Merge branch 'PHP-8.1' into PHP-8.2

* PHP-8.1:
  Endless recursion when using + on array in foreach
Ilija Tovilo 2023-05-01 13:21:32 +02:00
commit 50127cef92
No known key found for this signature in database
GPG key ID: A4F5D403F118200A
5 changed files with 21 additions and 61 deletions

2
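--- a/NEWS
+++ b/NEWS
@@ -22,8 +22,6 @@ PHP NEWS
 . Fix inconsistent float negation in constant expressions. (ilutov)
 . Fixed bug GH-8841 (php-cli core dump calling a badly formed function).
 (nielsdos)
-. Fixed bug GH-10085 (Assertion when adding two arrays with += where the first
-array is contained in the second). (ilutov)
 . Fixed bug GH-10737 (PHP 8.1.16 segfaults on line 597 of
 sapi/apache2handler/sapi_apache2.c). (nielsdos, ElliotNB)
 . Fixed bug GH-11028 (Heap Buffer Overflow in zval_undefined_cv.). (nielsdos)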


@ -1,22 +0,0 @@
--TEST--
GH-10085: Assertion in add_function_array()
--FILE--
<?php
$i = [[], 0];
$ref = &$i;
$i[0] += $ref;
var_dump($i);
?>
--EXPECT--
array(2) {
[0]=>
array(2) {
[0]=>
array(0) {
}
[1]=>
int(0)
}
[1]=>
int(0)
}


@ -1,25 +0,0 @@
--TEST--
GH-10085: Assertion in add_function_array()
--FILE--
<?php
$tmp = [0];
unset($tmp[0]);
$i = [$tmp, 0];
unset($tmp);
$ref = &$i;
$i[0] += $ref;
var_dump($i);
?>
--EXPECT--
array(2) {
[0]=>
array(2) {
[0]=>
array(0) {
}
[1]=>
int(0)
}
[1]=>
int(0)
}

15
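--- /dev/null
+++ b/Zend/tests/gh11171.phpt
@@ -0,0 +1,15 @@
+--TEST--
+GH-11171: Test
+--FILE--
+<?php
+$all = ['test'];
+foreach ($all as &$item) {
+$all += [$item];
+}
+var_dump($all);
+?>
+--EXPECT--
+array(1) {
+[0]=>
+&string(4) "test"
+}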
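Review bot: The `--TEST--` title `GH-11171: Test` does not say what the test guards, and that title is the human-readable description the phpt file carries. I would reuse the wording of the commit message: `GH-11171: Endless recursion when using + on array in foreach`. The test covers only the by-reference `foreach` case. With the two GH-10085 tests deleted in this same commit, nothing visible here exercises `+=` where the left operand is an element of the right one.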


@ -1015,22 +1015,16 @@ static ZEND_COLD zend_never_inline void ZEND_FASTCALL zend_binop_error(const cha
static zend_never_inline void ZEND_FASTCALL add_function_array(zval *result, zval *op1, zval *op2) /* {{{ */ static zend_never_inline void ZEND_FASTCALL add_function_array(zval *result, zval *op1, zval *op2) /* {{{ */
{ {
if (result == op1 && Z_ARR_P(op1) == Z_ARR_P(op2)) {
/* $a += $a */
return;
}
if (result != op1) { if (result != op1) {
ZVAL_ARR(result, zend_array_dup(Z_ARR_P(op1))); ZVAL_ARR(result, zend_array_dup(Z_ARR_P(op1)));
zend_hash_merge(Z_ARRVAL_P(result), Z_ARRVAL_P(op2), zval_add_ref, 0);
} else if (Z_ARR_P(op1) == Z_ARR_P(op2)) {
/* $a += $a */
} else { } else {
/* We have to duplicate op1 (even with refcount == 1) because it may be an element of op2 SEPARATE_ARRAY(result);
* and therefore its reference counter may be increased by zend_hash_merge(). That leads to
* an assertion in _zend_hash_add_or_update_i() that only allows adding elements to hash
* tables with RC1. See GH-10085 and Zend/tests/gh10085*.phpt */
zval tmp;
ZVAL_ARR(&tmp, zend_array_dup(Z_ARR_P(op1)));
zend_hash_merge(Z_ARRVAL(tmp), Z_ARRVAL_P(op2), zval_add_ref, 0);
zval_ptr_dtor(result);
ZVAL_COPY_VALUE(result, &tmp);
} }
zend_hash_merge(Z_ARRVAL_P(result), Z_ARRVAL_P(op2), zval_add_ref, 0);
} }
/* }}} */ /* }}} */
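Review bot: In the `else` branch of add_function_array(), `SEPARATE_ARRAY(result);` appears to be the new side, and I would expect it to copy the array only when it is shared. If so, an op1 with refcount 1 that is also an element of op2 is merged into in place again, which is the case the dropped comment ties to the RC1 assertion in `_zend_hash_add_or_update_i()` (GH-10085). The page lost its +/- markers, so this reading is inferred from the hunk counts and from the deleted GH-10085 tests and NEWS entry. If backing that fix out is intended, I would record it at the branch, e.g. `/* NOTE: op1 may still be an element of op2 here (GH-10085); the duplicate-always fix was backed out, see GH-11171 */`. I would also keep the two GH-10085 tests as expected failures rather than deleting them. In builds without assertions, the merge may write to a hash table whose refcount was raised mid-merge, so the path deserves a memory-safety review.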