Fixed bug #69905 (null ptr deref and segfault in ZEND_FETCH_DIM_RW_SPEC_VAR_UNUSED_HANDLER)
authorDmitry Stogov <dmitry@zend.com>
Tue, 23 Jun 2015 13:26:40 +0000 (16:26 +0300)
committerDmitry Stogov <dmitry@zend.com>
Tue, 23 Jun 2015 13:26:40 +0000 (16:26 +0300)
Zend/tests/bug69905.phpt [new file with mode: 0644]
Zend/zend_execute.c

diff --git a/Zend/tests/bug69905.phpt b/Zend/tests/bug69905.phpt
new file mode 100644 (file)
index 0000000..fb25341
--- /dev/null
@@ -0,0 +1,11 @@
+--TEST--
+Bug #69905 (null ptr deref and segfault in ZEND_FETCH_DIM_RW_SPEC_VAR_UNUSED_HANDLER)
+--FILE--
+<?php
+md5(0)[]--;
+?>
+--EXPECTF--
+Fatal error: Uncaught Error: [] operator not supported for strings in %sbug69905.php:2
+Stack trace:
+#0 {main}
+  thrown in %sbug69905.php on line 2
index 246372fee2dae569ac6075f3f9cd808336470fd6..8fc40245c95025d741c0f286f9b676ea6276b680 100644 (file)
@@ -1682,11 +1682,11 @@ convert_to_array:
 
                if (dim == NULL) {
                        zend_error(E_EXCEPTION | E_ERROR, "[] operator not supported for strings");
+                       ZVAL_NULL(result);
                } else {
                        zend_check_string_offset(dim, type);
+                       ZVAL_INDIRECT(result, NULL); /* wrong string offset */
                }
-
-               ZVAL_INDIRECT(result, NULL); /* wrong string offset */
        } else if (EXPECTED(Z_TYPE_P(container) == IS_OBJECT)) {
                if (!Z_OBJ_HT_P(container)->read_dimension) {
                        zend_error(E_EXCEPTION | E_ERROR, "Cannot use object as array");
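Review bot: After this change the two error branches leave `result` in different states, `ZVAL_NULL(result)` when `dim == NULL` and `ZVAL_INDIRECT(result, NULL)` after `zend_check_string_offset(dim, type)`, and the only comment, `/* wrong string offset */`, does not explain the difference. I would state the contract on the added line, e.g. `ZVAL_NULL(result); /* error already raised: return a plain NULL zval, not an INDIRECT with a NULL target the handler would dereference */`, so a later cleanup does not merge the branches again and bring back the null dereference reported in bug #69905. The bad-offset branch still hands out an INDIRECT whose target is NULL, so every consumer has to test the target before using it; those consumers are outside this hunk and presumably already do, but that is worth confirming for each opcode that can reach this path. The enclosing function starts and ends outside the hunk.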