PHPC-1839 Fix accessing referenced strings (#1223)

alcaeus · web-flow · commit c68cdcda7654 · 2021-06-16T08:16:58.000+02:00
* PHPC-1839 Fix accessing referenced non-interned strings * Use ZVAL_DEREF * Update tests to not require a live server * Use correct case for method names
diff --git a/src/contrib/php_array_api.h b/src/contrib/php_array_api.h
@@ -281,8 +281,12 @@ PHP_ARRAY_FETCH_TYPE_MAP(zend_bool, bool)
  */
 static inline
 PAA_LONG php_array_zval_to_long(zval *z) {
+try_again:
 	if (!z) { return 0; }
 	switch(Z_TYPE_P(z)) {
+		case IS_REFERENCE:
+			ZVAL_DEREF(z);
+			goto try_again;
 		case IS_NULL: return 0;
 #ifdef ZEND_ENGINE_3
 		case IS_FALSE: return 0;
@@ -315,8 +319,12 @@ PHP_ARRAY_FETCH_TYPE_MAP(PAA_LONG, long)
  */
 static inline
 double php_array_zval_to_double(zval *z) {
+try_again:
 	if (!z) { return 0.0; }
 	switch (Z_TYPE_P(z)) {
+		case IS_REFERENCE:
+			ZVAL_DEREF(z);
+			goto try_again;
 		case IS_NULL: return 0.0;
 #ifdef ZEND_ENGINE_3
 		case IS_FALSE: return 0.0;
@@ -357,10 +365,14 @@ static inline
 char *php_array_zval_to_string(zval *z, int *plen, zend_bool *pfree) {
 	*plen = 0;
 	*pfree = 0;
+try_again:
 	if (!z) { return NULL; }
 	switch (Z_TYPE_P(z)) {
 		case IS_NULL:
 			return (char *)"";
+		case IS_REFERENCE:
+			ZVAL_DEREF(z);
+			goto try_again;
 		case IS_STRING:
 			*plen = Z_STRLEN_P(z);
 			return Z_STRVAL_P(z);
diff --git a/tests/bson/bug1839-001.phpt b/tests/bson/bug1839-001.phpt
@@ -0,0 +1,48 @@
+--TEST--
+PHPC-1839: Referenced, out-of-scope, non-interned string in typeMap
+--FILE--
+<?php
+require_once __DIR__ . "/../utils/basic.inc";
+
+function createTypemap()
+{
+    // Assemble the string so as to not have an interned string
+    $rootValue = chr(ord('a')) . 'rray';
+    $documentValue = chr(ord('a')) . 'rray';
+
+    // Use a reference to this non-interned string in the type map
+    $typemap = ['root' => &$rootValue, 'document' => &$documentValue];
+
+    return $typemap;
+}
+
+$typemap = createTypemap();
+$bson    = MongoDB\BSON\fromPhp((object) []);
+
+echo "Before:\n";
+debug_zval_dump($typemap);
+
+MongoDB\BSON\toPHP($bson, $typemap);
+
+echo "After:\n";
+debug_zval_dump($typemap);
+
+?>
+===DONE===
+<?php exit(0); ?>
+--EXPECT--
+Before:
+array(2) refcount(2){
+  ["root"]=>
+  string(5) "array" refcount(1)
+  ["document"]=>
+  string(5) "array" refcount(1)
+}
+After:
+array(2) refcount(2){
+  ["root"]=>
+  string(5) "array" refcount(1)
+  ["document"]=>
+  string(5) "array" refcount(1)
+}
+===DONE===
diff --git a/tests/bson/bug1839-002.phpt b/tests/bson/bug1839-002.phpt
@@ -0,0 +1,40 @@
+--TEST--
+PHPC-1839: Referenced, local, non-interned string in typeMap
+--FILE--
+<?php
+require_once __DIR__ . "/../utils/basic.inc";
+
+// Assemble the string so as to not have an interned string
+$rootValue = chr(ord('a')) . 'rray';
+$documentValue = chr(ord('a')) . 'rray';
+
+$typemap = ['root' => &$rootValue, 'document' => &$documentValue];
+$bson    = MongoDB\BSON\fromPhp((object) []);
+
+echo "Before:\n";
+debug_zval_dump($typemap);
+
+MongoDB\BSON\toPHP($bson, $typemap);
+
+echo "After:\n";
+debug_zval_dump($typemap);
+
+?>
+===DONE===
+<?php exit(0); ?>
+--EXPECT--
+Before:
+array(2) refcount(2){
+  ["root"]=>
+  &string(5) "array" refcount(1)
+  ["document"]=>
+  &string(5) "array" refcount(1)
+}
+After:
+array(2) refcount(2){
+  ["root"]=>
+  &string(5) "array" refcount(1)
+  ["document"]=>
+  &string(5) "array" refcount(1)
+}
+===DONE===
diff --git a/tests/bson/bug1839-003.phpt b/tests/bson/bug1839-003.phpt
@@ -0,0 +1,46 @@
+--TEST--
+PHPC-1839: Referenced, out-of-scope, interned string in typeMap
+--FILE--
+<?php
+require_once __DIR__ . "/../utils/basic.inc";
+
+function createTypemap()
+{
+    $rootValue = 'array';
+    $documentValue = 'array';
+
+    $typemap = ['root' => &$rootValue, 'document' => &$documentValue];
+
+    return $typemap;
+}
+
+$typemap = createTypemap();
+$bson    = MongoDB\BSON\fromPhp((object) []);
+
+echo "Before:\n";
+debug_zval_dump($typemap);
+
+MongoDB\BSON\toPHP($bson, $typemap);
+
+echo "After:\n";
+debug_zval_dump($typemap);
+
+?>
+===DONE===
+<?php exit(0); ?>
+--EXPECT--
+Before:
+array(2) refcount(2){
+  ["root"]=>
+  string(5) "array" refcount(1)
+  ["document"]=>
+  string(5) "array" refcount(1)
+}
+After:
+array(2) refcount(2){
+  ["root"]=>
+  string(5) "array" refcount(1)
+  ["document"]=>
+  string(5) "array" refcount(1)
+}
+===DONE===
diff --git a/tests/bson/bug1839-004.phpt b/tests/bson/bug1839-004.phpt
@@ -0,0 +1,39 @@
+--TEST--
+PHPC-1839: Referenced, local, interned string in typeMap
+--FILE--
+<?php
+require_once __DIR__ . "/../utils/basic.inc";
+
+$rootValue = 'array';
+$documentValue = 'array';
+
+$typemap = ['root' => &$rootValue, 'document' => &$documentValue];
+$bson    = MongoDB\BSON\fromPhp((object) []);
+
+echo "Before:\n";
+debug_zval_dump($typemap);
+
+MongoDB\BSON\toPHP($bson, $typemap);
+
+echo "After:\n";
+debug_zval_dump($typemap);
+
+?>
+===DONE===
+<?php exit(0); ?>
+--EXPECT--
+Before:
+array(2) refcount(2){
+  ["root"]=>
+  &string(5) "array" refcount(1)
+  ["document"]=>
+  &string(5) "array" refcount(1)
+}
+After:
+array(2) refcount(2){
+  ["root"]=>
+  &string(5) "array" refcount(1)
+  ["document"]=>
+  &string(5) "array" refcount(1)
+}
+===DONE===
