Fixed bug #52237 (Crash when passing the reference of the property of a non-object)

diff --git a/Zend/tests/bug52237.phpt b/Zend/tests/bug52237.phpt
new file mode 100644 (file)
index 0000000..a466a8c
--- /dev/null
+++ b/Zend/tests/bug52237.phpt
@@ -0,0 +1,11 @@
+--TEST--
+Bug #52237 (Crash when passing the reference of the property of a non-object)
+--FILE--
+<?php
+$data = 'test';
+preg_match('//', '', $data->info);
+var_dump($data);
+?>
+--EXPECTF--
+Warning: Attempt to modify property of non-object in %sbug52237.php on line 3
+string(4) "test"

diff --git a/Zend/zend_vm_def.h b/Zend/zend_vm_def.h
index cd26f5e8e65a3fa0e81b87217f3acddce09ee20e..e3d68256c34c91a084783bc6c92beacf1b08eb60 100644 (file)
--- a/Zend/zend_vm_def.h
+++ b/Zend/zend_vm_def.h
@@ -2693,9 +2693,16 @@ ZEND_VM_HANDLER(67, ZEND_SEND_REF, VAR|CV, ANY)
                zend_error_noreturn(E_ERROR, "Only variables can be passed by reference");
        }
 
-       if (EX(function_state).function->type == ZEND_INTERNAL_FUNCTION && !ARG_SHOULD_BE_SENT_BY_REF(EX(fbc), opline->op2.u.opline_num)) {
-               ZEND_VM_DISPATCH_TO_HELPER(zend_send_by_var_helper);
-        }
+       if (OP1_TYPE == IS_VAR && *varptr_ptr == EG(error_zval_ptr)) {
+               Z_DELREF_PP(varptr_ptr);
+               ALLOC_ZVAL(*varptr_ptr);
+               INIT_ZVAL(**varptr_ptr);
+               Z_SET_REFCOUNT_PP(varptr_ptr, 0);
+       }
+
+       if (EX(function_state).function->type == ZEND_INTERNAL_FUNCTION && !ARG_SHOULD_BE_SENT_BY_REF(EX(fbc), opline->op2.u.opline_num)) {
+               ZEND_VM_DISPATCH_TO_HELPER(zend_send_by_var_helper);
+       }
 
        SEPARATE_ZVAL_TO_MAKE_IS_REF(varptr_ptr);
        varptr = *varptr_ptr;

diff --git a/Zend/zend_vm_execute.h b/Zend/zend_vm_execute.h
index 45f5c62c2add30fe9be0b1ebe7eac4db6a03c9fd..76a785c4b446db91fd2805fa0fc7118affc7815c 100644 (file)
--- a/Zend/zend_vm_execute.h
+++ b/Zend/zend_vm_execute.h
@@ -8341,9 +8341,16 @@ static int ZEND_FASTCALL  ZEND_SEND_REF_SPEC_VAR_HANDLER(ZEND_OPCODE_HANDLER_ARG
                zend_error_noreturn(E_ERROR, "Only variables can be passed by reference");
        }
 
-       if (EX(function_state).function->type == ZEND_INTERNAL_FUNCTION && !ARG_SHOULD_BE_SENT_BY_REF(EX(fbc), opline->op2.u.opline_num)) {
-               return zend_send_by_var_helper_SPEC_VAR(ZEND_OPCODE_HANDLER_ARGS_PASSTHRU);
-        }
+       if (IS_VAR == IS_VAR && *varptr_ptr == EG(error_zval_ptr)) {
+               Z_DELREF_PP(varptr_ptr);
+               ALLOC_ZVAL(*varptr_ptr);
+               INIT_ZVAL(**varptr_ptr);
+               Z_SET_REFCOUNT_PP(varptr_ptr, 0);
+       }
+
+       if (EX(function_state).function->type == ZEND_INTERNAL_FUNCTION && !ARG_SHOULD_BE_SENT_BY_REF(EX(fbc), opline->op2.u.opline_num)) {
+               return zend_send_by_var_helper_SPEC_VAR(ZEND_OPCODE_HANDLER_ARGS_PASSTHRU);
+       }
 
        SEPARATE_ZVAL_TO_MAKE_IS_REF(varptr_ptr);
        varptr = *varptr_ptr;
@@ -22207,9 +22214,16 @@ static int ZEND_FASTCALL  ZEND_SEND_REF_SPEC_CV_HANDLER(ZEND_OPCODE_HANDLER_ARGS
                zend_error_noreturn(E_ERROR, "Only variables can be passed by reference");
        }
 
-       if (EX(function_state).function->type == ZEND_INTERNAL_FUNCTION && !ARG_SHOULD_BE_SENT_BY_REF(EX(fbc), opline->op2.u.opline_num)) {
-               return zend_send_by_var_helper_SPEC_CV(ZEND_OPCODE_HANDLER_ARGS_PASSTHRU);
-        }
+       if (IS_CV == IS_VAR && *varptr_ptr == EG(error_zval_ptr)) {
+               Z_DELREF_PP(varptr_ptr);
+               ALLOC_ZVAL(*varptr_ptr);
+               INIT_ZVAL(**varptr_ptr);
+               Z_SET_REFCOUNT_PP(varptr_ptr, 0);
+       }
+
+       if (EX(function_state).function->type == ZEND_INTERNAL_FUNCTION && !ARG_SHOULD_BE_SENT_BY_REF(EX(fbc), opline->op2.u.opline_num)) {
+               return zend_send_by_var_helper_SPEC_CV(ZEND_OPCODE_HANDLER_ARGS_PASSTHRU);
+       }
 
        SEPARATE_ZVAL_TO_MAKE_IS_REF(varptr_ptr);
        varptr = *varptr_ptr;