Fixed bug #77669

NEWS

@@ -10,6 +10,8 @@ PHP                                                                        NEWS
 - Standard:
   . Fixed bug #77664 (Segmentation fault when using undefined constant in
     custom wrapper). (Laruence)
+  . Fixed bug #77669 (Crash in extract() when overwriting extracted array).
+    (Nikita)
 
 - MySQLi:
   . Fixed bug #77597 (mysqli_fetch_field hangs scripts). (Nikita)

ext/standard/array.c

@@ -2528,35 +2528,33 @@ PHP_FUNCTION(extract)
 				break;
 		}
 	} else {
+		/* The array might be stored in a local variable that will be overwritten */
+		zval array_copy;
+		ZVAL_COPY(&array_copy, var_array_param);
 		switch (extract_type) {
 			case EXTR_IF_EXISTS:
-				count = php_extract_if_exists(Z_ARRVAL_P(var_array_param), symbol_table);
+				count = php_extract_if_exists(Z_ARRVAL(array_copy), symbol_table);
 				break;
 			case EXTR_OVERWRITE:
-				{
+				count = php_extract_overwrite(Z_ARRVAL(array_copy), symbol_table);
-					zval zv;
-					/* The array might be stored in a local variable that will be overwritten */
-					ZVAL_COPY(&zv, var_array_param);
-					count = php_extract_overwrite(Z_ARRVAL(zv), symbol_table);
-					zval_ptr_dtor(&zv);
-				}
 				break;
 			case EXTR_PREFIX_IF_EXISTS:
-				count = php_extract_prefix_if_exists(Z_ARRVAL_P(var_array_param), symbol_table, prefix);
+				count = php_extract_prefix_if_exists(Z_ARRVAL(array_copy), symbol_table, prefix);
 				break;
 			case EXTR_PREFIX_SAME:
-				count = php_extract_prefix_same(Z_ARRVAL_P(var_array_param), symbol_table, prefix);
+				count = php_extract_prefix_same(Z_ARRVAL(array_copy), symbol_table, prefix);
 				break;
 			case EXTR_PREFIX_ALL:
-				count = php_extract_prefix_all(Z_ARRVAL_P(var_array_param), symbol_table, prefix);
+				count = php_extract_prefix_all(Z_ARRVAL(array_copy), symbol_table, prefix);
 				break;
 			case EXTR_PREFIX_INVALID:
-				count = php_extract_prefix_invalid(Z_ARRVAL_P(var_array_param), symbol_table, prefix);
+				count = php_extract_prefix_invalid(Z_ARRVAL(array_copy), symbol_table, prefix);
 				break;
 			default:
-				count = php_extract_skip(Z_ARRVAL_P(var_array_param), symbol_table);
+				count = php_extract_skip(Z_ARRVAL(array_copy), symbol_table);
 				break;
 		}
+		zval_ptr_dtor(&array_copy);
 	}
 
 	RETURN_LONG(count);

ext/standard/tests/array/bug77669.phpt

@@ -0,0 +1,35 @@
+--TEST--
+Bug #77669: Crash in extract() when overwriting extracted array
+--FILE--
+<?php
+
+function test($mode) {
+    $foo = [];
+    $foo["foo"] = 42;
+    $foo["bar"] = 24;
+    extract($foo, $mode, "");
+    $prefix_foo = [];
+    $prefix_foo["foo"] = 42;
+    $prefix_foo["bar"] = 24;
+    extract($prefix_foo, $mode, "prefix");
+}
+
+test(EXTR_OVERWRITE);
+test(EXTR_SKIP);
+test(EXTR_IF_EXISTS);
+test(EXTR_PREFIX_SAME);
+test(EXTR_PREFIX_ALL);
+test(EXTR_PREFIX_INVALID);
+test(EXTR_PREFIX_IF_EXISTS);
+test(EXTR_REFS | EXTR_OVERWRITE);
+test(EXTR_REFS | EXTR_SKIP);
+test(EXTR_REFS | EXTR_IF_EXISTS);
+test(EXTR_REFS | EXTR_PREFIX_SAME);
+test(EXTR_REFS | EXTR_PREFIX_ALL);
+test(EXTR_REFS | EXTR_PREFIX_INVALID);
+test(EXTR_REFS | EXTR_PREFIX_IF_EXISTS);
+
+?>
+===DONE===
+--EXPECT--
+===DONE===