Fixed bug #77395 (segfault about array_multisort)

laruence · laruence · commit 8ebae84674c7 · 2019-01-02T12:09:47.000+08:00
diff --git a/NEWS b/NEWS
@@ -9,6 +9,9 @@ PHP                                                                        NEWS
   . Fixed bug #76839 (socket_recvfrom may return an invalid 'from' address
     on MacOS). (Michael Meyer)
 
+- Standard:
+  . Fixed bug #77395 (segfault about array_multisort). (Laruence)
+
 03 Jan 2019, PHP 7.2.14
 
 - Core:
diff --git a/ext/standard/array.c b/ext/standard/array.c
@@ -5555,7 +5555,7 @@ PHPAPI int php_multisort_compare(const void *a, const void *b) /* {{{ */
 /* }}} */
 
 #define MULTISORT_ABORT				\
-	efree(ARRAYG(multisort_func));	\
+	efree(func);	\
 	efree(arrays);					\
 	RETURN_FALSE;
 
@@ -5587,6 +5587,7 @@ PHP_FUNCTION(array_multisort)
 	int				sort_order = PHP_SORT_ASC;
 	int				sort_type  = PHP_SORT_REGULAR;
 	int				i, k, n;
+	compare_func_t  *func;
 
 	ZEND_PARSE_PARAMETERS_START(1, -1)
 		Z_PARAM_VARIADIC('+', args, argc)
@@ -5597,7 +5598,7 @@ PHP_FUNCTION(array_multisort)
 	for (i = 0; i < MULTISORT_LAST; i++) {
 		parse_state[i] = 0;
 	}
-	ARRAYG(multisort_func) = (compare_func_t*)ecalloc(argc, sizeof(compare_func_t));
+	func = ARRAYG(multisort_func) = (compare_func_t*)ecalloc(argc, sizeof(compare_func_t));
 
 	/* Here we go through the input arguments and parse them. Each one can
 	 * be either an array or a sort flag which follows an array. If not
@@ -5681,7 +5682,7 @@ PHP_FUNCTION(array_multisort)
 
 	/* If all arrays are empty we don't need to do anything. */
 	if (array_size < 1) {
-		efree(ARRAYG(multisort_func));
+		efree(func);
 		efree(arrays);
 		RETURN_TRUE;
 	}
@@ -5740,7 +5741,7 @@ PHP_FUNCTION(array_multisort)
 		efree(indirect[i]);
 	}
 	efree(indirect);
-	efree(ARRAYG(multisort_func));
+	efree(func);
 	efree(arrays);
 	RETURN_TRUE;
 }
diff --git a/ext/standard/tests/array/bug77395.phpt b/ext/standard/tests/array/bug77395.phpt
@@ -0,0 +1,16 @@
+--TEST--
+Bug #77395 (segfault about array_multisort)
+--FILE--
+<?php
+function error_handle($level, $message, $file = '', $line = 0){
+	$a = [1,2,3];
+	$b = [3,2,1];
+	echo $message;
+	array_multisort($a, SORT_ASC, $b); // if comment this line, no segfault happen
+}
+set_error_handler('error_handle');
+$data = [['aa'=> 'bb',], ['aa'=> 'bb',],];
+array_multisort(array_column($data, 'bb'),SORT_DESC, $data); // PHP Warning error 
+?>
+--EXPECT--
+array_multisort(): Array sizes are inconsistent
