Fixed bug #76534 (PHP hangs on 'illegal string offset on string references with an...

author Xinchen Hui <laruence@gmail.com>

Wed, 27 Jun 2018 05:05:11 +0000 (13:05 +0800)

committer Xinchen Hui <laruence@gmail.com>

Wed, 27 Jun 2018 05:05:11 +0000 (13:05 +0800)
author Xinchen Hui <laruence@gmail.com>
Wed, 27 Jun 2018 05:05:11 +0000 (13:05 +0800)
committer Xinchen Hui <laruence@gmail.com>
Wed, 27 Jun 2018 05:05:11 +0000 (13:05 +0800)
diff --git a/NEWS b/NEWS

index 79612ca2bd500023ebea7e646f6bf05e8e1d1b1d..d5840d2d2537bc7358ddf196297fe13f162bb8a3 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -3,6 +3,8 @@ PHP                                                                        NEWS
  ?? ??? ????, PHP 7.1.20
  
  - Core:
+  . Fixed bug #76534 (PHP hangs on 'illegal string offset on string references
+    with an error handler). (Laruence)
    . Fixed bug #76502 (Chain of mixed exceptions and errors does not serialize
      properly). (Nikita)
  
diff --git a/Zend/tests/bug76534.phpt b/Zend/tests/bug76534.phpt

new file mode 100644 (file)

index 0000000..956a29b
--- /dev/null
+++ b/Zend/tests/bug76534.phpt
@@ -0,0 +1,17 @@
+--TEST--
+Bug #76534 (PHP hangs on 'illegal string offset on string references with an error handler)
+--FILE--
+<?php
+set_error_handler(function ($severity, $message, $file, $line) {
+       throw new \Exception($message);
+});
+
+$x = "foo";
+$y = &$x["bar"];
+?>
+--EXPECTF--
+Fatal error: Uncaught Exception: Illegal string offset 'bar' in %sbug76534.php:%d
+Stack trace:
+#0 %sbug76534.php(%d): {closure}(2, 'Illegal string ...', '%s', %d, Array)
+#1 {main}
+  thrown in %sbug76534.php on line %d
diff --git a/Zend/zend_execute.c b/Zend/zend_execute.c

index 968618a6aa6987f331e3552909ade332772786ab..f88fac6c88c27895b711489f5354aa999341540a 100644 (file)
--- a/Zend/zend_execute.c
+++ b/Zend/zend_execute.c
@@ -1700,7 +1700,9 @@ fetch_from_array:
                         zend_throw_error(NULL, "[] operator not supported for strings");
                 } else {
                         zend_check_string_offset(dim, type);
-                       zend_wrong_string_offset();
+                       if (EXPECTED(EG(exception) == NULL)) {
+                               zend_wrong_string_offset();
+                       }
                 }
                 ZVAL_ERROR(result);
         } else if (EXPECTED(Z_TYPE_P(container) == IS_OBJECT)) {
diff --git a/Zend/zend_vm_def.h b/Zend/zend_vm_def.h

index 7dd70fa7091dff9a51fb46405ce446a59ca7ea21..ea9870d31b2e4bddc4d387f98929b59983dffc5d 100644 (file)
--- a/Zend/zend_vm_def.h
+++ b/Zend/zend_vm_def.h
@@ -891,7 +891,9 @@ ZEND_VM_C_LABEL(assign_dim_op_convert_to_array):
                                         zend_throw_error(NULL, "[] operator not supported for strings");
                                 } else {
                                         zend_check_string_offset(dim, BP_VAR_RW);
-                                       zend_wrong_string_offset();
+                                       if (EXPECTED(EG(exception) == NULL)) {
+                                               zend_wrong_string_offset();
+                                       }
                                 }
                         } else if (EXPECTED(Z_TYPE_P(container) <= IS_FALSE)) {
                                 ZEND_VM_C_GOTO(assign_dim_op_convert_to_array);
diff --git a/Zend/zend_vm_execute.h b/Zend/zend_vm_execute.h

index cb20546da9b0d94d850f31b6441851d6e67dd0e4..af3c181552ac040ab9d93170cf599cecbd490ba5 100644 (file)
--- a/Zend/zend_vm_execute.h
+++ b/Zend/zend_vm_execute.h
@@ -17596,7 +17596,9 @@ assign_dim_op_convert_to_array:
                                         zend_throw_error(NULL, "[] operator not supported for strings");
                                 } else {
                                         zend_check_string_offset(dim, BP_VAR_RW);
-                                       zend_wrong_string_offset();
+                                       if (EXPECTED(EG(exception) == NULL)) {
+                                               zend_wrong_string_offset();
+                                       }
                                 }
                         } else if (EXPECTED(Z_TYPE_P(container) <= IS_FALSE)) {
                                 goto assign_dim_op_convert_to_array;
@@ -21014,7 +21016,9 @@ assign_dim_op_convert_to_array:
                                         zend_throw_error(NULL, "[] operator not supported for strings");
                                 } else {
                                         zend_check_string_offset(dim, BP_VAR_RW);
-                                       zend_wrong_string_offset();
+                                       if (EXPECTED(EG(exception) == NULL)) {
+                                               zend_wrong_string_offset();
+                                       }
                                 }
                         } else if (EXPECTED(Z_TYPE_P(container) <= IS_FALSE)) {
                                 goto assign_dim_op_convert_to_array;
@@ -22385,7 +22389,9 @@ assign_dim_op_convert_to_array:
                                         zend_throw_error(NULL, "[] operator not supported for strings");
                                 } else {
                                         zend_check_string_offset(dim, BP_VAR_RW);
-                                       zend_wrong_string_offset();
+                                       if (EXPECTED(EG(exception) == NULL)) {
+                                               zend_wrong_string_offset();
+                                       }
                                 }
                         } else if (EXPECTED(Z_TYPE_P(container) <= IS_FALSE)) {
                                 goto assign_dim_op_convert_to_array;
@@ -25330,7 +25336,9 @@ assign_dim_op_convert_to_array:
                                         zend_throw_error(NULL, "[] operator not supported for strings");
                                 } else {
                                         zend_check_string_offset(dim, BP_VAR_RW);
-                                       zend_wrong_string_offset();
+                                       if (EXPECTED(EG(exception) == NULL)) {
+                                               zend_wrong_string_offset();
+                                       }
                                 }
                         } else if (EXPECTED(Z_TYPE_P(container) <= IS_FALSE)) {
                                 goto assign_dim_op_convert_to_array;
@@ -37055,7 +37063,9 @@ assign_dim_op_convert_to_array:
                                         zend_throw_error(NULL, "[] operator not supported for strings");
                                 } else {
                                         zend_check_string_offset(dim, BP_VAR_RW);
-                                       zend_wrong_string_offset();
+                                       if (EXPECTED(EG(exception) == NULL)) {
+                                               zend_wrong_string_offset();
+                                       }
                                 }
                         } else if (EXPECTED(Z_TYPE_P(container) <= IS_FALSE)) {
                                 goto assign_dim_op_convert_to_array;
@@ -41665,7 +41675,9 @@ assign_dim_op_convert_to_array:
                                         zend_throw_error(NULL, "[] operator not supported for strings");
                                 } else {
                                         zend_check_string_offset(dim, BP_VAR_RW);
-                                       zend_wrong_string_offset();
+                                       if (EXPECTED(EG(exception) == NULL)) {
+                                               zend_wrong_string_offset();
+                                       }
                                 }
                         } else if (EXPECTED(Z_TYPE_P(container) <= IS_FALSE)) {
                                 goto assign_dim_op_convert_to_array;
@@ -44149,7 +44161,9 @@ assign_dim_op_convert_to_array:
                                         zend_throw_error(NULL, "[] operator not supported for strings");
                                 } else {
                                         zend_check_string_offset(dim, BP_VAR_RW);
-                                       zend_wrong_string_offset();
+                                       if (EXPECTED(EG(exception) == NULL)) {
+                                               zend_wrong_string_offset();
+                                       }
                                 }
                         } else if (EXPECTED(Z_TYPE_P(container) <= IS_FALSE)) {
                                 goto assign_dim_op_convert_to_array;
@@ -48220,7 +48234,9 @@ assign_dim_op_convert_to_array:
                                         zend_throw_error(NULL, "[] operator not supported for strings");
                                 } else {
                                         zend_check_string_offset(dim, BP_VAR_RW);
-                                       zend_wrong_string_offset();
+                                       if (EXPECTED(EG(exception) == NULL)) {
+                                               zend_wrong_string_offset();
+                                       }
                                 }
                         } else if (EXPECTED(Z_TYPE_P(container) <= IS_FALSE)) {
                                 goto assign_dim_op_convert_to_array;
author	Xinchen Hui <laruence@gmail.com>
	Wed, 27 Jun 2018 05:05:11 +0000 (13:05 +0800)
committer	Xinchen Hui <laruence@gmail.com>
	Wed, 27 Jun 2018 05:05:11 +0000 (13:05 +0800)
NEWS		patch \| blob \| history
Zend/tests/bug76534.phpt	[new file with mode: 0644]	patch \| blob
Zend/zend_execute.c		patch \| blob \| history
Zend/zend_vm_def.h		patch \| blob \| history
Zend/zend_vm_execute.h		patch \| blob \| history