Skip to content

Commit 9ad9cc7

Browse files
nikicnikic
committed
Fixed bug #77669
1 parent af37d58 commit 9ad9cc7

File tree

3 files changed

+48
-13
lines changed

3 files changed

+48
-13
lines changed

NEWS

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -10,6 +10,8 @@ PHP NEWS
1010
- Standard:
1111
. Fixed bug #77664 (Segmentation fault when using undefined constant in
1212
custom wrapper). (Laruence)
13+
. Fixed bug #77669 (Crash in extract() when overwriting extracted array).
14+
(Nikita)
1315

1416
- MySQLi:
1517
. Fixed bug #77597 (mysqli_fetch_field hangs scripts). (Nikita)

ext/standard/array.c

Lines changed: 11 additions & 13 deletions
Original file line numberDiff line numberDiff line change
@@ -2528,35 +2528,33 @@ PHP_FUNCTION(extract)
25282528
break;
25292529
}
25302530
} else {
2531+
/* The array might be stored in a local variable that will be overwritten */
2532+
zval array_copy;
2533+
ZVAL_COPY(&array_copy, var_array_param);
25312534
switch (extract_type) {
25322535
case EXTR_IF_EXISTS:
2533-
count = php_extract_if_exists(Z_ARRVAL_P(var_array_param), symbol_table);
2536+
count = php_extract_if_exists(Z_ARRVAL(array_copy), symbol_table);
25342537
break;
25352538
case EXTR_OVERWRITE:
2536-
{
2537-
zval zv;
2538-
/* The array might be stored in a local variable that will be overwritten */
2539-
ZVAL_COPY(&zv, var_array_param);
2540-
count = php_extract_overwrite(Z_ARRVAL(zv), symbol_table);
2541-
zval_ptr_dtor(&zv);
2542-
}
2539+
count = php_extract_overwrite(Z_ARRVAL(array_copy), symbol_table);
25432540
break;
25442541
case EXTR_PREFIX_IF_EXISTS:
2545-
count = php_extract_prefix_if_exists(Z_ARRVAL_P(var_array_param), symbol_table, prefix);
2542+
count = php_extract_prefix_if_exists(Z_ARRVAL(array_copy), symbol_table, prefix);
25462543
break;
25472544
case EXTR_PREFIX_SAME:
2548-
count = php_extract_prefix_same(Z_ARRVAL_P(var_array_param), symbol_table, prefix);
2545+
count = php_extract_prefix_same(Z_ARRVAL(array_copy), symbol_table, prefix);
25492546
break;
25502547
case EXTR_PREFIX_ALL:
2551-
count = php_extract_prefix_all(Z_ARRVAL_P(var_array_param), symbol_table, prefix);
2548+
count = php_extract_prefix_all(Z_ARRVAL(array_copy), symbol_table, prefix);
25522549
break;
25532550
case EXTR_PREFIX_INVALID:
2554-
count = php_extract_prefix_invalid(Z_ARRVAL_P(var_array_param), symbol_table, prefix);
2551+
count = php_extract_prefix_invalid(Z_ARRVAL(array_copy), symbol_table, prefix);
25552552
break;
25562553
default:
2557-
count = php_extract_skip(Z_ARRVAL_P(var_array_param), symbol_table);
2554+
count = php_extract_skip(Z_ARRVAL(array_copy), symbol_table);
25582555
break;
25592556
}
2557+
zval_ptr_dtor(&array_copy);
25602558
}
25612559

25622560
RETURN_LONG(count);

ext/standard/tests/array/bug77669.phpt

Lines changed: 35 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,35 @@
1+
--TEST--
2+
Bug #77669: Crash in extract() when overwriting extracted array
3+
--FILE--
4+
<?php
5+
6+
function test($mode) {
7+
$foo = [];
8+
$foo["foo"] = 42;
9+
$foo["bar"] = 24;
10+
extract($foo, $mode, "");
11+
$prefix_foo = [];
12+
$prefix_foo["foo"] = 42;
13+
$prefix_foo["bar"] = 24;
14+
extract($prefix_foo, $mode, "prefix");
15+
}
16+
17+
test(EXTR_OVERWRITE);
18+
test(EXTR_SKIP);
19+
test(EXTR_IF_EXISTS);
20+
test(EXTR_PREFIX_SAME);
21+
test(EXTR_PREFIX_ALL);
22+
test(EXTR_PREFIX_INVALID);
23+
test(EXTR_PREFIX_IF_EXISTS);
24+
test(EXTR_REFS | EXTR_OVERWRITE);
25+
test(EXTR_REFS | EXTR_SKIP);
26+
test(EXTR_REFS | EXTR_IF_EXISTS);
27+
test(EXTR_REFS | EXTR_PREFIX_SAME);
28+
test(EXTR_REFS | EXTR_PREFIX_ALL);
29+
test(EXTR_REFS | EXTR_PREFIX_INVALID);
30+
test(EXTR_REFS | EXTR_PREFIX_IF_EXISTS);
31+
32+
?>
33+
===DONE===
34+
--EXPECT--
35+
===DONE===

0 commit comments

Comments
 (0)