Fixed bug #69732 (can induce segmentation fault with basic php code).

diff --git a/NEWS b/NEWS
index 9e455df7c17498e9963694d9cd433c70c0782620..0463d11dcbf86ca4b151af9c3648dbce486adbaf 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -11,6 +11,8 @@
     (Christoph M. Becker)
   . Fixed bug #69703 (Use __builtin_clzl on PowerPC).
     (dja at axtens dot net, Kalle)
+  . Fixed bug #69732 (can induce segmentation fault with basic php code).
+    (Dmitry)
 
 - GD:
   . Fixed bug #69479 (GD fails to build with newer libvpx). (Remi)

diff --git a/Zend/tests/bug69732.phpt b/Zend/tests/bug69732.phpt
new file mode 100644 (file)
index 0000000..2ea5e58
--- /dev/null
+++ b/Zend/tests/bug69732.phpt
@@ -0,0 +1,30 @@
+--TEST--
+Bug #69732 (can induce segmentation fault with basic php code)
+--FILE--
+<?php
+class wpq {
+    private $unreferenced;
+ 
+    public function __get($name) {
+        return $this->$name . "XXX";
+    }
+}
+ 
+function ret_assoc() {
+       $x = "XXX";
+    return array('foo' => 'bar', $x);
+}
+ 
+$wpq = new wpq;
+$wpq->interesting =& ret_assoc();
+$x = $wpq->interesting;
+printf("%s\n", $x);
+--EXPECTF--
+Notice: Undefined property: wpq::$interesting in %sbug69732.php on line 6
+
+Notice: Indirect modification of overloaded property wpq::$interesting has no effect in %sbug69732.php on line 16
+
+Strict Standards: Only variables should be assigned by reference in %sbug69732.php on line 16
+
+Notice: Undefined property: wpq::$interesting in %sbug69732.php on line 6
+XXX

diff --git a/Zend/zend_vm_def.h b/Zend/zend_vm_def.h
index 040ab74db0a7aeaad14e59905da7224112574903..94b65e4939b0407d806f56b5e01368f9838c33e0 100644 (file)
--- a/Zend/zend_vm_def.h
+++ b/Zend/zend_vm_def.h
@@ -1762,7 +1762,9 @@ ZEND_VM_HANDLER(38, ZEND_ASSIGN, VAR|CV, CONST|TMP|VAR|CV)
                }
        }
 
-       FREE_OP1_VAR_PTR();
+       if (OP1_TYPE == IS_VAR && OP1_FREE) {
+               zval_ptr_dtor(&value);
+       }
 
        /* zend_assign_to_variable() always takes care of op2, never free it! */
        FREE_OP2_IF_VAR();

diff --git a/Zend/zend_vm_execute.h b/Zend/zend_vm_execute.h
index 6ab02321d591dee456ca01348c74d91bc5d99d08..0b2b24c46eff02c820ca026b2831f9f63c3ff2f3 100644 (file)
--- a/Zend/zend_vm_execute.h
+++ b/Zend/zend_vm_execute.h
@@ -15307,7 +15307,9 @@ static int ZEND_FASTCALL  ZEND_ASSIGN_SPEC_VAR_CONST_HANDLER(ZEND_OPCODE_HANDLER
                }
        }
 
-       if (free_op1.var) {zval_ptr_dtor(&free_op1.var);};
+       if (IS_VAR == IS_VAR && (free_op1.var != NULL)) {
+               zval_ptr_dtor(&value);
+       }
 
        /* zend_assign_to_variable() always takes care of op2, never free it! */
 
@@ -17662,7 +17664,9 @@ static int ZEND_FASTCALL  ZEND_ASSIGN_SPEC_VAR_TMP_HANDLER(ZEND_OPCODE_HANDLER_A
                }
        }
 
-       if (free_op1.var) {zval_ptr_dtor(&free_op1.var);};
+       if (IS_VAR == IS_VAR && (free_op1.var != NULL)) {
+               zval_ptr_dtor(&value);
+       }
 
        /* zend_assign_to_variable() always takes care of op2, never free it! */
 
@@ -19923,7 +19927,9 @@ static int ZEND_FASTCALL  ZEND_ASSIGN_SPEC_VAR_VAR_HANDLER(ZEND_OPCODE_HANDLER_A
                }
        }
 
-       if (free_op1.var) {zval_ptr_dtor(&free_op1.var);};
+       if (IS_VAR == IS_VAR && (free_op1.var != NULL)) {
+               zval_ptr_dtor(&value);
+       }
 
        /* zend_assign_to_variable() always takes care of op2, never free it! */
        if (free_op2.var) {zval_ptr_dtor(&free_op2.var);};
@@ -23395,7 +23401,9 @@ static int ZEND_FASTCALL  ZEND_ASSIGN_SPEC_VAR_CV_HANDLER(ZEND_OPCODE_HANDLER_AR
                }
        }
 
-       if (free_op1.var) {zval_ptr_dtor(&free_op1.var);};
+       if (IS_VAR == IS_VAR && (free_op1.var != NULL)) {
+               zval_ptr_dtor(&value);
+       }
 
        /* zend_assign_to_variable() always takes care of op2, never free it! */
 
@@ -32828,6 +32836,10 @@ static int ZEND_FASTCALL  ZEND_ASSIGN_SPEC_CV_CONST_HANDLER(ZEND_OPCODE_HANDLER_
                }
        }
 
+       if (IS_CV == IS_VAR && 0) {
+               zval_ptr_dtor(&value);
+       }
+
        /* zend_assign_to_variable() always takes care of op2, never free it! */
 
        CHECK_EXCEPTION();
@@ -34948,6 +34960,10 @@ static int ZEND_FASTCALL  ZEND_ASSIGN_SPEC_CV_TMP_HANDLER(ZEND_OPCODE_HANDLER_AR
                }
        }
 
+       if (IS_CV == IS_VAR && 0) {
+               zval_ptr_dtor(&value);
+       }
+
        /* zend_assign_to_variable() always takes care of op2, never free it! */
 
        CHECK_EXCEPTION();
@@ -37071,6 +37087,10 @@ static int ZEND_FASTCALL  ZEND_ASSIGN_SPEC_CV_VAR_HANDLER(ZEND_OPCODE_HANDLER_AR
                }
        }
 
+       if (IS_CV == IS_VAR && 0) {
+               zval_ptr_dtor(&value);
+       }
+
        /* zend_assign_to_variable() always takes care of op2, never free it! */
        if (free_op2.var) {zval_ptr_dtor(&free_op2.var);};
 
@@ -40256,6 +40276,10 @@ static int ZEND_FASTCALL  ZEND_ASSIGN_SPEC_CV_CV_HANDLER(ZEND_OPCODE_HANDLER_ARG
                }
        }
 
+       if (IS_CV == IS_VAR && 0) {
+               zval_ptr_dtor(&value);
+       }
+
        /* zend_assign_to_variable() always takes care of op2, never free it! */
 
        CHECK_EXCEPTION();