Fixed bug #54262 (Crash when assigning value to a dimension in a non-array)
authorDmitry Stogov <dmitry@php.net>
Wed, 16 Mar 2011 11:14:33 +0000 (11:14 +0000)
committerDmitry Stogov <dmitry@php.net>
Wed, 16 Mar 2011 11:14:33 +0000 (11:14 +0000)
NEWS
Zend/tests/bug54262.phpt [new file with mode: 0644]
Zend/zend_vm_def.h
Zend/zend_vm_execute.h
Zend/zend_vm_opcodes.h

diff --git a/NEWS b/NEWS
index 95bd8479e8612936d948388adc7637a4ea711f50..0678c24dd245faec708e89061e072b79e71c62af 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -1,6 +1,10 @@
 PHP                                                                        NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 ?? Mar 2011, PHP 5.3.6
+- Zend Engine:
+  . Fixed bug #54262 (Crash when assigning value to a dimension in a non-array).
+    (Dmitry)
+
 - Phar extension:
   . Fixed bug #54247 (format-string vulnerability on Phar). (Felipe)
     (CVE-2011-1153)
diff --git a/Zend/tests/bug54262.phpt b/Zend/tests/bug54262.phpt
new file mode 100644 (file)
index 0000000..24c7122
--- /dev/null
@@ -0,0 +1,17 @@
+--TEST--
+Bug #54262 (Crash when assigning value to a dimension in a non-array)
+--FILE--
+<?php
+$a = '0';
+var_dump(isset($a['b']));
+$simpleString = preg_match('//', '', $a->a);
+$simpleString["wrong"] = "f";
+echo "ok\n";
+?>
+--EXPECTF--
+bool(true)
+
+Warning: Attempt to modify property of non-object in %s/Zend/tests/bug54262.php on line 4
+
+Warning: Cannot use a scalar value as an array in %s/Zend/tests/bug54262.php on line 5
+ok
\ No newline at end of file
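Review bot: The two warning lines in `--EXPECTF--` pin the script path as `%s/Zend/tests/bug54262.php`, which assumes forward slashes and an in-tree run. `%sbug54262.php on line 4` (and likewise for line 5) matches the same warnings without depending on platform or build directory. The file also ends without a trailing newline. A short comment in the `--FILE--` section would help, for example `// $a->a on a string yields the error zval, which is then sent by reference`, since that appears to be the crashing path and the script does not make it obvious.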
index 5137c862b145d272b8a67c510ef1bcf22f15615e..2ffd0a754fe32242aba5bbfc264a9f1d22824b4f 100644 (file)
@@ -2694,10 +2694,9 @@ ZEND_VM_HANDLER(67, ZEND_SEND_REF, VAR|CV, ANY)
        }
 
        if (OP1_TYPE == IS_VAR && *varptr_ptr == EG(error_zval_ptr)) {
-               Z_DELREF_PP(varptr_ptr);
-               ALLOC_ZVAL(*varptr_ptr);
-               INIT_ZVAL(**varptr_ptr);
-               Z_SET_REFCOUNT_PP(varptr_ptr, 0);
+               ALLOC_INIT_ZVAL(varptr);
+               zend_vm_stack_push(varptr TSRMLS_CC);
+               ZEND_VM_NEXT_OPCODE();
        }
 
        if (EX(function_state).function->type == ZEND_INTERNAL_FUNCTION && !ARG_SHOULD_BE_SENT_BY_REF(EX(fbc), opline->op2.u.opline_num)) {
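Review bot: The new early exit in the `*varptr_ptr == EG(error_zval_ptr)` branch carries no comment explaining why the argument is swapped for a fresh zval, and that reason is the memory-safety point of the fix. The removed lines decremented the error zval's refcount and then stored a refcount-0 zval through `varptr_ptr`, apparently into the slot that holds the shared error zval. I would add `/* do not write through varptr_ptr: it refers to the shared error zval; push a throwaway zval instead */` above `ALLOC_INIT_ZVAL(varptr);`. The handler continues past this hunk, so please confirm that the early `ZEND_VM_NEXT_OPCODE()` does not skip an op1 release at the handler's tail. The same change repeats in the `ZEND_SEND_REF_SPEC_VAR_HANDLER` and `ZEND_SEND_REF_SPEC_CV_HANDLER` hunks.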
index 738b34d7afdc02322fec6a393cd296b9e4deb454..7e377902b8be30195e8a3efa3b635186490182cd 100644 (file)
@@ -2,7 +2,7 @@
    +----------------------------------------------------------------------+
    | Zend Engine                                                          |
    +----------------------------------------------------------------------+
-   | Copyright (c) 1998-2011 Zend Technologies Ltd. (http://www.zend.com) |
+   | Copyright (c) 1998-2010 Zend Technologies Ltd. (http://www.zend.com) |
    +----------------------------------------------------------------------+
    | This source file is subject to version 2.00 of the Zend license,     |
    | that is bundled with this package in the file LICENSE, and is        |
@@ -1880,16 +1880,6 @@ static int ZEND_FASTCALL  ZEND_INCLUDE_OR_EVAL_SPEC_CONST_HANDLER(ZEND_OPCODE_HA
 
        return_value_used = RETURN_VALUE_USED(opline);
 
-       if (Z_LVAL(opline->op2.u.constant) != ZEND_EVAL && strlen(Z_STRVAL_P(inc_filename)) != Z_STRLEN_P(inc_filename)) {
-               if (Z_LVAL(opline->op2.u.constant)==ZEND_INCLUDE_ONCE ||
-                   Z_LVAL(opline->op2.u.constant)==ZEND_INCLUDE) {
-                       zend_message_dispatcher(ZMSG_FAILED_INCLUDE_FOPEN, Z_STRVAL_P(inc_filename) TSRMLS_CC);
-               } else {
-                       zend_message_dispatcher(ZMSG_FAILED_REQUIRE_FOPEN, Z_STRVAL_P(inc_filename) TSRMLS_CC);
-               }
-               goto done;
-       }
-
        switch (Z_LVAL(opline->op2.u.constant)) {
                case ZEND_INCLUDE_ONCE:
                case ZEND_REQUIRE_ONCE: {
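Review bot: The removed `strlen(Z_STRVAL_P(inc_filename)) != Z_STRLEN_P(inc_filename)` guard rejected include/require paths containing an embedded NUL byte, and dropping it has nothing to do with bug #54262 and is not mentioned in the commit message or NEWS. The same guard and its `done:` label are removed from the TMP, VAR and CV variants of `ZEND_INCLUDE_OR_EVAL` further down, while the zend_vm_def.h section of this commit only touches `ZEND_SEND_REF`. Together with the copyright year moving back from 2011 to 2010, this looks like the file was regenerated from a definition that never had the check; that is an inference from the diff. Before merging, confirm that NUL-containing paths are still rejected at another layer for include/require. If they are not, keep the `if (Z_LVAL(opline->op2.u.constant) != ZEND_EVAL && strlen(...) != Z_STRLEN_P(inc_filename)) { ... goto done; }` block and add it to the handler definition so regeneration preserves it. The handler body begins and ends outside this hunk.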
@@ -1943,7 +1933,6 @@ static int ZEND_FASTCALL  ZEND_INCLUDE_OR_EVAL_SPEC_CONST_HANDLER(ZEND_OPCODE_HA
                        break;
                EMPTY_SWITCH_DEFAULT_CASE()
        }
-done:
        if (inc_filename==&tmp_inc_filename) {
                zval_dtor(&tmp_inc_filename);
        }
@@ -5165,16 +5154,6 @@ static int ZEND_FASTCALL  ZEND_INCLUDE_OR_EVAL_SPEC_TMP_HANDLER(ZEND_OPCODE_HAND
 
        return_value_used = RETURN_VALUE_USED(opline);
 
-       if (Z_LVAL(opline->op2.u.constant) != ZEND_EVAL && strlen(Z_STRVAL_P(inc_filename)) != Z_STRLEN_P(inc_filename)) {
-               if (Z_LVAL(opline->op2.u.constant)==ZEND_INCLUDE_ONCE ||
-                   Z_LVAL(opline->op2.u.constant)==ZEND_INCLUDE) {
-                       zend_message_dispatcher(ZMSG_FAILED_INCLUDE_FOPEN, Z_STRVAL_P(inc_filename) TSRMLS_CC);
-               } else {
-                       zend_message_dispatcher(ZMSG_FAILED_REQUIRE_FOPEN, Z_STRVAL_P(inc_filename) TSRMLS_CC);
-               }
-               goto done;
-       }
-
        switch (Z_LVAL(opline->op2.u.constant)) {
                case ZEND_INCLUDE_ONCE:
                case ZEND_REQUIRE_ONCE: {
@@ -5228,7 +5207,6 @@ static int ZEND_FASTCALL  ZEND_INCLUDE_OR_EVAL_SPEC_TMP_HANDLER(ZEND_OPCODE_HAND
                        break;
                EMPTY_SWITCH_DEFAULT_CASE()
        }
-done:
        if (inc_filename==&tmp_inc_filename) {
                zval_dtor(&tmp_inc_filename);
        }
@@ -8364,10 +8342,9 @@ static int ZEND_FASTCALL  ZEND_SEND_REF_SPEC_VAR_HANDLER(ZEND_OPCODE_HANDLER_ARG
        }
 
        if (IS_VAR == IS_VAR && *varptr_ptr == EG(error_zval_ptr)) {
-               Z_DELREF_PP(varptr_ptr);
-               ALLOC_ZVAL(*varptr_ptr);
-               INIT_ZVAL(**varptr_ptr);
-               Z_SET_REFCOUNT_PP(varptr_ptr, 0);
+               ALLOC_INIT_ZVAL(varptr);
+               zend_vm_stack_push(varptr TSRMLS_CC);
+               ZEND_VM_NEXT_OPCODE();
        }
 
        if (EX(function_state).function->type == ZEND_INTERNAL_FUNCTION && !ARG_SHOULD_BE_SENT_BY_REF(EX(fbc), opline->op2.u.opline_num)) {
@@ -8546,16 +8523,6 @@ static int ZEND_FASTCALL  ZEND_INCLUDE_OR_EVAL_SPEC_VAR_HANDLER(ZEND_OPCODE_HAND
 
        return_value_used = RETURN_VALUE_USED(opline);
 
-       if (Z_LVAL(opline->op2.u.constant) != ZEND_EVAL && strlen(Z_STRVAL_P(inc_filename)) != Z_STRLEN_P(inc_filename)) {
-               if (Z_LVAL(opline->op2.u.constant)==ZEND_INCLUDE_ONCE ||
-                   Z_LVAL(opline->op2.u.constant)==ZEND_INCLUDE) {
-                       zend_message_dispatcher(ZMSG_FAILED_INCLUDE_FOPEN, Z_STRVAL_P(inc_filename) TSRMLS_CC);
-               } else {
-                       zend_message_dispatcher(ZMSG_FAILED_REQUIRE_FOPEN, Z_STRVAL_P(inc_filename) TSRMLS_CC);
-               }
-               goto done;
-       }
-
        switch (Z_LVAL(opline->op2.u.constant)) {
                case ZEND_INCLUDE_ONCE:
                case ZEND_REQUIRE_ONCE: {
@@ -8609,7 +8576,6 @@ static int ZEND_FASTCALL  ZEND_INCLUDE_OR_EVAL_SPEC_VAR_HANDLER(ZEND_OPCODE_HAND
                        break;
                EMPTY_SWITCH_DEFAULT_CASE()
        }
-done:
        if (inc_filename==&tmp_inc_filename) {
                zval_dtor(&tmp_inc_filename);
        }
@@ -22248,10 +22214,9 @@ static int ZEND_FASTCALL  ZEND_SEND_REF_SPEC_CV_HANDLER(ZEND_OPCODE_HANDLER_ARGS
        }
 
        if (IS_CV == IS_VAR && *varptr_ptr == EG(error_zval_ptr)) {
-               Z_DELREF_PP(varptr_ptr);
-               ALLOC_ZVAL(*varptr_ptr);
-               INIT_ZVAL(**varptr_ptr);
-               Z_SET_REFCOUNT_PP(varptr_ptr, 0);
+               ALLOC_INIT_ZVAL(varptr);
+               zend_vm_stack_push(varptr TSRMLS_CC);
+               ZEND_VM_NEXT_OPCODE();
        }
 
        if (EX(function_state).function->type == ZEND_INTERNAL_FUNCTION && !ARG_SHOULD_BE_SENT_BY_REF(EX(fbc), opline->op2.u.opline_num)) {
@@ -22420,16 +22385,6 @@ static int ZEND_FASTCALL  ZEND_INCLUDE_OR_EVAL_SPEC_CV_HANDLER(ZEND_OPCODE_HANDL
 
        return_value_used = RETURN_VALUE_USED(opline);
 
-       if (Z_LVAL(opline->op2.u.constant) != ZEND_EVAL && strlen(Z_STRVAL_P(inc_filename)) != Z_STRLEN_P(inc_filename)) {
-               if (Z_LVAL(opline->op2.u.constant)==ZEND_INCLUDE_ONCE ||
-                   Z_LVAL(opline->op2.u.constant)==ZEND_INCLUDE) {
-                       zend_message_dispatcher(ZMSG_FAILED_INCLUDE_FOPEN, Z_STRVAL_P(inc_filename) TSRMLS_CC);
-               } else {
-                       zend_message_dispatcher(ZMSG_FAILED_REQUIRE_FOPEN, Z_STRVAL_P(inc_filename) TSRMLS_CC);
-               }
-               goto done;
-       }
-
        switch (Z_LVAL(opline->op2.u.constant)) {
                case ZEND_INCLUDE_ONCE:
                case ZEND_REQUIRE_ONCE: {
@@ -22483,7 +22438,6 @@ static int ZEND_FASTCALL  ZEND_INCLUDE_OR_EVAL_SPEC_CV_HANDLER(ZEND_OPCODE_HANDL
                        break;
                EMPTY_SWITCH_DEFAULT_CASE()
        }
-done:
        if (inc_filename==&tmp_inc_filename) {
                zval_dtor(&tmp_inc_filename);
        }
index f36e3b5678e7adcdd6a815524db4a44eecd52db7..d048a8576d586c1370626f5ff2fb99e464340de2 100644 (file)
@@ -2,7 +2,7 @@
    +----------------------------------------------------------------------+
    | Zend Engine                                                          |
    +----------------------------------------------------------------------+
-   | Copyright (c) 1998-2011 Zend Technologies Ltd. (http://www.zend.com) |
+   | Copyright (c) 1998-2010 Zend Technologies Ltd. (http://www.zend.com) |
    +----------------------------------------------------------------------+
    | This source file is subject to version 2.00 of the Zend license,     |
    | that is bundled with this package in the file LICENSE, and is        |