Fixed bug #69805 (null ptr deref and seg fault in zend_resolve_class_name)

diff --git a/NEWS b/NEWS
index ac4ba7cc541a485b630039b57abd57166ce0aabb..77041ed089e9271e1311445fee82dbd6cf9ed50c 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -3,6 +3,8 @@ PHP                                                                        NEWS
 25 Jun 2015, PHP 7.0.0 Alpha 2
 
 - Core:
+  . Fixed bug #69805 (null ptr deref and seg fault in zend_resolve_class_name).
+    (Laruence)
   . Fixed bug #69551 (parse_ini_file() and parse_ini_string() segmentation
     fault). (Christoph M. Becker)
   . Fixed bug #69781 (phpinfo() reports Professional Editions of Windows

diff --git a/Zend/tests/bug69805.phpt b/Zend/tests/bug69805.phpt
new file mode 100644 (file)
index 0000000..c3ca62d
--- /dev/null
+++ b/Zend/tests/bug69805.phpt
@@ -0,0 +1,8 @@
+--TEST--
+Bug #69805 (null ptr deref and seg fault in zend_resolve_class_name)
+--FILE--
+<?php
+class p{public function c(){(0)::t;}}?>
+?>
+--EXPECTF--
+Fatal error: Illegal class name in %sbug69805.php on line %d

diff --git a/Zend/zend_compile.c b/Zend/zend_compile.c
index 9be3748ef45bac0bad1ff598a012811aa07e12a5..902d37c5038910956ece0b3883be1131f939ef57 100644 (file)
--- a/Zend/zend_compile.c
+++ b/Zend/zend_compile.c
@@ -855,8 +855,11 @@ zend_string *zend_resolve_class_name(zend_string *name, uint32_t type) /* {{{ */
 
 zend_string *zend_resolve_class_name_ast(zend_ast *ast) /* {{{ */
 {
-       zend_string *name = zend_ast_get_str(ast);
-       return zend_resolve_class_name(name, ast->attr);
+       zval *class_name = zend_ast_get_zval(ast);
+       if (Z_TYPE_P(class_name) != IS_STRING) {
+               zend_error_noreturn(E_COMPILE_ERROR, "Illegal class name");
+       }
+       return zend_resolve_class_name(Z_STR_P(class_name), ast->attr);
 }
 /* }}} */