Fix a corruption bug, when erroneously allowing to send non-variables by reference...
authorZeev Suraski <zeev@php.net>
Sun, 29 Oct 2000 19:16:29 +0000 (19:16 +0000)
committerZeev Suraski <zeev@php.net>
Sun, 29 Oct 2000 19:16:29 +0000 (19:16 +0000)
bug-db reports seem to originate in this bug)

Zend/zend_compile.c
Zend/zend_compile.h
Zend/zend_execute.c

index 84cc98411e5206bbf75e9d2a15e0afd58250ddae..8c39273e989e0f95f9e698741a2cdf3cf41957ab 100644 (file)
@@ -942,20 +942,19 @@ void do_pass_param(znode *param, int op, int offset CLS_DC)
                arg_types = NULL;
        }
 
-       if (op == ZEND_SEND_VAL) {
+       if (op==ZEND_SEND_VAL) {
                switch (param->op_type) {
                        case IS_CONST:  /* constants behave like variables when passed to functions,
                                                         * as far as reference counting is concerned.  Treat them
                                                         * as if they were variables here.
                                                         */
                        case IS_VAR:
-                               op = ZEND_SEND_VAR;
+                               op = ZEND_SEND_VAR_NO_REF;
                                break;
                }
        }
-
-
-       if (ARG_SHOULD_BE_SENT_BY_REF(offset, 1, arg_types)) {
+       if (op!=ZEND_SEND_VAR_NO_REF
+               && ARG_SHOULD_BE_SENT_BY_REF(offset, 1, arg_types)) {
                /* change to passing by reference */
                switch (param->op_type) {
                        case IS_VAR:
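Review bot: The new `op!=ZEND_SEND_VAR_NO_REF` guard makes the compiler skip the by-reference conversion without any diagnostic when a constant or other non-variable is passed to a function whose `arg_types` are already known. The executor change in this same commit raises "Only variables can be passed by reference" for the equivalent by-name call, so the same source line appears to behave differently depending on when the callee is resolved. If the silent by-value fallback is intended, say so next to the guard, e.g. `/* non-variables are never promoted to by-ref; a known callee receives a copy */`; otherwise report it here with `zend_error(E_COMPILE_ERROR, "Only variables can be passed by reference");`. The existing comment "Treat them as if they were variables here" no longer matches the code now that the opcode is `ZEND_SEND_VAR_NO_REF`. `do_pass_param` starts and ends outside this hunk, so code that is not visible may already cover this.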
@@ -969,6 +968,7 @@ void do_pass_param(znode *param, int op, int offset CLS_DC)
 
        if (original_op==ZEND_SEND_VAR) {
                switch(op) {
+                       case ZEND_SEND_VAR_NO_REF:
                        case ZEND_SEND_VAR:
                                if (function_ptr) {
                                        do_end_variable_parse(BP_VAR_R, 0 CLS_CC);
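Review bot: The added `case ZEND_SEND_VAR_NO_REF:` looks unreachable, because it sits under `if (original_op==ZEND_SEND_VAR)` while the only visible assignment of `ZEND_SEND_VAR_NO_REF` is in the branch taken when `op` arrived as `ZEND_SEND_VAL`. `original_op` is assigned outside the hunk, so this holds only if it is a copy of the incoming `op`, which is worth confirming. If the label is defensive, mark it with a comment such as `/* not produced for original_op==ZEND_SEND_VAR today; kept for symmetry with the executor */` so a later reader does not assume this path is exercised.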
index 1abec93ebe4d268848a37096ba44c6f0d52e1d60..dee9c12b9eca8bbac4f0325761c9b32e1d47c5cf 100644 (file)
@@ -537,6 +537,8 @@ int zendlex(znode *zendlval CLS_DC);
 
 #define ZEND_TICKS                                     105
 
+#define ZEND_SEND_VAR_NO_REF           106
+
 /* end of block */
 
 
index f4c3d030ba90cc4e2d38fc36e6503fd77b3cff5a..6035be3d0cf4d9397061300d3e70e330b73b17b5 100644 (file)
@@ -1651,9 +1651,13 @@ do_fcall_common:
                                }
                                NEXT_OPCODE();
                        case ZEND_SEND_VAR:
+                       case ZEND_SEND_VAR_NO_REF:
                                if (opline->extended_value==ZEND_DO_FCALL_BY_NAME
                                        && ARG_SHOULD_BE_SENT_BY_REF(opline->op2.u.opline_num, fbc, fbc->common.arg_types)) {
-                                               goto send_by_ref;
+                                       if (opline->opcode==ZEND_SEND_VAR_NO_REF) {
+                                               zend_error(E_ERROR, "Only variables can be passed by reference");
+                                       }
+                                       goto send_by_ref;
                                }
                                {
                                        zval *varptr;
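Review bot: The corruption guard relies on `zend_error(E_ERROR, ...)` never returning, because `goto send_by_ref` follows it unconditionally. If that call ever returned, for instance under a different error level or a changed handler, a non-variable would still reach the by-reference path this commit is closing off. Add a comment on the `if` stating the dependency, e.g. `/* E_ERROR bails out; send_by_ref must never see a non-variable operand */`. The message would also be easier to act on if it named the callee and the argument position, provided that information is available from `fbc` and `opline` at this point. The enclosing `case` body continues past the end of the hunk.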