Properly validate ArrayObject::asort() argument

Author: nikic

ext/spl/spl_array.c

@@ -55,8 +55,8 @@ PHPAPI zend_class_entry  *spl_ce_RecursiveArrayIterator;
 #define SPL_ARRAY_CLONE_MASK         0x0100FFFF
 
 #define SPL_ARRAY_METHOD_NO_ARG				0
-#define SPL_ARRAY_METHOD_USE_ARG    		1
-#define SPL_ARRAY_METHOD_MAY_USER_ARG 		2
+#define SPL_ARRAY_METHOD_CALLBACK_ARG  		1
+#define SPL_ARRAY_METHOD_SORT_FLAGS_ARG 	2
 
 typedef struct _spl_array_object {
 	zval              array;
@@ -1429,15 +1429,14 @@ static void spl_array_method(INTERNAL_FUNCTION_PARAMETERS, char *fname, int fnam
 		intern->nApplyCount++;
 		call_user_function(EG(function_table), NULL, &function_name, return_value, 1, params);
 		intern->nApplyCount--;
-	} else if (use_arg == SPL_ARRAY_METHOD_MAY_USER_ARG) {
-		if (zend_parse_parameters(ZEND_NUM_ARGS(), "|z", &arg) == FAILURE) {
+	} else if (use_arg == SPL_ARRAY_METHOD_SORT_FLAGS_ARG) {
+		zend_long sort_flags = 0;
+		if (zend_parse_parameters(ZEND_NUM_ARGS(), "|l", &sort_flags) == FAILURE) {
 			goto exit;
 		}
-		if (arg) {
-			ZVAL_COPY_VALUE(&params[1], arg);
-		}
+		ZVAL_LONG(&params[1], sort_flags);
 		intern->nApplyCount++;
-		call_user_function(EG(function_table), NULL, &function_name, return_value, arg ? 2 : 1, params);
+		call_user_function(EG(function_table), NULL, &function_name, return_value, 2, params);
 		intern->nApplyCount--;
 	} else {
 		if (zend_parse_parameters(ZEND_NUM_ARGS(), "z", &arg) == FAILURE) {
@@ -1468,16 +1467,16 @@ PHP_METHOD(cname, fname) \
 }
 
 /* {{{ Sort the entries by values. */
-SPL_ARRAY_METHOD(ArrayObject, asort, SPL_ARRAY_METHOD_MAY_USER_ARG) /* }}} */
+SPL_ARRAY_METHOD(ArrayObject, asort, SPL_ARRAY_METHOD_SORT_FLAGS_ARG) /* }}} */
 
 /* {{{ Sort the entries by key. */
-SPL_ARRAY_METHOD(ArrayObject, ksort, SPL_ARRAY_METHOD_MAY_USER_ARG) /* }}} */
+SPL_ARRAY_METHOD(ArrayObject, ksort, SPL_ARRAY_METHOD_SORT_FLAGS_ARG) /* }}} */
 
 /* {{{ Sort the entries by values user defined function. */
-SPL_ARRAY_METHOD(ArrayObject, uasort, SPL_ARRAY_METHOD_USE_ARG) /* }}} */
+SPL_ARRAY_METHOD(ArrayObject, uasort, SPL_ARRAY_METHOD_CALLBACK_ARG) /* }}} */
 
 /* {{{ Sort the entries by key using user defined function. */
-SPL_ARRAY_METHOD(ArrayObject, uksort, SPL_ARRAY_METHOD_USE_ARG) /* }}} */
+SPL_ARRAY_METHOD(ArrayObject, uksort, SPL_ARRAY_METHOD_CALLBACK_ARG) /* }}} */
 
 /* {{{ Sort the entries by values using "natural order" algorithm. */
 SPL_ARRAY_METHOD(ArrayObject, natsort, SPL_ARRAY_METHOD_NO_ARG) /* }}} */

ext/spl/tests/arrayObject_asort_basic1.phpt

@@ -36,7 +36,7 @@ object(ArrayObject)#%d (1) {
     int(4)
   }
 }
-asort(): Argument #2 ($flags) must be of type int, string given
+ArrayObject::asort(): Argument #1 ($flags) must be of type int, string given
 object(ArrayObject)#%d (1) {
   ["storage":"ArrayObject":private]=>
   array(3) {

ext/spl/tests/arrayObject_ksort_basic1.phpt

@@ -35,7 +35,7 @@ object(ArrayObject)#%d (1) {
     int(3)
   }
 }
-ksort(): Argument #2 ($flags) must be of type int, string given
+ArrayObject::ksort(): Argument #1 ($flags) must be of type int, string given
 object(ArrayObject)#2 (1) {
   ["storage":"ArrayObject":private]=>
   array(4) {