Fixed bug #72154 (pcntl_wait/pcntl_waitpid array internal structure overwrite)

laruence · laruence · commit c15b6134f612 · 2016-05-05T15:18:17.000+08:00
diff --git a/NEWS b/NEWS
@@ -31,6 +31,10 @@ PHP                                                                        NEWS
   . Fixed bug #71600 (oci_fetch_all segfaults when selecting more than eight
     columns). (Tian Yang)
 
+- PCNTL:
+  . Fixed bug #72154 (pcntl_wait/pcntl_waitpid array internal structure
+    overwrite). (Laruence)
+
 - Opcache:
   . Fixed bug #72014 (Including a file with anonymous classes multiple times
     leads to fatal error). (Laruence)
diff --git a/ext/pcntl/pcntl.c b/ext/pcntl/pcntl.c
@@ -624,12 +624,11 @@ PHP_FUNCTION(pcntl_waitpid)
 	struct rusage rusage;
 #endif
 
-	if (zend_parse_parameters(ZEND_NUM_ARGS(), "lz/|lz/", &pid, &z_status, &options, &z_rusage) == FAILURE)
+	if (zend_parse_parameters(ZEND_NUM_ARGS(), "lz/|lz/", &pid, &z_status, &options, &z_rusage) == FAILURE) {
 		return;
+	}
 
-	convert_to_long_ex(z_status);
-
-	status = Z_LVAL_P(z_status);
+	status = zval_get_long(z_status);
 
 #ifdef HAVE_WAIT4
 	if (z_rusage) {
@@ -659,7 +658,8 @@ PHP_FUNCTION(pcntl_waitpid)
 	}
 #endif
 
-	Z_LVAL_P(z_status) = status;
+	zval_dtor(z_status);
+	ZVAL_LONG(z_status, status);
 
 	RETURN_LONG((zend_long) child_id);
 }
@@ -677,12 +677,11 @@ PHP_FUNCTION(pcntl_wait)
 	struct rusage rusage;
 #endif
 
-	if (zend_parse_parameters(ZEND_NUM_ARGS(), "z/|lz/", &z_status, &options, &z_rusage) == FAILURE)
+	if (zend_parse_parameters(ZEND_NUM_ARGS(), "z/|lz/", &z_status, &options, &z_rusage) == FAILURE) {
 		return;
+	}
 
-	convert_to_long_ex(z_status);
-
-	status = Z_LVAL_P(z_status);
+	status = zval_get_long(z_status);
 #ifdef HAVE_WAIT3
 	if (z_rusage) {
 		if (Z_TYPE_P(z_rusage) != IS_ARRAY) {
@@ -711,7 +710,9 @@ PHP_FUNCTION(pcntl_wait)
 		PHP_RUSAGE_TO_ARRAY(rusage, z_rusage);
 	}
 #endif
-	Z_LVAL_P(z_status) = status;
+
+	zval_dtor(z_status);
+	ZVAL_LONG(z_status, status);
 
 	RETURN_LONG((zend_long) child_id);
 }
diff --git a/ext/pcntl/tests/bug72154.phpt b/ext/pcntl/tests/bug72154.phpt
@@ -0,0 +1,21 @@
+--TEST--
+Bug #72154 (pcntl_wait/pcntl_waitpid array internal structure overwrite)
+--SKIPIF--
+<?php if (!extension_loaded("pcntl")) print "skip"; ?>
+--FILE--
+<?php
+$b = 666;
+var_dump($b);
+$c = &$b;
+$var5 = pcntl_wait($b,0,$c);
+unset($b);
+
+$b = 666;
+var_dump($b);
+$c = &$b;
+$var5 = pcntl_waitpid(0,$b,0,$c);
+unset($b);
+?>
+--EXPECT--
+int(666)
+int(666)
