) {
+ if (call_user_function_ex(EG(function_table), NULL, func, &retval_ptr, count, func_params, 0, NULL TSRMLS_CC) == SUCCESS) {
if (retval_ptr) {
COPY_PZVAL_TO_ZVAL(*return_value, retval_ptr);
}
|