Fixed crash on attempt to insert reference to string offset into an array

diff --git a/Zend/tests/str_offset_002.phpt b/Zend/tests/str_offset_002.phpt
new file mode 100644 (file)
index 0000000..1c465e5
--- /dev/null
+++ b/Zend/tests/str_offset_002.phpt
@@ -0,0 +1,9 @@
+--TEST--\r
+string offset 002\r
+--FILE--\r
+<?php\r
+$a = "aaa";\r
+$x = array(&$a[1]);\r
+?>\r
+--EXPECTF--\r
+Fatal error: Cannot create references to/from string offsets in %sstr_offset_002.php on line 3\r

diff --git a/Zend/zend_vm_def.h b/Zend/zend_vm_def.h
index 6bab49c3c74df9a0458408ff819b1ae49a7edb5b..d796b1f057ab415f1dd2d64c9aed1126474a47ba 100644 (file)
--- a/Zend/zend_vm_def.h
+++ b/Zend/zend_vm_def.h
@@ -3463,6 +3463,9 @@ ZEND_VM_HANDLER(72, ZEND_ADD_ARRAY_ELEMENT, CONST|TMP|VAR|CV, CONST|TMP|VAR|UNUS
        if ((OP1_TYPE == IS_VAR || OP1_TYPE == IS_CV) && opline->extended_value) {
                zval **expr_ptr_ptr = GET_OP1_ZVAL_PTR_PTR(BP_VAR_W);
 
+               if (OP1_TYPE == IS_VAR && UNEXPECTED(expr_ptr_ptr == NULL)) {
+                       zend_error_noreturn(E_ERROR, "Cannot create references to/from string offsets");
+               }
                SEPARATE_ZVAL_TO_MAKE_IS_REF(expr_ptr_ptr);
                expr_ptr = *expr_ptr_ptr;
                Z_ADDREF_P(expr_ptr);

diff --git a/Zend/zend_vm_execute.h b/Zend/zend_vm_execute.h
index b8e8edf3d7e3bee1bf768e501a5e9ef882d71612..3bfbc0d35f0c22946b4e3b2c65ae2b00b77072c6 100644 (file)
--- a/Zend/zend_vm_execute.h
+++ b/Zend/zend_vm_execute.h
@@ -3367,6 +3367,9 @@ static int ZEND_FASTCALL  ZEND_ADD_ARRAY_ELEMENT_SPEC_CONST_CONST_HANDLER(ZEND_O
        if ((IS_CONST == IS_VAR || IS_CONST == IS_CV) && opline->extended_value) {
                zval **expr_ptr_ptr = NULL;
 
+               if (IS_CONST == IS_VAR && UNEXPECTED(expr_ptr_ptr == NULL)) {
+                       zend_error_noreturn(E_ERROR, "Cannot create references to/from string offsets");
+               }
                SEPARATE_ZVAL_TO_MAKE_IS_REF(expr_ptr_ptr);
                expr_ptr = *expr_ptr_ptr;
                Z_ADDREF_P(expr_ptr);
@@ -4062,6 +4065,9 @@ static int ZEND_FASTCALL  ZEND_ADD_ARRAY_ELEMENT_SPEC_CONST_TMP_HANDLER(ZEND_OPC
        if ((IS_CONST == IS_VAR || IS_CONST == IS_CV) && opline->extended_value) {
                zval **expr_ptr_ptr = NULL;
 
+               if (IS_CONST == IS_VAR && UNEXPECTED(expr_ptr_ptr == NULL)) {
+                       zend_error_noreturn(E_ERROR, "Cannot create references to/from string offsets");
+               }
                SEPARATE_ZVAL_TO_MAKE_IS_REF(expr_ptr_ptr);
                expr_ptr = *expr_ptr_ptr;
                Z_ADDREF_P(expr_ptr);
@@ -4724,6 +4730,9 @@ static int ZEND_FASTCALL  ZEND_ADD_ARRAY_ELEMENT_SPEC_CONST_VAR_HANDLER(ZEND_OPC
        if ((IS_CONST == IS_VAR || IS_CONST == IS_CV) && opline->extended_value) {
                zval **expr_ptr_ptr = NULL;
 
+               if (IS_CONST == IS_VAR && UNEXPECTED(expr_ptr_ptr == NULL)) {
+                       zend_error_noreturn(E_ERROR, "Cannot create references to/from string offsets");
+               }
                SEPARATE_ZVAL_TO_MAKE_IS_REF(expr_ptr_ptr);
                expr_ptr = *expr_ptr_ptr;
                Z_ADDREF_P(expr_ptr);
@@ -5235,6 +5244,9 @@ static int ZEND_FASTCALL  ZEND_ADD_ARRAY_ELEMENT_SPEC_CONST_UNUSED_HANDLER(ZEND_
        if ((IS_CONST == IS_VAR || IS_CONST == IS_CV) && opline->extended_value) {
                zval **expr_ptr_ptr = NULL;
 
+               if (IS_CONST == IS_VAR && UNEXPECTED(expr_ptr_ptr == NULL)) {
+                       zend_error_noreturn(E_ERROR, "Cannot create references to/from string offsets");
+               }
                SEPARATE_ZVAL_TO_MAKE_IS_REF(expr_ptr_ptr);
                expr_ptr = *expr_ptr_ptr;
                Z_ADDREF_P(expr_ptr);
@@ -5966,6 +5978,9 @@ static int ZEND_FASTCALL  ZEND_ADD_ARRAY_ELEMENT_SPEC_CONST_CV_HANDLER(ZEND_OPCO
        if ((IS_CONST == IS_VAR || IS_CONST == IS_CV) && opline->extended_value) {
                zval **expr_ptr_ptr = NULL;
 
+               if (IS_CONST == IS_VAR && UNEXPECTED(expr_ptr_ptr == NULL)) {
+                       zend_error_noreturn(E_ERROR, "Cannot create references to/from string offsets");
+               }
                SEPARATE_ZVAL_TO_MAKE_IS_REF(expr_ptr_ptr);
                expr_ptr = *expr_ptr_ptr;
                Z_ADDREF_P(expr_ptr);
@@ -7597,6 +7612,9 @@ static int ZEND_FASTCALL  ZEND_ADD_ARRAY_ELEMENT_SPEC_TMP_CONST_HANDLER(ZEND_OPC
        if ((IS_TMP_VAR == IS_VAR || IS_TMP_VAR == IS_CV) && opline->extended_value) {
                zval **expr_ptr_ptr = NULL;
 
+               if (IS_TMP_VAR == IS_VAR && UNEXPECTED(expr_ptr_ptr == NULL)) {
+                       zend_error_noreturn(E_ERROR, "Cannot create references to/from string offsets");
+               }
                SEPARATE_ZVAL_TO_MAKE_IS_REF(expr_ptr_ptr);
                expr_ptr = *expr_ptr_ptr;
                Z_ADDREF_P(expr_ptr);
@@ -8254,6 +8272,9 @@ static int ZEND_FASTCALL  ZEND_ADD_ARRAY_ELEMENT_SPEC_TMP_TMP_HANDLER(ZEND_OPCOD
        if ((IS_TMP_VAR == IS_VAR || IS_TMP_VAR == IS_CV) && opline->extended_value) {
                zval **expr_ptr_ptr = NULL;
 
+               if (IS_TMP_VAR == IS_VAR && UNEXPECTED(expr_ptr_ptr == NULL)) {
+                       zend_error_noreturn(E_ERROR, "Cannot create references to/from string offsets");
+               }
                SEPARATE_ZVAL_TO_MAKE_IS_REF(expr_ptr_ptr);
                expr_ptr = *expr_ptr_ptr;
                Z_ADDREF_P(expr_ptr);
@@ -8918,6 +8939,9 @@ static int ZEND_FASTCALL  ZEND_ADD_ARRAY_ELEMENT_SPEC_TMP_VAR_HANDLER(ZEND_OPCOD
        if ((IS_TMP_VAR == IS_VAR || IS_TMP_VAR == IS_CV) && opline->extended_value) {
                zval **expr_ptr_ptr = NULL;
 
+               if (IS_TMP_VAR == IS_VAR && UNEXPECTED(expr_ptr_ptr == NULL)) {
+                       zend_error_noreturn(E_ERROR, "Cannot create references to/from string offsets");
+               }
                SEPARATE_ZVAL_TO_MAKE_IS_REF(expr_ptr_ptr);
                expr_ptr = *expr_ptr_ptr;
                Z_ADDREF_P(expr_ptr);
@@ -9316,6 +9340,9 @@ static int ZEND_FASTCALL  ZEND_ADD_ARRAY_ELEMENT_SPEC_TMP_UNUSED_HANDLER(ZEND_OP
        if ((IS_TMP_VAR == IS_VAR || IS_TMP_VAR == IS_CV) && opline->extended_value) {
                zval **expr_ptr_ptr = NULL;
 
+               if (IS_TMP_VAR == IS_VAR && UNEXPECTED(expr_ptr_ptr == NULL)) {
+                       zend_error_noreturn(E_ERROR, "Cannot create references to/from string offsets");
+               }
                SEPARATE_ZVAL_TO_MAKE_IS_REF(expr_ptr_ptr);
                expr_ptr = *expr_ptr_ptr;
                Z_ADDREF_P(expr_ptr);
@@ -9970,6 +9997,9 @@ static int ZEND_FASTCALL  ZEND_ADD_ARRAY_ELEMENT_SPEC_TMP_CV_HANDLER(ZEND_OPCODE
        if ((IS_TMP_VAR == IS_VAR || IS_TMP_VAR == IS_CV) && opline->extended_value) {
                zval **expr_ptr_ptr = NULL;
 
+               if (IS_TMP_VAR == IS_VAR && UNEXPECTED(expr_ptr_ptr == NULL)) {
+                       zend_error_noreturn(E_ERROR, "Cannot create references to/from string offsets");
+               }
                SEPARATE_ZVAL_TO_MAKE_IS_REF(expr_ptr_ptr);
                expr_ptr = *expr_ptr_ptr;
                Z_ADDREF_P(expr_ptr);
@@ -13180,6 +13210,9 @@ static int ZEND_FASTCALL  ZEND_ADD_ARRAY_ELEMENT_SPEC_VAR_CONST_HANDLER(ZEND_OPC
        if ((IS_VAR == IS_VAR || IS_VAR == IS_CV) && opline->extended_value) {
                zval **expr_ptr_ptr = _get_zval_ptr_ptr_var(opline->op1.var, EX_Ts(), &free_op1 TSRMLS_CC);
 
+               if (IS_VAR == IS_VAR && UNEXPECTED(expr_ptr_ptr == NULL)) {
+                       zend_error_noreturn(E_ERROR, "Cannot create references to/from string offsets");
+               }
                SEPARATE_ZVAL_TO_MAKE_IS_REF(expr_ptr_ptr);
                expr_ptr = *expr_ptr_ptr;
                Z_ADDREF_P(expr_ptr);
@@ -15227,6 +15260,9 @@ static int ZEND_FASTCALL  ZEND_ADD_ARRAY_ELEMENT_SPEC_VAR_TMP_HANDLER(ZEND_OPCOD
        if ((IS_VAR == IS_VAR || IS_VAR == IS_CV) && opline->extended_value) {
                zval **expr_ptr_ptr = _get_zval_ptr_ptr_var(opline->op1.var, EX_Ts(), &free_op1 TSRMLS_CC);
 
+               if (IS_VAR == IS_VAR && UNEXPECTED(expr_ptr_ptr == NULL)) {
+                       zend_error_noreturn(E_ERROR, "Cannot create references to/from string offsets");
+               }
                SEPARATE_ZVAL_TO_MAKE_IS_REF(expr_ptr_ptr);
                expr_ptr = *expr_ptr_ptr;
                Z_ADDREF_P(expr_ptr);
@@ -17336,6 +17372,9 @@ static int ZEND_FASTCALL  ZEND_ADD_ARRAY_ELEMENT_SPEC_VAR_VAR_HANDLER(ZEND_OPCOD
        if ((IS_VAR == IS_VAR || IS_VAR == IS_CV) && opline->extended_value) {
                zval **expr_ptr_ptr = _get_zval_ptr_ptr_var(opline->op1.var, EX_Ts(), &free_op1 TSRMLS_CC);
 
+               if (IS_VAR == IS_VAR && UNEXPECTED(expr_ptr_ptr == NULL)) {
+                       zend_error_noreturn(E_ERROR, "Cannot create references to/from string offsets");
+               }
                SEPARATE_ZVAL_TO_MAKE_IS_REF(expr_ptr_ptr);
                expr_ptr = *expr_ptr_ptr;
                Z_ADDREF_P(expr_ptr);
@@ -18551,6 +18590,9 @@ static int ZEND_FASTCALL  ZEND_ADD_ARRAY_ELEMENT_SPEC_VAR_UNUSED_HANDLER(ZEND_OP
        if ((IS_VAR == IS_VAR || IS_VAR == IS_CV) && opline->extended_value) {
                zval **expr_ptr_ptr = _get_zval_ptr_ptr_var(opline->op1.var, EX_Ts(), &free_op1 TSRMLS_CC);
 
+               if (IS_VAR == IS_VAR && UNEXPECTED(expr_ptr_ptr == NULL)) {
+                       zend_error_noreturn(E_ERROR, "Cannot create references to/from string offsets");
+               }
                SEPARATE_ZVAL_TO_MAKE_IS_REF(expr_ptr_ptr);
                expr_ptr = *expr_ptr_ptr;
                Z_ADDREF_P(expr_ptr);
@@ -20386,6 +20428,9 @@ static int ZEND_FASTCALL  ZEND_ADD_ARRAY_ELEMENT_SPEC_VAR_CV_HANDLER(ZEND_OPCODE
        if ((IS_VAR == IS_VAR || IS_VAR == IS_CV) && opline->extended_value) {
                zval **expr_ptr_ptr = _get_zval_ptr_ptr_var(opline->op1.var, EX_Ts(), &free_op1 TSRMLS_CC);
 
+               if (IS_VAR == IS_VAR && UNEXPECTED(expr_ptr_ptr == NULL)) {
+                       zend_error_noreturn(E_ERROR, "Cannot create references to/from string offsets");
+               }
                SEPARATE_ZVAL_TO_MAKE_IS_REF(expr_ptr_ptr);
                expr_ptr = *expr_ptr_ptr;
                Z_ADDREF_P(expr_ptr);
@@ -28499,6 +28544,9 @@ static int ZEND_FASTCALL  ZEND_ADD_ARRAY_ELEMENT_SPEC_CV_CONST_HANDLER(ZEND_OPCO
        if ((IS_CV == IS_VAR || IS_CV == IS_CV) && opline->extended_value) {
                zval **expr_ptr_ptr = _get_zval_ptr_ptr_cv_BP_VAR_W(EX_CVs(), opline->op1.var TSRMLS_CC);
 
+               if (IS_CV == IS_VAR && UNEXPECTED(expr_ptr_ptr == NULL)) {
+                       zend_error_noreturn(E_ERROR, "Cannot create references to/from string offsets");
+               }
                SEPARATE_ZVAL_TO_MAKE_IS_REF(expr_ptr_ptr);
                expr_ptr = *expr_ptr_ptr;
                Z_ADDREF_P(expr_ptr);
@@ -30420,6 +30468,9 @@ static int ZEND_FASTCALL  ZEND_ADD_ARRAY_ELEMENT_SPEC_CV_TMP_HANDLER(ZEND_OPCODE
        if ((IS_CV == IS_VAR || IS_CV == IS_CV) && opline->extended_value) {
                zval **expr_ptr_ptr = _get_zval_ptr_ptr_cv_BP_VAR_W(EX_CVs(), opline->op1.var TSRMLS_CC);
 
+               if (IS_CV == IS_VAR && UNEXPECTED(expr_ptr_ptr == NULL)) {
+                       zend_error_noreturn(E_ERROR, "Cannot create references to/from string offsets");
+               }
                SEPARATE_ZVAL_TO_MAKE_IS_REF(expr_ptr_ptr);
                expr_ptr = *expr_ptr_ptr;
                Z_ADDREF_P(expr_ptr);
@@ -32402,6 +32453,9 @@ static int ZEND_FASTCALL  ZEND_ADD_ARRAY_ELEMENT_SPEC_CV_VAR_HANDLER(ZEND_OPCODE
        if ((IS_CV == IS_VAR || IS_CV == IS_CV) && opline->extended_value) {
                zval **expr_ptr_ptr = _get_zval_ptr_ptr_cv_BP_VAR_W(EX_CVs(), opline->op1.var TSRMLS_CC);
 
+               if (IS_CV == IS_VAR && UNEXPECTED(expr_ptr_ptr == NULL)) {
+                       zend_error_noreturn(E_ERROR, "Cannot create references to/from string offsets");
+               }
                SEPARATE_ZVAL_TO_MAKE_IS_REF(expr_ptr_ptr);
                expr_ptr = *expr_ptr_ptr;
                Z_ADDREF_P(expr_ptr);
@@ -33498,6 +33552,9 @@ static int ZEND_FASTCALL  ZEND_ADD_ARRAY_ELEMENT_SPEC_CV_UNUSED_HANDLER(ZEND_OPC
        if ((IS_CV == IS_VAR || IS_CV == IS_CV) && opline->extended_value) {
                zval **expr_ptr_ptr = _get_zval_ptr_ptr_cv_BP_VAR_W(EX_CVs(), opline->op1.var TSRMLS_CC);
 
+               if (IS_CV == IS_VAR && UNEXPECTED(expr_ptr_ptr == NULL)) {
+                       zend_error_noreturn(E_ERROR, "Cannot create references to/from string offsets");
+               }
                SEPARATE_ZVAL_TO_MAKE_IS_REF(expr_ptr_ptr);
                expr_ptr = *expr_ptr_ptr;
                Z_ADDREF_P(expr_ptr);
@@ -35189,6 +35246,9 @@ static int ZEND_FASTCALL  ZEND_ADD_ARRAY_ELEMENT_SPEC_CV_CV_HANDLER(ZEND_OPCODE_
        if ((IS_CV == IS_VAR || IS_CV == IS_CV) && opline->extended_value) {
                zval **expr_ptr_ptr = _get_zval_ptr_ptr_cv_BP_VAR_W(EX_CVs(), opline->op1.var TSRMLS_CC);
 
+               if (IS_CV == IS_VAR && UNEXPECTED(expr_ptr_ptr == NULL)) {
+                       zend_error_noreturn(E_ERROR, "Cannot create references to/from string offsets");
+               }
                SEPARATE_ZVAL_TO_MAKE_IS_REF(expr_ptr_ptr);
                expr_ptr = *expr_ptr_ptr;
                Z_ADDREF_P(expr_ptr);