Fixed bug #39304 (Segmentation fault with list unpacking of string offset)

author Dmitry Stogov <dmitry@php.net>

Mon, 30 Oct 2006 11:04:47 +0000 (11:04 +0000)

committer Dmitry Stogov <dmitry@php.net>

Mon, 30 Oct 2006 11:04:47 +0000 (11:04 +0000)
author Dmitry Stogov <dmitry@php.net>
Mon, 30 Oct 2006 11:04:47 +0000 (11:04 +0000)
committer Dmitry Stogov <dmitry@php.net>
Mon, 30 Oct 2006 11:04:47 +0000 (11:04 +0000)
diff --git a/Zend/tests/bug39304.phpt b/Zend/tests/bug39304.phpt

new file mode 100755 (executable)

index 0000000..9e4416c
--- /dev/null
+++ b/Zend/tests/bug39304.phpt
@@ -0,0 +1,9 @@
+--TEST--
+Bug #39304 (Segmentation fault with list unpacking of string offset)
+--FILE--
+<?php 
+  $s = "";
+  list($a, $b) = $s[0];
+?>
+--EXPECTF--
+Fatal error: Cannot use string offset as an array in %sbug39304.php on line 3
diff --git a/Zend/zend_vm_def.h b/Zend/zend_vm_def.h

index fc398d7b695dc1293a7269e9d0d20745d1bdb380..30a3034de481d0d83387824b66fff6dd07c9db1e 100644 (file)
--- a/Zend/zend_vm_def.h
+++ b/Zend/zend_vm_def.h
@@ -1055,7 +1055,9 @@ ZEND_VM_HANDLER(81, ZEND_FETCH_DIM_R, VAR|CV, CONST|TMP|VAR|CV)
         zend_free_op free_op1, free_op2;
         zval *dim = GET_OP2_ZVAL_PTR(BP_VAR_R);
  
-       if (opline->extended_value == ZEND_FETCH_ADD_LOCK && OP1_TYPE != IS_CV) {
+       if (opline->extended_value == ZEND_FETCH_ADD_LOCK &&
+           OP1_TYPE != IS_CV &&
+           EX_T(opline->op1.u.var).var.ptr_ptr) {
                 PZVAL_LOCK(*EX_T(opline->op1.u.var).var.ptr_ptr);
         }
         zend_fetch_dimension_address(RETURN_VALUE_UNUSED(&opline->result)?NULL:&EX_T(opline->result.u.var), GET_OP1_ZVAL_PTR_PTR(BP_VAR_R), dim, IS_OP2_TMP_FREE(), BP_VAR_R TSRMLS_CC);
diff --git a/Zend/zend_vm_execute.h b/Zend/zend_vm_execute.h

index d31a89159b20ad99772bf7193829ca2913d62c0f..fb986159692c44d9c83ab0e0ef660043d8478406 100644 (file)
--- a/Zend/zend_vm_execute.h
+++ b/Zend/zend_vm_execute.h
@@ -9030,7 +9030,9 @@ static int ZEND_FETCH_DIM_R_SPEC_VAR_CONST_HANDLER(ZEND_OPCODE_HANDLER_ARGS)
         zend_free_op free_op1;
         zval *dim = &opline->op2.u.constant;
  
-       if (opline->extended_value == ZEND_FETCH_ADD_LOCK && IS_VAR != IS_CV) {
+       if (opline->extended_value == ZEND_FETCH_ADD_LOCK &&
+           IS_VAR != IS_CV &&
+           EX_T(opline->op1.u.var).var.ptr_ptr) {
                 PZVAL_LOCK(*EX_T(opline->op1.u.var).var.ptr_ptr);
         }
         zend_fetch_dimension_address(RETURN_VALUE_UNUSED(&opline->result)?NULL:&EX_T(opline->result.u.var), _get_zval_ptr_ptr_var(&opline->op1, EX(Ts), &free_op1 TSRMLS_CC), dim, 0, BP_VAR_R TSRMLS_CC);
@@ -10567,7 +10569,9 @@ static int ZEND_FETCH_DIM_R_SPEC_VAR_TMP_HANDLER(ZEND_OPCODE_HANDLER_ARGS)
         zend_free_op free_op1, free_op2;
         zval *dim = _get_zval_ptr_tmp(&opline->op2, EX(Ts), &free_op2 TSRMLS_CC);
  
-       if (opline->extended_value == ZEND_FETCH_ADD_LOCK && IS_VAR != IS_CV) {
+       if (opline->extended_value == ZEND_FETCH_ADD_LOCK &&
+           IS_VAR != IS_CV &&
+           EX_T(opline->op1.u.var).var.ptr_ptr) {
                 PZVAL_LOCK(*EX_T(opline->op1.u.var).var.ptr_ptr);
         }
         zend_fetch_dimension_address(RETURN_VALUE_UNUSED(&opline->result)?NULL:&EX_T(opline->result.u.var), _get_zval_ptr_ptr_var(&opline->op1, EX(Ts), &free_op1 TSRMLS_CC), dim, 1, BP_VAR_R TSRMLS_CC);
@@ -12107,7 +12111,9 @@ static int ZEND_FETCH_DIM_R_SPEC_VAR_VAR_HANDLER(ZEND_OPCODE_HANDLER_ARGS)
         zend_free_op free_op1, free_op2;
         zval *dim = _get_zval_ptr_var(&opline->op2, EX(Ts), &free_op2 TSRMLS_CC);
  
-       if (opline->extended_value == ZEND_FETCH_ADD_LOCK && IS_VAR != IS_CV) {
+       if (opline->extended_value == ZEND_FETCH_ADD_LOCK &&
+           IS_VAR != IS_CV &&
+           EX_T(opline->op1.u.var).var.ptr_ptr) {
                 PZVAL_LOCK(*EX_T(opline->op1.u.var).var.ptr_ptr);
         }
         zend_fetch_dimension_address(RETURN_VALUE_UNUSED(&opline->result)?NULL:&EX_T(opline->result.u.var), _get_zval_ptr_ptr_var(&opline->op1, EX(Ts), &free_op1 TSRMLS_CC), dim, 0, BP_VAR_R TSRMLS_CC);
@@ -14120,7 +14126,9 @@ static int ZEND_FETCH_DIM_R_SPEC_VAR_CV_HANDLER(ZEND_OPCODE_HANDLER_ARGS)
         zend_free_op free_op1;
         zval *dim = _get_zval_ptr_cv(&opline->op2, EX(Ts), BP_VAR_R TSRMLS_CC);
  
-       if (opline->extended_value == ZEND_FETCH_ADD_LOCK && IS_VAR != IS_CV) {
+       if (opline->extended_value == ZEND_FETCH_ADD_LOCK &&
+           IS_VAR != IS_CV &&
+           EX_T(opline->op1.u.var).var.ptr_ptr) {
                 PZVAL_LOCK(*EX_T(opline->op1.u.var).var.ptr_ptr);
         }
         zend_fetch_dimension_address(RETURN_VALUE_UNUSED(&opline->result)?NULL:&EX_T(opline->result.u.var), _get_zval_ptr_ptr_var(&opline->op1, EX(Ts), &free_op1 TSRMLS_CC), dim, 0, BP_VAR_R TSRMLS_CC);
@@ -21416,7 +21424,9 @@ static int ZEND_FETCH_DIM_R_SPEC_CV_CONST_HANDLER(ZEND_OPCODE_HANDLER_ARGS)
  
         zval *dim = &opline->op2.u.constant;
  
-       if (opline->extended_value == ZEND_FETCH_ADD_LOCK && IS_CV != IS_CV) {
+       if (opline->extended_value == ZEND_FETCH_ADD_LOCK &&
+           IS_CV != IS_CV &&
+           EX_T(opline->op1.u.var).var.ptr_ptr) {
                 PZVAL_LOCK(*EX_T(opline->op1.u.var).var.ptr_ptr);
         }
         zend_fetch_dimension_address(RETURN_VALUE_UNUSED(&opline->result)?NULL:&EX_T(opline->result.u.var), _get_zval_ptr_ptr_cv(&opline->op1, EX(Ts), BP_VAR_R TSRMLS_CC), dim, 0, BP_VAR_R TSRMLS_CC);
@@ -22945,7 +22955,9 @@ static int ZEND_FETCH_DIM_R_SPEC_CV_TMP_HANDLER(ZEND_OPCODE_HANDLER_ARGS)
         zend_free_op free_op2;
         zval *dim = _get_zval_ptr_tmp(&opline->op2, EX(Ts), &free_op2 TSRMLS_CC);
  
-       if (opline->extended_value == ZEND_FETCH_ADD_LOCK && IS_CV != IS_CV) {
+       if (opline->extended_value == ZEND_FETCH_ADD_LOCK &&
+           IS_CV != IS_CV &&
+           EX_T(opline->op1.u.var).var.ptr_ptr) {
                 PZVAL_LOCK(*EX_T(opline->op1.u.var).var.ptr_ptr);
         }
         zend_fetch_dimension_address(RETURN_VALUE_UNUSED(&opline->result)?NULL:&EX_T(opline->result.u.var), _get_zval_ptr_ptr_cv(&opline->op1, EX(Ts), BP_VAR_R TSRMLS_CC), dim, 1, BP_VAR_R TSRMLS_CC);
@@ -24477,7 +24489,9 @@ static int ZEND_FETCH_DIM_R_SPEC_CV_VAR_HANDLER(ZEND_OPCODE_HANDLER_ARGS)
         zend_free_op free_op2;
         zval *dim = _get_zval_ptr_var(&opline->op2, EX(Ts), &free_op2 TSRMLS_CC);
  
-       if (opline->extended_value == ZEND_FETCH_ADD_LOCK && IS_CV != IS_CV) {
+       if (opline->extended_value == ZEND_FETCH_ADD_LOCK &&
+           IS_CV != IS_CV &&
+           EX_T(opline->op1.u.var).var.ptr_ptr) {
                 PZVAL_LOCK(*EX_T(opline->op1.u.var).var.ptr_ptr);
         }
         zend_fetch_dimension_address(RETURN_VALUE_UNUSED(&opline->result)?NULL:&EX_T(opline->result.u.var), _get_zval_ptr_ptr_cv(&opline->op1, EX(Ts), BP_VAR_R TSRMLS_CC), dim, 0, BP_VAR_R TSRMLS_CC);
@@ -26480,7 +26494,9 @@ static int ZEND_FETCH_DIM_R_SPEC_CV_CV_HANDLER(ZEND_OPCODE_HANDLER_ARGS)
  
         zval *dim = _get_zval_ptr_cv(&opline->op2, EX(Ts), BP_VAR_R TSRMLS_CC);
  
-       if (opline->extended_value == ZEND_FETCH_ADD_LOCK && IS_CV != IS_CV) {
+       if (opline->extended_value == ZEND_FETCH_ADD_LOCK &&
+           IS_CV != IS_CV &&
+           EX_T(opline->op1.u.var).var.ptr_ptr) {
                 PZVAL_LOCK(*EX_T(opline->op1.u.var).var.ptr_ptr);
         }
         zend_fetch_dimension_address(RETURN_VALUE_UNUSED(&opline->result)?NULL:&EX_T(opline->result.u.var), _get_zval_ptr_ptr_cv(&opline->op1, EX(Ts), BP_VAR_R TSRMLS_CC), dim, 0, BP_VAR_R TSRMLS_CC);
author	Dmitry Stogov <dmitry@php.net>
	Mon, 30 Oct 2006 11:04:47 +0000 (11:04 +0000)
committer	Dmitry Stogov <dmitry@php.net>
	Mon, 30 Oct 2006 11:04:47 +0000 (11:04 +0000)
Zend/tests/bug39304.phpt	[new file with mode: 0755]	patch \| blob
Zend/zend_vm_def.h		patch \| blob \| history
Zend/zend_vm_execute.h		patch \| blob \| history