Commit 5e6846c

committed
Merge branch 'PHP-7.3' into PHP-7.4
2 parents 9d5db37 + 019fd1d commit 5e6846c

2 files changed

+46
-13
lines changed

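--- a/ext/standard/array.c
+++ b/ext/standard/array.c
@@ -2493,35 +2493,33 @@ PHP_FUNCTION(extract)
 break;
 }
 } else {
+/* The array might be stored in a local variable that will be overwritten */
+zval array_copy;
+ZVAL_COPY(&array_copy, var_array_param);
 switch (extract_type) {
 case EXTR_IF_EXISTS:
-count = php_extract_if_exists(Z_ARRVAL_P(var_array_param), symbol_table);
+count = php_extract_if_exists(Z_ARRVAL(array_copy), symbol_table);
 break;
 case EXTR_OVERWRITE:
-{
-zval zv;
-/* The array might be stored in a local variable that will be overwritten */
-ZVAL_COPY(&zv, var_array_param);
-count = php_extract_overwrite(Z_ARRVAL(zv), symbol_table);
-zval_ptr_dtor(&zv);
-}
+count = php_extract_overwrite(Z_ARRVAL(array_copy), symbol_table);
 break;
 case EXTR_PREFIX_IF_EXISTS:
-count = php_extract_prefix_if_exists(Z_ARRVAL_P(var_array_param), symbol_table, prefix);
+count = php_extract_prefix_if_exists(Z_ARRVAL(array_copy), symbol_table, prefix);
 break;
 case EXTR_PREFIX_SAME:
-count = php_extract_prefix_same(Z_ARRVAL_P(var_array_param), symbol_table, prefix);
+count = php_extract_prefix_same(Z_ARRVAL(array_copy), symbol_table, prefix);
 break;
 case EXTR_PREFIX_ALL:
-count = php_extract_prefix_all(Z_ARRVAL_P(var_array_param), symbol_table, prefix);
+count = php_extract_prefix_all(Z_ARRVAL(array_copy), symbol_table, prefix);
 break;
 case EXTR_PREFIX_INVALID:
-count = php_extract_prefix_invalid(Z_ARRVAL_P(var_array_param), symbol_table, prefix);
+count = php_extract_prefix_invalid(Z_ARRVAL(array_copy), symbol_table, prefix);
 break;
 default:
-count = php_extract_skip(Z_ARRVAL_P(var_array_param), symbol_table);
+count = php_extract_skip(Z_ARRVAL(array_copy), symbol_table);
 break;
 }
+zval_ptr_dtor(&array_copy);
 }
 
 RETURN_LONG(count);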
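Review bot: The comment above `zval array_copy;` says only that the array "might be stored in a local variable that will be overwritten", without stating what the copy protects against or that it must be released on every path out of the `switch`. A fuller comment would help the next maintainer, for example `/* Hold our own reference: a key named like the source variable overwrites that variable, which would otherwise release the array while the php_extract_* helper is still iterating it. Released by zval_ptr_dtor() below. */`; that this is the crash behind the bug is inferred from the test title, not shown in the hunk. The `if` arm that this `else` pairs with lies above the hunk, so it cannot be checked here; since the new test also runs every mode with `EXTR_REFS`, confirm that arm keeps the array alive in the same way. `PHP_FUNCTION(extract)` starts and ends outside the hunk.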
Lines changed: 35 additions & 0 deletions
@@ -0,0 +1,35 @@
1+
--TEST--
2+
Bug #77669: Crash in extract() when overwriting extracted array
3+
--FILE--
4+
<?php
5+
6+
function test($mode) {
7+
$foo = [];
8+
$foo["foo"] = 42;
9+
$foo["bar"] = 24;
10+
extract($foo, $mode, "");
11+
$prefix_foo = [];
12+
$prefix_foo["foo"] = 42;
13+
$prefix_foo["bar"] = 24;
14+
extract($prefix_foo, $mode, "prefix");
15+
}
16+
17+
test(EXTR_OVERWRITE);
18+
test(EXTR_SKIP);
19+
test(EXTR_IF_EXISTS);
20+
test(EXTR_PREFIX_SAME);
21+
test(EXTR_PREFIX_ALL);
22+
test(EXTR_PREFIX_INVALID);
23+
test(EXTR_PREFIX_IF_EXISTS);
24+
test(EXTR_REFS | EXTR_OVERWRITE);
25+
test(EXTR_REFS | EXTR_SKIP);
26+
test(EXTR_REFS | EXTR_IF_EXISTS);
27+
test(EXTR_REFS | EXTR_PREFIX_SAME);
28+
test(EXTR_REFS | EXTR_PREFIX_ALL);
29+
test(EXTR_REFS | EXTR_PREFIX_INVALID);
30+
test(EXTR_REFS | EXTR_PREFIX_IF_EXISTS);
31+
32+
?>
33+
===DONE===
34+
--EXPECT--
35+
===DONE===
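Review bot: The test asserts only that none of the fourteen `test()` calls crashes, since `--EXPECT--` is just `===DONE===`; a mode that returned the wrong count or left `$foo` / `$prefix_foo` in the wrong state would still pass. Consider pinning one observable result per call, for example `var_dump(extract($foo, $mode, ""));` in place of the bare call on line 10 (and likewise on line 14), with the resulting counts added to `--EXPECT--`. Because the defect being guarded is an object-lifetime problem, a plain run can also pass by luck on a broken build, so this file gives the most signal when the suite is run under a memory checker.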
