php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Return to Bug #51329
Patch bug51329.patch revision 2012-04-28 07:25 UTC by laruence@php.net

Patch bug51329.patch for Reproducible crash Bug #51329

Patch version 2012-04-28 07:25 UTC

Return to Bug #51329 | Download this patch
Patch Revisions:

Developer: laruence@php.net

--- php-5.2.17/ext/standard/basic_functions.c	2010-06-20 06:23:01.000000000 +0800
+++ ext/standard/basic_functions.c	2012-04-28 15:21:25.115358149 +0800
@@ -5173,33 +5173,36 @@
    Call a user function which is the first parameter with the arguments contained in array */
 PHP_FUNCTION(call_user_func_array)
 {
-	zval ***func_params, **func, **params;
+	zval ***func_params, **func_ptr, **params_ptr, *func, *params;
 	zval *retval_ptr;
 	HashTable *func_params_ht;
 	char *name;
 	int count;
 	int current = 0;
 
-	if (ZEND_NUM_ARGS() != 2 || zend_get_parameters_ex(2, &func, &params) == FAILURE) {
+	if (ZEND_NUM_ARGS() != 2 || zend_get_parameters_ex(2, &func_ptr, &params_ptr) == FAILURE) {
 		WRONG_PARAM_COUNT;
 	}
 
-	SEPARATE_ZVAL(params);
-	convert_to_array_ex(params);
+	SEPARATE_ZVAL(params_ptr);
+	convert_to_array_ex(params_ptr);
 
-	if (Z_TYPE_PP(func) != IS_STRING && Z_TYPE_PP(func) != IS_ARRAY) {
-		SEPARATE_ZVAL(func);
-		convert_to_string_ex(func);
+	if (Z_TYPE_PP(func_ptr) != IS_STRING && Z_TYPE_PP(func_ptr) != IS_ARRAY) {
+		SEPARATE_ZVAL(func_ptr);
+		convert_to_string_ex(func_ptr);
 	}
 
-	if (!zend_is_callable(*func, 0, &name)) {
+	/* there might be a stack resize while calling zend_is_callable */
+	func = *func_ptr;
+	params = *params_ptr;
+
+	if (!zend_is_callable(func, 0, &name)) {
 		php_error_docref(NULL TSRMLS_CC, E_WARNING, "First argument is expected to be a valid callback, '%s' was given", name);
 		efree(name);
 		RETURN_NULL();
 	}
 
-	func_params_ht = Z_ARRVAL_PP(params);
-
+	func_params_ht = Z_ARRVAL_P(params);
 	count = zend_hash_num_elements(func_params_ht);
 	if (count) {
 		func_params = safe_emalloc(sizeof(zval **), count, 0);
@@ -5214,7 +5217,7 @@
 		func_params = NULL;
 	}
 
-	if (call_user_function_ex(EG(function_table), NULL, *func, &retval_ptr, count, func_params, 0, NULL TSRMLS_CC) == SUCCESS) {
+	if (call_user_function_ex(EG(function_table), NULL, func, &retval_ptr, count, func_params, 0, NULL TSRMLS_CC) == SUCCESS) {
 		if (retval_ptr) {
 			COPY_PZVAL_TO_ZVAL(*return_value, retval_ptr);
 		}
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Mar 28 13:01:28 2024 UTC