Fixed bug #75420 (Crash when modifing property name in __isset for BP_VAR_IS)

author Xinchen Hui <laruence@gmail.com>

Thu, 26 Oct 2017 02:07:08 +0000 (10:07 +0800)

committer Xinchen Hui <laruence@gmail.com>

Thu, 26 Oct 2017 02:07:08 +0000 (10:07 +0800)
author Xinchen Hui <laruence@gmail.com>
Thu, 26 Oct 2017 02:07:08 +0000 (10:07 +0800)
committer Xinchen Hui <laruence@gmail.com>
Thu, 26 Oct 2017 02:07:08 +0000 (10:07 +0800)
diff --git a/NEWS b/NEWS

index 8bb9f28fc346629e28af8f2db6c69382348c27dc..e3d81786460ece1df28bf26ac69285de181265f8 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -3,6 +3,8 @@ PHP                                                                        NEWS
  ?? ??? 2017 PHP 7.0.26
  
  - Core:
+  . Fixed bug #75420 (Crash when modifing property name in __isset for
+    BP_VAR_IS). (Laruence)
    . Fixed bug #75368 (mmap/munmap trashing on unlucky allocations). (Nikita,
      Dmitry)
  
diff --git a/Zend/tests/bug75420.phpt b/Zend/tests/bug75420.phpt

new file mode 100644 (file)

index 0000000..890fbe5
--- /dev/null
+++ b/Zend/tests/bug75420.phpt
@@ -0,0 +1,15 @@
+--TEST--
+Bug #75420 (Crash when modifing property name in __isset for BP_VAR_IS)
+--FILE--
+<?php
+
+class Test {
+       public function __isset($x) { $GLOBALS["name"] = 24; return true; }
+public function __get($x) { var_dump($x); return 42; }
+}
+
+$obj = new Test;
+$name = "foo";
+var_dump($obj->$name ?? 12);
+?>
+--EXPECT--
diff --git a/Zend/zend_object_handlers.c b/Zend/zend_object_handlers.c

index 9ce9f1df1ac2247b4f68d95012587517e8afaaef..22455b9254d5c5d9ee6ae9e17178bbe65b64e902 100644 (file)
--- a/Zend/zend_object_handlers.c
+++ b/Zend/zend_object_handlers.c
@@ -510,6 +510,7 @@ zval *zend_std_read_property(zval *object, zval *member, int type, void **cache_
         zval tmp_member;
         zval *retval;
         uint32_t property_offset;
+       zend_long *guard = NULL;
  
         zobj = Z_OBJ_P(object);
  
@@ -545,7 +546,7 @@ zval *zend_std_read_property(zval *object, zval *member, int type, void **cache_
         /* magic isset */
         if ((type == BP_VAR_IS) && zobj->ce->__isset) {
                 zval tmp_object, tmp_result;
-               zend_long *guard = zend_get_property_guard(zobj, Z_STR_P(member));
+               guard = zend_get_property_guard(zobj, Z_STR_P(member));
  
                 if (!((*guard) & IN_ISSET)) {
                         ZVAL_COPY(&tmp_object, object);
@@ -569,7 +570,9 @@ zval *zend_std_read_property(zval *object, zval *member, int type, void **cache_
  
         /* magic get */
         if (zobj->ce->__get) {
-               zend_long *guard = zend_get_property_guard(zobj, Z_STR_P(member));
+               if (guard == NULL) {
+                       guard = zend_get_property_guard(zobj, Z_STR_P(member));
+               }
                 if (!((*guard) & IN_GET)) {
                         zval tmp_object;
author	Xinchen Hui <laruence@gmail.com>
	Thu, 26 Oct 2017 02:07:08 +0000 (10:07 +0800)
committer	Xinchen Hui <laruence@gmail.com>
	Thu, 26 Oct 2017 02:07:08 +0000 (10:07 +0800)
NEWS		patch \| blob \| history
Zend/tests/bug75420.phpt	[new file with mode: 0644]	patch \| blob
Zend/zend_object_handlers.c		patch \| blob \| history