Fixed bug #72162 (use-after-free - error_reporting)
authorXinchen Hui <laruence@gmail.com>
Thu, 5 May 2016 03:02:21 +0000 (11:02 +0800)
committerXinchen Hui <laruence@gmail.com>
Thu, 5 May 2016 03:02:21 +0000 (11:02 +0800)
NEWS
Zend/tests/bug72162.phpt [new file with mode: 0644]
Zend/zend_builtin_functions.c

diff --git a/NEWS b/NEWS
index 8da85888e29ae138d4388cb15a064f93cb318468..fcb4a8d41ed7b1d4bb67e3a5903c77dbe0af05d0 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -3,6 +3,7 @@ PHP                                                                        NEWS
 ?? ??? 2016 PHP 7.0.7
 
 - Core:
+  . Fixed bug #72162 (use-after-free - error_reporting). (Laruence)
   . Add compiler option to disable special case function calls. (Joe)
   . Fixed bug #72101 (crash on complex code). (Dmitry)
   . Fixed bug #72100 (implode() inserts garbage into resulting string when
diff --git a/Zend/tests/bug72162.phpt b/Zend/tests/bug72162.phpt
new file mode 100644 (file)
index 0000000..3cd12de
--- /dev/null
@@ -0,0 +1,11 @@
+--TEST--
+Bug #72162 (use-after-free - error_reporting)
+--FILE--
+<?php
+error_reporting(1);
+$var11 = new StdClass();
+$var16 = error_reporting($var11);
+?>
+okey
+--EXPECT--
+okey
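Review bot: The only assertion here is that the literal `okey` is printed, so the test catches the original use-after-free only if the freed string happens to crash the process or the suite runs under a memory checker such as valgrind or AddressSanitizer. `error_reporting(1)` also hides whatever diagnostic the failed object-to-string conversion raises, so the expected output says nothing about the level that ends up installed. Adding `var_dump(error_reporting());` before `?>` and pinning its output in `--EXPECT--` would document the intended result for an unconvertible argument.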
index a576455fa3bc798619840e439e67d82a770f55ae..558a1b2ac6ca7dfee3ef7b4be35850a1ec8f9ebc 100644 (file)
@@ -704,7 +704,8 @@ ZEND_FUNCTION(error_reporting)
 #endif
 
        old_error_reporting = EG(error_reporting);
-       if(ZEND_NUM_ARGS() != 0) {
+       if (ZEND_NUM_ARGS() != 0) {
+               zend_string *new_val = zval_get_string(err);
                do {
                        zend_ini_entry *p = EG(error_reporting_ini_entry);
 
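Review bot: `new_val` is now allocated before the `do { … } while` block, but its only visible consumer is the later `p->value = new_val;`, so any path that leaves the block before that assignment would leak the string. The lines between the two hunks are not shown; if they contain an early `break` (for example when the ini entry cannot be found), that path needs `zend_string_release(new_val);`. A short comment above the conversion would also help, e.g. `/* convert first: zval_get_string() can raise an error, which must not happen after p->value has been released */`. The body of ZEND_FUNCTION(error_reporting) starts and ends outside this hunk.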
@@ -730,7 +731,7 @@ ZEND_FUNCTION(error_reporting)
                                zend_string_release(p->value);
                        }
 
-                       p->value = zval_get_string(err);
+                       p->value = new_val;
                        if (Z_TYPE_P(err) == IS_LONG) {
                                EG(error_reporting) = Z_LVAL_P(err);
                        } else {
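Review bot: `p->value = new_val;` installs the conversion result unconditionally, including when the conversion failed, which is the case the new test drives with a `StdClass` argument. For a non-integer argument the level comes from the `else` branch, which continues past the end of this hunk. If that branch parses the stored string numerically, an unconvertible argument would presumably set the level to 0 and silence later diagnostics (inferred, not visible here). Consider leaving the setting untouched when the conversion fails, e.g. `if (EG(exception)) { zend_string_release(new_val); return; }` right after the conversion, for the case where the failure surfaces as an exception.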