From 1cbd25ca15383394ffa9ee8601c5de4c0f2f90e1 Mon Sep 17 00:00:00 2001
From: Stanislav Malyshev
Date: Mon, 1 Jun 2015 22:06:16 -0700
Subject: [PATCH] Fix bug #69737 - Segfault when SplMinHeap::compare produces fatal error
---
 NEWS | 4 ++++
 ext/spl/spl_heap.c | 3 ++-
 ext/spl/tests/bug69737.phpt | 16 ++++++++++++++++
 3 files changed, 22 insertions(+), 1 deletion(-)
 create mode 100644 ext/spl/tests/bug69737.phpt
diff --git a/NEWS b/NEWS
index 0463d11dcbf..e83f8c7483e 100644
--- a/NEWS
+++ b/NEWS
@@ -41,6 +41,10 @@
 . Refactored the fix for bug #66084 (simplexml_load_string() mangles empty node name). (Christoph Michael Becker)
+- SPL:
+ . Fixed bug #69737 (Segfault when SplMinHeap::compare produces fatal error).
+ (Stas)
+
 14 May 2015, PHP 5.5.25
 - Core:
diff --git a/ext/spl/spl_heap.c b/ext/spl/spl_heap.c
index 02833074fa0..fad237932b1 100644
--- a/ext/spl/spl_heap.c
+++ b/ext/spl/spl_heap.c
@@ -249,9 +249,10 @@ static void spl_ptr_heap_insert(spl_ptr_heap *heap, spl_ptr_heap_element elem, v
 heap->ctor(elem TSRMLS_CC);
 /* sifting up */
- for(i = heap->count++; i > 0 && heap->cmp(heap->elements[(i-1)/2], elem, cmp_userdata TSRMLS_CC) < 0; i = (i-1)/2) {
+ for(i = heap->count; i > 0 && heap->cmp(heap->elements[(i-1)/2], elem, cmp_userdata TSRMLS_CC) < 0; i = (i-1)/2) {
 heap->elements[i] = heap->elements[(i-1)/2];
 }
+ heap->count++;
 if (EG(exception)) {
 /* exception thrown during comparison */
diff --git a/ext/spl/tests/bug69737.phpt b/ext/spl/tests/bug69737.phpt
new file mode 100644
index 00000000000..d39ce3d4a82
--- /dev/null
+++ b/ext/spl/tests/bug69737.phpt
@@ -0,0 +1,16 @@
+--TEST--
+Bug #69737 (Segfault when SplMinHeap::compare produces fatal error)
+--FILE--
+insert(1);
+$h->insert(6);
+?>
+===DONE===
+--EXPECTF--
+Fatal error: Call to undefined method SplMinHeap::notexist() in %s/bug69737.php on line %d
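Review bot: The sift-up loop in `spl_ptr_heap_insert` still rewrites `heap->elements[i]` between calls to `heap->cmp`, so a fatal error raised by a later comparison (once `i` has dropped below `heap->count`) would leave the same element pointer in two counted slots; deferring `heap->count++` only covers a failure on the first comparison. If teardown runs the element destructor over the first `count` slots — that code is not in this hunk, so confirm it — the duplicated element would be released twice. Running all comparisons before any slot is written avoids this and yields the same final position, because each comparison reads a parent slot that the loop has not yet overwritten; the fence sketches it. `j` is a new local that would be declared beside `i` at the top of the function, which starts and ends outside the hunk. The regression test only exercises a compare() that fails on its first call, so a case where it fails after a few successful comparisons would be worth adding.

```c
	/* sifting up, pass 1: comparisons only; cmp may run user code and bail out, so the array stays untouched */
	for (i = heap->count; i > 0 && heap->cmp(heap->elements[(i-1)/2], elem, cmp_userdata TSRMLS_CC) < 0; i = (i-1)/2) {
	}
	/* pass 2: no user code runs from here on, so the shift cannot be interrupted halfway */
	for (j = heap->count; j > i; j = (j-1)/2) {
		heap->elements[j] = heap->elements[(j-1)/2];
	}
	heap->count++;
	/* … unchanged: EG(exception) check … */
```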