Fixed bug #39297 (Memory corryption because of indirect modification of overloaded array).

dstogov · dstogov · commit 41ae8de13666 · 2006-11-08T13:38:28.000Z
diff --git a/NEWS b/NEWS
@@ -30,6 +30,8 @@ PHP                                                                        NEWS
   an extension INI directive). (wharmby at uk dot ibm dot com, Dmitry)
 - Fixed bug #39320 (ZEND_HASH_APPLY_STOP causes deletion). (Marcus)
 - Fixed bug #39313 (spl_autoload triggers Fatal error). (Marcus)
+- Fixed bug #39297 (Memory corryption because of indirect modification
+  of overloaded array). (Dmitry)
 - Fixed bug #39265 (Fixed path handling inside mod_files.sh). 
   (michal dot taborsky at gmail dot com, Ilia)
 - Fixed bug #39215 (Inappropriate close of stdin/stdout/stderr). (Wez,Ilia)
diff --git a/Zend/tests/bug39297.phpt b/Zend/tests/bug39297.phpt
@@ -0,0 +1,45 @@
+--TEST--
+Bug #39297 (Memory corryption because of indirect modification of overloaded array)
+--FILE--
+<?php
+function compareByRef(&$first, &$second) {
+    return $first === $second;
+}
+
+class MyTree implements ArrayAccess {
+    public $parent;
+    public $children = array();
+
+    public function offsetExists($offset) {
+    }
+
+    public function offsetUnset($offset) {
+    }
+
+    public function offsetSet($offset, $value) {
+    	echo "offsetSet()\n";
+        $cannonicalName = strtolower($offset);
+        $this->children[$cannonicalName] = $value;
+        $value->parent = $this;
+    }    
+    
+    public function offsetGet($offset) {
+    	echo "offsetGet()\n";
+        $cannonicalName = strtolower($offset);
+        return $this->children[$cannonicalName];
+    }
+
+}
+
+$id = 'Test';
+
+$root = new MyTree();
+$child = new MyTree();
+$root[$id] = $child;
+
+var_dump(compareByRef($root[$id], $child));
+?>
+--EXPECT--
+offsetSet()
+offsetGet()
+bool(true)
diff --git a/Zend/zend_object_handlers.c b/Zend/zend_object_handlers.c
@@ -469,6 +469,19 @@ zval *zend_std_read_dimension(zval *object, zval *offset, int type TSRMLS_DC)
 		/* Undo PZVAL_LOCK() */
 		retval->refcount--;
 
+		if ((type == BP_VAR_W || type == BP_VAR_RW  || type == BP_VAR_UNSET) && retval->refcount > 0) {
+			zval *tmp = retval;
+
+			ALLOC_ZVAL(retval);
+			*retval = *tmp;
+			zval_copy_ctor(retval);
+			retval->is_ref = 0;
+			retval->refcount = 0;
+			if (Z_TYPE_P(retval) != IS_OBJECT) {
+				zend_error(E_NOTICE, "Indirect modification of overloaded element of %s has no effect", ce->name);
+			}
+		}
+
 		return retval;
 	} else {
 		zend_error(E_ERROR, "Cannot use object of type %s as array", ce->name);
