Fixed bug #70290 (Null pointer deref (segfault) in spl_autoload via ob_start)

diff --git a/NEWS b/NEWS
index dc7417650f6a8379843a55e6d51472460e855539..89aa2c0ec840ce01e43407ecd38c5f6bd7e743e1 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -29,6 +29,10 @@ PHP                                                                        NEWS
 - PCRE:
   . Fixed bug #70232 (Incorrect bump-along behavior with \K and empty string
     match). (cmb)
+
+- SPL:
+  . Fixed bug #70290 (Null pointer deref (segfault) in spl_autoload via
+    ob_start). (hugh at allthethings dot co dot nz)
   
 - Standard:
   . Fixed bug #70052 (getimagesize() fails for very large and very small WBMP).

diff --git a/ext/spl/php_spl.c b/ext/spl/php_spl.c
index 6b886b7ef30befa4f67a5cca695ac5d0d839418d..3424b90aeaa2ebbbd4b54faa42bd0cc6aa2a35cb 100644 (file)
--- a/ext/spl/php_spl.c
+++ b/ext/spl/php_spl.c
@@ -358,7 +358,7 @@ PHP_FUNCTION(spl_autoload)
                 * The "scope" is determined by an opcode, if it is ZEND_FETCH_CLASS we know function was called indirectly by
                 * the Zend engine.
                 */
-               if (active_opline->opcode != ZEND_FETCH_CLASS) {
+               if (EG(opline_ptr) && active_opline->opcode != ZEND_FETCH_CLASS) {
                        zend_throw_exception_ex(spl_ce_LogicException, 0 TSRMLS_CC, "Class %s could not be loaded", class_name);
                } else {
                        php_error_docref(NULL TSRMLS_CC, E_ERROR, "Class %s could not be loaded", class_name);

diff --git a/ext/spl/tests/bug70290.phpt b/ext/spl/tests/bug70290.phpt
new file mode 100644 (file)
index 0000000..0fd83c2
--- /dev/null
+++ b/ext/spl/tests/bug70290.phpt
@@ -0,0 +1,9 @@
+--TEST--
+Bug #70290 (Null pointer deref (segfault) in spl_autoload via ob_start)
+--INI--
+display_errors=2
+--FILE--
+<?php ob_start("spl_autoload"); ?> 1
+--EXPECT--
+Fatal error: Unknown: Class  1
+ could not be loaded in Unknown on line 0