Fix use after free for variables with integer names

author Nikita Popov <nikic@php.net>

Sun, 4 Jan 2015 16:57:23 +0000 (17:57 +0100)

committer Nikita Popov <nikic@php.net>

Sun, 4 Jan 2015 16:57:23 +0000 (17:57 +0100)
author Nikita Popov <nikic@php.net>
Sun, 4 Jan 2015 16:57:23 +0000 (17:57 +0100)
committer Nikita Popov <nikic@php.net>
Sun, 4 Jan 2015 16:57:23 +0000 (17:57 +0100)
diff --git a/Zend/tests/variable_with_integer_name.phpt b/Zend/tests/variable_with_integer_name.phpt

new file mode 100644 (file)

index 0000000..c31d469
--- /dev/null
+++ b/Zend/tests/variable_with_integer_name.phpt
@@ -0,0 +1,11 @@
+--TEST--
+Variable with integer name
+--FILE--
+<?php
+
+${10} = 42;
+var_dump(${10});
+
+?>
+--EXPECT--
+int(42)
diff --git a/Zend/zend_compile.c b/Zend/zend_compile.c

index 7f525ae5fcfce7962c9a62f498731a4eb7b0ec64..334d733f2939277480dad3124486ea1af1d72a3b 100644 (file)
--- a/Zend/zend_compile.c
+++ b/Zend/zend_compile.c
@@ -1950,6 +1950,9 @@ static int zend_try_compile_cv(znode *result, zend_ast *ast) /* {{{ */
                 result->op_type = IS_CV;
                 result->u.op.var = lookup_cv(CG(active_op_array), name);
  
+               /* lookup_cv may be using another zend_string instance  */
+               name = CG(active_op_array)->vars[EX_VAR_TO_NUM(result->u.op.var)];
+
                 if (zend_string_equals_literal(name, "this")) {
                         CG(active_op_array)->this_var = result->u.op.var;
                 }
author	Nikita Popov <nikic@php.net>
	Sun, 4 Jan 2015 16:57:23 +0000 (17:57 +0100)
committer	Nikita Popov <nikic@php.net>
	Sun, 4 Jan 2015 16:57:23 +0000 (17:57 +0100)
Zend/tests/variable_with_integer_name.phpt	[new file with mode: 0644]	patch \| blob
Zend/zend_compile.c		patch \| blob \| history