Merge branch 'PHP-7.0'

laruence · laruence · commit 8e14632b2cad · 2015-12-07T10:58:36.000+08:00
diff --git a/ext/intl/collator/collator_sort.c b/ext/intl/collator/collator_sort.c
@@ -363,6 +363,7 @@ static void collator_sortkey_swap(collator_sort_key_index_t *p, collator_sort_ke
 PHP_FUNCTION( collator_sort_with_sort_keys )
 {
 	zval*       array                = NULL;
+	zval        garbage;
 	HashTable*  hash                 = NULL;
 	zval*       hashData             = NULL;                     /* currently processed item of input hash */
 
@@ -505,7 +506,7 @@ PHP_FUNCTION( collator_sort_with_sort_keys )
 	zend_sort( sortKeyIndxBuf, sortKeyCount,
 			sortKeyIndxSize, collator_cmp_sort_keys, (swap_func_t)collator_sortkey_swap);
 
-	zval_ptr_dtor( array );
+	ZVAL_COPY_VALUE(&garbage, array);
 	/* for resulting hash we'll assign new hash keys rather then reordering */
 	array_init(array);
 
@@ -518,6 +519,7 @@ PHP_FUNCTION( collator_sort_with_sort_keys )
 	if( utf16_buf )
 		efree( utf16_buf );
 
+	zval_ptr_dtor(&garbage);
 	efree( sortKeyIndxBuf );
 	efree( sortKeyBuf );
 
diff --git a/ext/intl/tests/bug71020.phpt b/ext/intl/tests/bug71020.phpt
@@ -0,0 +1,15 @@
+--TEST--
+Bug #71020 (Use after free in Collator::sortWithSortKeys)
+--SKIPIF--
+<?php if( !extension_loaded( 'intl' ) ) print 'skip'; ?>
+--FILE--
+<?php
+ 
+$var_3=new Collator("Whatever");
+for($x=0;$x<0xbb;$x++)
+	$myarray[substr(md5(microtime()),rand(0,26),9) . strval($x)]= substr(md5(microtime()),rand(0,26),9) . strval($x);
+$var_3->sortWithSortKeys($myarray);
+?>
+okey
+--EXPECT--
+okey
