Fixed attempt to free invalid structure (result of ROPE_INIT is not a zval)

diff --git a/Zend/tests/temporary_cleaning_015.phpt b/Zend/tests/temporary_cleaning_015.phpt
new file mode 100644 (file)
index 0000000..7690abb
--- /dev/null
+++ b/Zend/tests/temporary_cleaning_015.phpt
@@ -0,0 +1,17 @@
+--TEST--
+Attempt to free invalid structure (result of ROPE_INIT is not a zval)
+--FILE--
+<?php
+set_error_handler(function () {
+       throw new Exception();
+});
+$a = [];
+$b = "";
+try {
+        echo "$a$b\n";
+} catch (Exception $ex) {
+}
+?>
+DONE
+--EXPECT--
+DONE

diff --git a/Zend/zend_vm_def.h b/Zend/zend_vm_def.h
index f8538e02c4ddb9dc446ee766165220197242266a..1c3668088ef0ffb53b9c0369cd163039c63dff4a 100644 (file)
--- a/Zend/zend_vm_def.h
+++ b/Zend/zend_vm_def.h
@@ -7080,6 +7080,7 @@ ZEND_VM_HANDLER(149, ZEND_HANDLE_EXCEPTION, ANY, ANY)
        if (throw_op->result_type & (IS_VAR | IS_TMP_VAR)) {
                switch (throw_op->opcode) {
                        case ZEND_ADD_ARRAY_ELEMENT:
+                       case ZEND_ROPE_INIT:
                        case ZEND_ROPE_ADD:
                                break; /* exception while building structures, live range handling will free those */
 

diff --git a/Zend/zend_vm_execute.h b/Zend/zend_vm_execute.h
index 4ca3fa48195b458c293b31a1fcc637ece47afa56..6b83684b7f3386afe097c19f6b9a8fd577a0e3c3 100644 (file)
--- a/Zend/zend_vm_execute.h
+++ b/Zend/zend_vm_execute.h
@@ -1776,6 +1776,7 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_HANDLE_EXCEPTION_SPEC_HANDLER(
        if (throw_op->result_type & (IS_VAR | IS_TMP_VAR)) {
                switch (throw_op->opcode) {
                        case ZEND_ADD_ARRAY_ELEMENT:
+                       case ZEND_ROPE_INIT:
                        case ZEND_ROPE_ADD:
                                break; /* exception while building structures, live range handling will free those */