Fixed bug #79783
authorNikita Popov <nikita.ppv@gmail.com>
Tue, 7 Jul 2020 07:55:28 +0000 (09:55 +0200)
committerNikita Popov <nikita.ppv@gmail.com>
Tue, 7 Jul 2020 07:56:14 +0000 (09:56 +0200)
Make sure we don't drop the by-reference check when passing the
result of a VM builtin function.

NEWS
Zend/tests/bug79783.phpt [new file with mode: 0644]
Zend/zend_compile.c

diff --git a/NEWS b/NEWS
index 4aaf8fb59c4bae3b7720fe449f0bd22da3b033d5..acb77999a52d0c74d8ab1684ddeacca97350455e 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -12,6 +12,7 @@ PHP                                                                        NEWS
 - Core:
   . Fixed bug #79740 (serialize() and unserialize() methods can not be called
     statically). (Nikita)
+  . Fixede bug #79783 (Segfault in php_str_replace_common). (Nikita)
 
 - Fileinfo:
   . Fixed bug #79756 (finfo_file crash (FILEINFO_MIME)). (cmb)
diff --git a/Zend/tests/bug79783.phpt b/Zend/tests/bug79783.phpt
new file mode 100644 (file)
index 0000000..959e90b
--- /dev/null
@@ -0,0 +1,11 @@
+--TEST--
+Bug #79783: Segfault in php_str_replace_common
+--FILE--
+<?php
+str_replace("a", "b", "c", strlen("d"));
+?>
+--EXPECTF--
+Fatal error: Uncaught Error: Cannot pass parameter 4 by reference in %s:%d
+Stack trace:
+#0 {main}
+  thrown in %s on line %d
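Review bot: The test covers only a callee that is resolved at compile time, so the `!fbc` half of the new condition in Zend/zend_compile.c is never exercised. A second case that reaches the function through a variable, e.g. `$f = 'str_replace'; $f("a", "b", "c", strlen("d"));`, would pin the runtime by-reference check for unresolved callees. Because the first call already ends in an uncaught Error, both calls would need to be wrapped in try/catch with the messages echoed and `--EXPECTF--` adjusted to match. That the dynamic form was affected before the fix is inferred from the condition, not shown on this page.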
index 8b36a0940e5726771e04a3f14b2bf586993ca1a6..10ea65f89d9ab3a5b350afc9929cd611d15e69e4 100644 (file)
@@ -3009,7 +3009,11 @@ uint32_t zend_compile_args(zend_ast *ast, zend_function *fbc) /* {{{ */
                                zend_compile_var(&arg_node, arg, BP_VAR_R, 0);
                                if (arg_node.op_type & (IS_CONST|IS_TMP_VAR)) {
                                        /* Function call was converted into builtin instruction */
-                                       opcode = ZEND_SEND_VAL;
+                                       if (!fbc || ARG_MUST_BE_SENT_BY_REF(fbc, arg_num)) {
+                                               opcode = ZEND_SEND_VAL_EX;
+                                       } else {
+                                               opcode = ZEND_SEND_VAL;
+                                       }
                                } else {
                                        if (fbc) {
                                                if (ARG_MUST_BE_SENT_BY_REF(fbc, arg_num)) {
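Review bot: The comment above the new branch does not say why the opcode now depends on `fbc`, only that the call was converted into a builtin instruction. The dropped check led to a segfault according to the commit title, so the invariant is worth stating in the code, e.g. `/* Result is CONST/TMP: emit SEND_VAL_EX so the by-reference check still runs when the callee is unknown or the parameter is by-ref */`. The rest of zend_compile_args lies outside the hunk, so it is worth confirming that no other branch there assigns `ZEND_SEND_VAL` without first consulting `fbc`.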