Fixed bug #61730 (Segfault from array_walk modifying an array passed by reference)

laruence · laruence · commit 7ccd5943924f · 2012-05-06T20:01:10.000+08:00
diff --git a/NEWS b/NEWS
@@ -11,6 +11,8 @@ PHP                                                                        NEWS
     (Laruence)
 
 - Core:
+  . Fixed bug #61730 (Segfault from array_walk modifying an array passed by
+    reference). (Laruence)
   . Fixed missing bound check in iptcparse(). (chris at chiappa.net)
   . Fixed bug #61764 ('I' unpacks n as signed if n > 2^31-1 on LP64). (Gustavo)
   . Fixed bug #54197 ([PATH=] sections incompatibility with user_ini.filename
diff --git a/ext/standard/array.c b/ext/standard/array.c
@@ -1052,7 +1052,6 @@ static int php_array_walk(HashTable *target_hash, zval *userdata, int recursive
 	char  *string_key;
 	uint   string_key_len;
 	ulong  num_key;
-	HashPosition pos;
 
 	/* Set up known arguments */
 	args[1] = &key;
@@ -1061,15 +1060,14 @@ static int php_array_walk(HashTable *target_hash, zval *userdata, int recursive
 		Z_ADDREF_P(userdata);
 	}
 
-	zend_hash_internal_pointer_reset_ex(target_hash, &pos);
-
 	BG(array_walk_fci).retval_ptr_ptr = &retval_ptr;
 	BG(array_walk_fci).param_count = userdata ? 3 : 2;
 	BG(array_walk_fci).params = args;
 	BG(array_walk_fci).no_separation = 0;
-
+	
 	/* Iterate through hash */
-	while (!EG(exception) && zend_hash_get_current_data_ex(target_hash, (void **)&args[0], &pos) == SUCCESS) {
+	zend_hash_internal_pointer_reset(target_hash);
+	while (!EG(exception) && zend_hash_get_current_data(target_hash, (void **)&args[0]) == SUCCESS) {
 		if (recursive && Z_TYPE_PP(args[0]) == IS_ARRAY) {
 			HashTable *thash;
 			zend_fcall_info orig_array_walk_fci;
@@ -1101,7 +1099,7 @@ static int php_array_walk(HashTable *target_hash, zval *userdata, int recursive
 			MAKE_STD_ZVAL(key);
 
 			/* Set up the key */
-			switch (zend_hash_get_current_key_ex(target_hash, &string_key, &string_key_len, &num_key, 0, &pos)) {
+			switch (zend_hash_get_current_key_ex(target_hash, &string_key, &string_key_len, &num_key, 0, NULL)) {
 				case HASH_KEY_IS_LONG:
 					Z_TYPE_P(key) = IS_LONG;
 					Z_LVAL_P(key) = num_key;
@@ -1129,7 +1127,7 @@ static int php_array_walk(HashTable *target_hash, zval *userdata, int recursive
 			zval_ptr_dtor(&key);
 			key = NULL;
 		}
-		zend_hash_move_forward_ex(target_hash, &pos);
+		zend_hash_move_forward(target_hash);
 	}
 
 	if (userdata) {
diff --git a/ext/standard/tests/bug61730.phpt b/ext/standard/tests/bug61730.phpt
@@ -0,0 +1,37 @@
+--TEST--
+Bug #61730 (Segfault from array_walk modifying an array passed by reference)
+--FILE--
+<?php
+$myArray = array_fill(0, 10, 1);
+
+array_walk(
+    $myArray,
+    function($value, $key) use ($myArray)
+    {
+        reset($myArray);
+    }
+);
+
+array_walk(
+    $myArray,
+    function($value, $key) use (&$myArray)
+    {
+        var_dump($key);
+        unset($myArray[$key]);
+        unset($myArray[$key+1]);
+        unset($myArray[$key+2]);
+    }
+);
+
+
+
+print_r($myArray);
+--EXPECT--
+int(0)
+int(4)
+int(8)
+Array
+(
+    [3] => 1
+    [7] => 1
+)
