Fixed bug #70124 (null ptr deref / seg fault in ZEND_HANDLE_EXCEPTION)
authorXinchen Hui <laruence@php.net>
Fri, 24 Jul 2015 07:49:01 +0000 (15:49 +0800)
committerXinchen Hui <laruence@php.net>
Fri, 24 Jul 2015 07:49:36 +0000 (15:49 +0800)
NEWS
Zend/tests/bug70124.phpt [new file with mode: 0644]
Zend/zend_execute.c

diff --git a/NEWS b/NEWS
index 8f5781375ee1ee230cd5149da407bfd0cf164360..66441f745b83fc761e42f30f173e91c4532b5bbf 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -3,6 +3,8 @@ PHP                                                                        NEWS
 06 Aug 2015, PHP 7.0.0 Beta 3
 
 - Core:
+  . Fixed bug #70124 (null ptr deref / seg fault in ZEND_HANDLE_EXCEPTION).
+    (Laruence)
   . Fixed bug #70117 (Unexpected return type error). (Laruence)
   . Fixed bug #70106 (Inheritance by anonymous class). (Bob)
 
diff --git a/Zend/tests/bug70124.phpt b/Zend/tests/bug70124.phpt
new file mode 100644 (file)
index 0000000..3138430
--- /dev/null
@@ -0,0 +1,47 @@
+--TEST--
+Bug #70124 (null ptr deref / seg fault in ZEND_HANDLE_EXCEPTION_SPEC_HANDLER)
+--FILE--
+<?php 
+
+try  {
+       echo base_convert([array_search(chr(48),chr(48),chr(48),chr(48),chr(48),$f("test"))],chr(48));
+} catch (Error $e) {
+       var_dump($e->getMessage());
+}
+
+class A {
+}
+
+try  {
+       echo base_convert([array_search(chr(48),chr(48),chr(48),chr(48),chr(48),a::y("test"))],chr(48));
+} catch (Error $e) {
+       var_dump($e->getMessage());
+}
+
+$a = new A;
+
+try  {
+       echo base_convert([array_search(chr(48),chr(48),chr(48),chr(48),chr(48),$a->y("test"))],chr(48));
+} catch (Error $e) {
+       var_dump($e->getMessage());
+}
+
+try  {
+       echo base_convert([array_search(chr(48),chr(48),chr(48),chr(48),chr(48),\bar\y("test"))],chr(48));
+} catch (Error $e) {
+       var_dump($e->getMessage());
+}
+
+try  {
+       echo base_convert([array_search(chr(48),chr(48),chr(48),chr(48),chr(48),y("test"))],chr(48));
+} catch (Error $e) {
+       var_dump($e->getMessage());
+}
+?>
+--EXPECTF--
+Notice: Undefined variable: f in %sbug70124.php on line %d
+string(30) "Function name must be a string"
+string(31) "Call to undefined method A::y()"
+string(31) "Call to undefined method A::y()"
+string(34) "Call to undefined function bar\y()"
+string(30) "Call to undefined function y()"
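Review bot: The new test gives no hint of what it exercises, so a later reader has to reconstruct from the zend_execute.c hunk why five near-identical `base_convert([array_search(...)])` calls are needed; a one-line comment after the `<?php` line would fix that, e.g. `// Each call below throws from a different INIT_*CALL opcode while a temporary array argument is still live, which exercised the null-pointer path in the exception cleanup (bug #70124).` The correspondence of the five cases to the five opcodes listed in the C hunk is inferred from their shape, so confirm it before wording the comment that precisely. Two small consistency points in the same hunk: the `--TEST--` title names `ZEND_HANDLE_EXCEPTION_SPEC_HANDLER` while the commit title and NEWS entry say `ZEND_HANDLE_EXCEPTION`, and the `<?php` opening line carries a trailing space.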
index 2d1bd5e3d0875dff86e63a8083775049aadf4f9a..065809f1a63df2107149bfeb4c096f49a419ce38 100644 (file)
@@ -2395,6 +2395,15 @@ static zend_always_inline void i_cleanup_unfinished_execution(zend_execute_data
                zend_op *opline = EX(func)->op_array.opcodes + op_num;
                int level;
                int do_exit;
+               
+               if (UNEXPECTED(opline->opcode == ZEND_INIT_FCALL ||
+                       opline->opcode == ZEND_INIT_FCALL_BY_NAME ||
+                       opline->opcode == ZEND_INIT_DYNAMIC_CALL ||
+                       opline->opcode == ZEND_INIT_METHOD_CALL ||
+                       opline->opcode == ZEND_INIT_STATIC_METHOD_CALL)) {
+                       ZEND_ASSERT(op_num);
+                       opline--;
+               }
 
                do {
                        /* If the exception was thrown during a function call there might be