Fixed bug #61453.

cataphract · cataphract · commit 0f001703a898 · 2012-03-21T12:42:09.000Z
The "hash" function used strncpy on data that would have NUL bytes, ending the
copy prematurely and causing collisions between objects.
diff --git a/NEWS b/NEWS
@@ -96,6 +96,8 @@ PHP                                                                        NEWS
     ReflectionMethod::invokeArgs()). (Laruence)
 
 - SPL:
+  . Fixed bug #61453 (SplObjectStorage does not identify objects correctly).
+    (Gustavo)
   . Fixed bug #61347 (inconsistent isset behavior of Arrayobject). (Laruence)
 
 - Standard:
diff --git a/ext/spl/spl_observer.c b/ext/spl/spl_observer.c
@@ -146,14 +146,14 @@ static char *spl_object_storage_get_hash(spl_SplObjectStorage *intern, zval *thi
 
 		return (char*)&Z_OBJVAL_P(obj);
 #else
-		char *hash = emalloc((hash_len+1)*sizeof(char));
+		char *hash = emalloc(hash_len + 1);
 
 		zend_object_value zvalue;
 		memset(&zvalue, 0, sizeof(zend_object_value));
 		zvalue.handle = Z_OBJ_HANDLE_P(obj);
 		zvalue.handlers = Z_OBJ_HT_P(obj);
 
-		strncpy(hash, (char *)&zvalue, hash_len);
+		memcpy(hash, (char *)&zvalue, hash_len);
 		hash[hash_len] = 0;
 
 		if (hash_len_ptr) {
diff --git a/ext/spl/tests/bug61453.phpt b/ext/spl/tests/bug61453.phpt
@@ -0,0 +1,19 @@
+--TEST--
+Bug #61453:	SplObjectStorage does not identify objects correctly
+--FILE--
+<?php
+$limit = 1000;
+$objects = new SplObjectStorage;
+for($i = 0; $i < $limit; $i++){
+	$object = new StdClass;
+
+	if(isset($objects[$object])){
+		die("this should never happen, but did after $i iteration");
+	}
+
+	$objects[$object] = 1;
+}
+?>
+==DONE==
+--EXPECT--
+==DONE==
