Fixed bug #74157 (Segfault with nested generators)

diff --git a/NEWS b/NEWS
index e5b94aa9b4b48ae5c401ad19bd2e97d2d056ce2e..63b7c180a2080e9aa76e56a7ed2f3a87e2b91cca 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -3,6 +3,7 @@ PHP                                                                        NEWS
 ?? ??? 2017, PHP 7.1.3
 
 - Core:
+  . Fixed bug #74157 (Segfault with nested generators). (Laruence)
   . Fixed bug #74164 (PHP hangs when an invalid value is dynamically passed to
     typehinted by-ref arg). (Laruence)
   . Fixed bug #74093 (Maximum execution time of n+2 seconds exceed not written

diff --git a/Zend/tests/generators/bug74157.phpt b/Zend/tests/generators/bug74157.phpt
new file mode 100644 (file)
index 0000000..d5f0233
--- /dev/null
+++ b/Zend/tests/generators/bug74157.phpt
@@ -0,0 +1,23 @@
+--TEST--
+Bug #74157 (Segfault with nested generators)
+--FILE--
+<?php
+
+function a() {
+       $a = $b = $c = 2;
+       foreach(range(1, 5) as $v) {
+               yield $v;
+       }
+       return;
+}
+
+foreach (a(range(1, 3)) as $a) {
+       var_dump($a);
+}
+?>
+--EXPECTF--
+int(1)
+int(2)
+int(3)
+int(4)
+int(5)

diff --git a/Zend/zend_vm_def.h b/Zend/zend_vm_def.h
index 80b06ff25a2395305cc9704e915b91119c2f6b53..00b1301948f9c7103cdbd9ad4839523faf492932 100644 (file)
--- a/Zend/zend_vm_def.h
+++ b/Zend/zend_vm_def.h
@@ -4093,7 +4093,7 @@ ZEND_VM_HANDLER(41, ZEND_GENERATOR_CREATE, ANY, ANY)
                 * is allocated on heap.
                 */
                num_args = EX_NUM_ARGS();
-               if (EXPECTED(num_args <= EX(func)->op_array.last_var)) {
+               if (EXPECTED(num_args <= EX(func)->op_array.num_args)) {
                        used_stack = (ZEND_CALL_FRAME_SLOT + EX(func)->op_array.last_var + EX(func)->op_array.T) * sizeof(zval);
                        gen_execute_data = (zend_execute_data*)emalloc(used_stack);
                        used_stack = (ZEND_CALL_FRAME_SLOT + EX(func)->op_array.last_var) * sizeof(zval);

diff --git a/Zend/zend_vm_execute.h b/Zend/zend_vm_execute.h
index 04f33ca12c63af731b07f6bdb4a0ba98c896e433..67107897f9bb753f9edabc3b16c47d8b58c53f39 100644 (file)
--- a/Zend/zend_vm_execute.h
+++ b/Zend/zend_vm_execute.h
@@ -1179,7 +1179,7 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_GENERATOR_CREATE_SPEC_HANDLER(
                 * is allocated on heap.
                 */
                num_args = EX_NUM_ARGS();
-               if (EXPECTED(num_args <= EX(func)->op_array.last_var)) {
+               if (EXPECTED(num_args <= EX(func)->op_array.num_args)) {
                        used_stack = (ZEND_CALL_FRAME_SLOT + EX(func)->op_array.last_var + EX(func)->op_array.T) * sizeof(zval);
                        gen_execute_data = (zend_execute_data*)emalloc(used_stack);
                        used_stack = (ZEND_CALL_FRAME_SLOT + EX(func)->op_array.last_var) * sizeof(zval);