Fix out-of-bounds read in array compilation

UNPACK elements only have one child. Don't access the second one
until we have excluded this case.

diff --git a/Zend/zend_compile.c b/Zend/zend_compile.c
index fc6dcf5bb7f17843233e2cb11f202bbd66d8a99a..6682d2b4540c2b38cd6ee2b1aa6870f1571a8de4 100644 (file)
--- a/Zend/zend_compile.c
+++ b/Zend/zend_compile.c
@@ -7032,7 +7032,7 @@ static zend_bool zend_try_ct_eval_array(zval *result, zend_ast *ast) /* {{{ */
        for (i = 0; i < list->children; ++i) {
                zend_ast *elem_ast = list->child[i];
                zend_ast *value_ast = elem_ast->child[0];
-               zend_ast *key_ast = elem_ast->child[1];
+               zend_ast *key_ast;
 
                zval *value = zend_ast_get_zval(value_ast);
                if (elem_ast->kind == ZEND_AST_UNPACK) {
@@ -7060,6 +7060,7 @@ static zend_bool zend_try_ct_eval_array(zval *result, zend_ast *ast) /* {{{ */
                
                Z_TRY_ADDREF_P(value);
 
+               key_ast = elem_ast->child[1];
                if (key_ast) {
                        zval *key = zend_ast_get_zval(key_ast);
                        switch (Z_TYPE_P(key)) {
@@ -7823,8 +7824,6 @@ void zend_compile_array(znode *result, zend_ast *ast) /* {{{ */
                }
 
                value_ast = elem_ast->child[0];
-               key_ast = elem_ast->child[1];
-               by_ref = elem_ast->attr;
 
                if (elem_ast->kind == ZEND_AST_UNPACK) {
                        zend_compile_expr(&value_node, value_ast);
@@ -7836,6 +7835,9 @@ void zend_compile_array(znode *result, zend_ast *ast) /* {{{ */
                        continue;
                }
 
+               key_ast = elem_ast->child[1];
+               by_ref = elem_ast->attr;
+
                if (key_ast) {
                        zend_compile_expr(&key_node, key_ast);
                        zend_handle_numeric_op(&key_node);