Fixed bug #39304 (Segmentation fault with list unpacking of string offset)
authorDmitry Stogov <dmitry@php.net>
Mon, 30 Oct 2006 11:05:00 +0000 (11:05 +0000)
committerDmitry Stogov <dmitry@php.net>
Mon, 30 Oct 2006 11:05:00 +0000 (11:05 +0000)
NEWS
Zend/tests/bug39304.phpt [new file with mode: 0755]
Zend/zend_vm_def.h
Zend/zend_vm_execute.h

diff --git a/NEWS b/NEWS
index b6766f3cfb056e7c4521420b9dfebf450c7498de..69b542af25838faea6e3fc621c5974ab10c3eeea 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -1,8 +1,11 @@
 PHP                                                                        NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 00 Oct 2006, PHP 5.2.0RC7
+- Fixed bug #39304 (Segmentation fault with list unpacking of string offset).
+  (Dmitry)
 - Fixed bug #39192 (Not including nsapi.h properly with SJSWS 7).
   This will make PHP 5.2 compatible to new Sun Webserver. (Uwe)
+
 19 Oct 2006, PHP 5.2.0RC6
 - Fixed invalid read in imagecreatefrompng when an empty file is given
   (Pierre, Tony)
diff --git a/Zend/tests/bug39304.phpt b/Zend/tests/bug39304.phpt
new file mode 100755 (executable)
index 0000000..9e4416c
--- /dev/null
@@ -0,0 +1,9 @@
+--TEST--
+Bug #39304 (Segmentation fault with list unpacking of string offset)
+--FILE--
+<?php 
+  $s = "";
+  list($a, $b) = $s[0];
+?>
+--EXPECTF--
+Fatal error: Cannot use string offset as an array in %sbug39304.php on line 3
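Review bot: The test pins only the empty-string case, so it does not show whether the fix also holds when the string offset is in range; the crash presumably came from the lock taken on the operand before the dimension fetch rather than from the offset value, so a sibling .phpt with `$s = "abc"; list($a, $b) = $s[0];` and the same expected fatal error would confirm the fix is not specific to an out-of-range offset. Each case needs its own file because the fatal error ends the script. The test is also executable (mode 0755), which other .phpt files in the tree generally are not; a plain 0644 mode is probably what was intended.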
index ef44ed108a1eb7a2d00b3b454150504a5e192f1a..ba3b74ae6e1a31a456c0af030da7723d0e758dee 100644 (file)
@@ -1041,7 +1041,9 @@ ZEND_VM_HANDLER(81, ZEND_FETCH_DIM_R, VAR|CV, CONST|TMP|VAR|CV)
        zend_free_op free_op1, free_op2;
        zval *dim = GET_OP2_ZVAL_PTR(BP_VAR_R);
 
-       if (opline->extended_value == ZEND_FETCH_ADD_LOCK && OP1_TYPE != IS_CV) {
+       if (opline->extended_value == ZEND_FETCH_ADD_LOCK &&
+           OP1_TYPE != IS_CV &&
+           EX_T(opline->op1.u.var).var.ptr_ptr) {
                PZVAL_LOCK(*EX_T(opline->op1.u.var).var.ptr_ptr);
        }
        zend_fetch_dimension_address(RETURN_VALUE_UNUSED(&opline->result)?NULL:&EX_T(opline->result.u.var), GET_OP1_ZVAL_PTR_PTR(BP_VAR_R), dim, IS_OP2_TMP_FREE(), BP_VAR_R TSRMLS_CC);
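Review bot: The new `EX_T(opline->op1.u.var).var.ptr_ptr` test skips the lock silently, and nothing in the handler says why a VAR operand can arrive with a NULL `ptr_ptr`; given the test's expected "Cannot use string offset as an array" fatal error this is presumably the string-offset representation, with the error raised later by zend_fetch_dimension_address(). I would document that so the guard is not mistaken for a generic NULL check, e.g. `/* ptr_ptr is NULL when op1 is a string offset rather than a real zval: nothing to lock here, zend_fetch_dimension_address() reports the error */`. It is also worth confirming that the unlock side of ZEND_FETCH_ADD_LOCK, taken inside GET_OP1_ZVAL_PTR_PTR on the next line, stays balanced now that the lock is skipped for that case; the unlock is not visible from this hunk. The handler's body continues past the hunk.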
index f23e6ab835133d03b4444775c4cf637faa85b7ec..19ecb88300b5ec85b1322e81ae03c67c87b6c8c3 100644 (file)
@@ -8855,7 +8855,9 @@ static int ZEND_FETCH_DIM_R_SPEC_VAR_CONST_HANDLER(ZEND_OPCODE_HANDLER_ARGS)
        zend_free_op free_op1;
        zval *dim = &opline->op2.u.constant;
 
-       if (opline->extended_value == ZEND_FETCH_ADD_LOCK && IS_VAR != IS_CV) {
+       if (opline->extended_value == ZEND_FETCH_ADD_LOCK &&
+           IS_VAR != IS_CV &&
+           EX_T(opline->op1.u.var).var.ptr_ptr) {
                PZVAL_LOCK(*EX_T(opline->op1.u.var).var.ptr_ptr);
        }
        zend_fetch_dimension_address(RETURN_VALUE_UNUSED(&opline->result)?NULL:&EX_T(opline->result.u.var), _get_zval_ptr_ptr_var(&opline->op1, EX(Ts), &free_op1 TSRMLS_CC), dim, 0, BP_VAR_R TSRMLS_CC);
@@ -10338,7 +10340,9 @@ static int ZEND_FETCH_DIM_R_SPEC_VAR_TMP_HANDLER(ZEND_OPCODE_HANDLER_ARGS)
        zend_free_op free_op1, free_op2;
        zval *dim = _get_zval_ptr_tmp(&opline->op2, EX(Ts), &free_op2 TSRMLS_CC);
 
-       if (opline->extended_value == ZEND_FETCH_ADD_LOCK && IS_VAR != IS_CV) {
+       if (opline->extended_value == ZEND_FETCH_ADD_LOCK &&
+           IS_VAR != IS_CV &&
+           EX_T(opline->op1.u.var).var.ptr_ptr) {
                PZVAL_LOCK(*EX_T(opline->op1.u.var).var.ptr_ptr);
        }
        zend_fetch_dimension_address(RETURN_VALUE_UNUSED(&opline->result)?NULL:&EX_T(opline->result.u.var), _get_zval_ptr_ptr_var(&opline->op1, EX(Ts), &free_op1 TSRMLS_CC), dim, 1, BP_VAR_R TSRMLS_CC);
@@ -11824,7 +11828,9 @@ static int ZEND_FETCH_DIM_R_SPEC_VAR_VAR_HANDLER(ZEND_OPCODE_HANDLER_ARGS)
        zend_free_op free_op1, free_op2;
        zval *dim = _get_zval_ptr_var(&opline->op2, EX(Ts), &free_op2 TSRMLS_CC);
 
-       if (opline->extended_value == ZEND_FETCH_ADD_LOCK && IS_VAR != IS_CV) {
+       if (opline->extended_value == ZEND_FETCH_ADD_LOCK &&
+           IS_VAR != IS_CV &&
+           EX_T(opline->op1.u.var).var.ptr_ptr) {
                PZVAL_LOCK(*EX_T(opline->op1.u.var).var.ptr_ptr);
        }
        zend_fetch_dimension_address(RETURN_VALUE_UNUSED(&opline->result)?NULL:&EX_T(opline->result.u.var), _get_zval_ptr_ptr_var(&opline->op1, EX(Ts), &free_op1 TSRMLS_CC), dim, 0, BP_VAR_R TSRMLS_CC);
@@ -13782,7 +13788,9 @@ static int ZEND_FETCH_DIM_R_SPEC_VAR_CV_HANDLER(ZEND_OPCODE_HANDLER_ARGS)
        zend_free_op free_op1;
        zval *dim = _get_zval_ptr_cv(&opline->op2, EX(Ts), BP_VAR_R TSRMLS_CC);
 
-       if (opline->extended_value == ZEND_FETCH_ADD_LOCK && IS_VAR != IS_CV) {
+       if (opline->extended_value == ZEND_FETCH_ADD_LOCK &&
+           IS_VAR != IS_CV &&
+           EX_T(opline->op1.u.var).var.ptr_ptr) {
                PZVAL_LOCK(*EX_T(opline->op1.u.var).var.ptr_ptr);
        }
        zend_fetch_dimension_address(RETURN_VALUE_UNUSED(&opline->result)?NULL:&EX_T(opline->result.u.var), _get_zval_ptr_ptr_var(&opline->op1, EX(Ts), &free_op1 TSRMLS_CC), dim, 0, BP_VAR_R TSRMLS_CC);
@@ -20749,7 +20757,9 @@ static int ZEND_FETCH_DIM_R_SPEC_CV_CONST_HANDLER(ZEND_OPCODE_HANDLER_ARGS)
 
        zval *dim = &opline->op2.u.constant;
 
-       if (opline->extended_value == ZEND_FETCH_ADD_LOCK && IS_CV != IS_CV) {
+       if (opline->extended_value == ZEND_FETCH_ADD_LOCK &&
+           IS_CV != IS_CV &&
+           EX_T(opline->op1.u.var).var.ptr_ptr) {
                PZVAL_LOCK(*EX_T(opline->op1.u.var).var.ptr_ptr);
        }
        zend_fetch_dimension_address(RETURN_VALUE_UNUSED(&opline->result)?NULL:&EX_T(opline->result.u.var), _get_zval_ptr_ptr_cv(&opline->op1, EX(Ts), BP_VAR_R TSRMLS_CC), dim, 0, BP_VAR_R TSRMLS_CC);
@@ -22224,7 +22234,9 @@ static int ZEND_FETCH_DIM_R_SPEC_CV_TMP_HANDLER(ZEND_OPCODE_HANDLER_ARGS)
        zend_free_op free_op2;
        zval *dim = _get_zval_ptr_tmp(&opline->op2, EX(Ts), &free_op2 TSRMLS_CC);
 
-       if (opline->extended_value == ZEND_FETCH_ADD_LOCK && IS_CV != IS_CV) {
+       if (opline->extended_value == ZEND_FETCH_ADD_LOCK &&
+           IS_CV != IS_CV &&
+           EX_T(opline->op1.u.var).var.ptr_ptr) {
                PZVAL_LOCK(*EX_T(opline->op1.u.var).var.ptr_ptr);
        }
        zend_fetch_dimension_address(RETURN_VALUE_UNUSED(&opline->result)?NULL:&EX_T(opline->result.u.var), _get_zval_ptr_ptr_cv(&opline->op1, EX(Ts), BP_VAR_R TSRMLS_CC), dim, 1, BP_VAR_R TSRMLS_CC);
@@ -23702,7 +23714,9 @@ static int ZEND_FETCH_DIM_R_SPEC_CV_VAR_HANDLER(ZEND_OPCODE_HANDLER_ARGS)
        zend_free_op free_op2;
        zval *dim = _get_zval_ptr_var(&opline->op2, EX(Ts), &free_op2 TSRMLS_CC);
 
-       if (opline->extended_value == ZEND_FETCH_ADD_LOCK && IS_CV != IS_CV) {
+       if (opline->extended_value == ZEND_FETCH_ADD_LOCK &&
+           IS_CV != IS_CV &&
+           EX_T(opline->op1.u.var).var.ptr_ptr) {
                PZVAL_LOCK(*EX_T(opline->op1.u.var).var.ptr_ptr);
        }
        zend_fetch_dimension_address(RETURN_VALUE_UNUSED(&opline->result)?NULL:&EX_T(opline->result.u.var), _get_zval_ptr_ptr_cv(&opline->op1, EX(Ts), BP_VAR_R TSRMLS_CC), dim, 0, BP_VAR_R TSRMLS_CC);
@@ -25650,7 +25664,9 @@ static int ZEND_FETCH_DIM_R_SPEC_CV_CV_HANDLER(ZEND_OPCODE_HANDLER_ARGS)
 
        zval *dim = _get_zval_ptr_cv(&opline->op2, EX(Ts), BP_VAR_R TSRMLS_CC);
 
-       if (opline->extended_value == ZEND_FETCH_ADD_LOCK && IS_CV != IS_CV) {
+       if (opline->extended_value == ZEND_FETCH_ADD_LOCK &&
+           IS_CV != IS_CV &&
+           EX_T(opline->op1.u.var).var.ptr_ptr) {
                PZVAL_LOCK(*EX_T(opline->op1.u.var).var.ptr_ptr);
        }
        zend_fetch_dimension_address(RETURN_VALUE_UNUSED(&opline->result)?NULL:&EX_T(opline->result.u.var), _get_zval_ptr_ptr_cv(&opline->op1, EX(Ts), BP_VAR_R TSRMLS_CC), dim, 0, BP_VAR_R TSRMLS_CC);