Fixed bug #39825 (foreach produces memory error)
authorDmitry Stogov <dmitry@php.net>
Mon, 25 Dec 2006 19:23:18 +0000 (19:23 +0000)
committerDmitry Stogov <dmitry@php.net>
Mon, 25 Dec 2006 19:23:18 +0000 (19:23 +0000)
Zend/tests/bug39825.phpt [new file with mode: 0755]
Zend/zend_vm_def.h
Zend/zend_vm_execute.h

diff --git a/Zend/tests/bug39825.phpt b/Zend/tests/bug39825.phpt
new file mode 100755 (executable)
index 0000000..791b329
--- /dev/null
@@ -0,0 +1,13 @@
+--TEST--
+Bug #39825 (foreach produces memory error)
+--FILE--
+<?php 
+$array = array(1 => 2, "foo" => "bar");
+$obj = (object)$array;
+foreach ($obj as $name => $value)  {
+       echo "$name -> $value\n";
+}
+?>
+--EXPECT--
+1 -> 2
+foo -> bar
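Review bot: The test only exercises one shape of the patched paths: a keyed, by-value loop where the integer key is the first element. The commit changes both the skip loop in ZEND_FE_RESET and the do-while in ZEND_FE_FETCH, so a second array with the integer key after a string key, e.g. `array("foo" => "bar", 1 => 2)`, would show the long key is handled at a non-first position as well. A key-less `foreach ($obj as $value)` loop would additionally cover the branch where `use_key` is false.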
index 86b5dc5471872259f42d75cbcc22603f25771b25..06e3d891584de8dc76ed3f06f082fecf34e3c0bb 100644 (file)
@@ -3284,7 +3284,8 @@ ZEND_VM_HANDLER(77, ZEND_FE_RESET, CONST|TMP|VAR|CV, ANY)
 
                                key_type = zend_hash_get_current_key_ex(fe_ht, &str_key, &str_key_len, &int_key, 0, NULL);
                                if (key_type != HASH_KEY_NON_EXISTANT &&
-                                   zend_check_property_access(zobj, key_type == HASH_KEY_IS_UNICODE?IS_UNICODE:IS_STRING, str_key, str_key_len-1 TSRMLS_CC) == SUCCESS) {
+                                       (key_type == HASH_KEY_IS_LONG ||
+                                    zend_check_property_access(zobj, key_type == HASH_KEY_IS_UNICODE?IS_UNICODE:IS_STRING, str_key, str_key_len-1 TSRMLS_CC) == SUCCESS)) {
                                        break;
                                }
                                zend_hash_move_forward(fe_ht);
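Review bot: The new `key_type == HASH_KEY_IS_LONG ||` arm lets integer-keyed entries bypass `zend_check_property_access` without a comment saying why that is safe, and a reader auditing property visibility will stop on it. I would add above the condition `/* integer keys carry no name: str_key is not filled in for them and they cannot be mangled private/protected names, so there is nothing to access-check */`. The same reasoning applies to the ZEND_FE_FETCH hunk below, where the order of the `||`/`&&` operands is presumably what keeps `str_key` from being read, so the comment is worth repeating there. The enclosing handler starts and ends outside this hunk.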
@@ -3343,8 +3344,10 @@ ZEND_VM_HANDLER(78, ZEND_FE_FETCH, VAR, ANY)
                                key_type = zend_hash_get_current_key_ex(fe_ht, &str_key, &str_key_len, &int_key, 0, NULL);
 
                                zend_hash_move_forward(fe_ht);
-                       } while (key_type == HASH_KEY_NON_EXISTANT || zend_check_property_access(zobj, key_type == HASH_KEY_IS_UNICODE?IS_UNICODE:IS_STRING, str_key, str_key_len-1 TSRMLS_CC) != SUCCESS);
-                       if (use_key) {
+                       } while (key_type == HASH_KEY_NON_EXISTANT ||
+                                (key_type != HASH_KEY_IS_LONG &&
+                             zend_check_property_access(zobj, key_type == HASH_KEY_IS_UNICODE?IS_UNICODE:IS_STRING, str_key, str_key_len-1 TSRMLS_CC) != SUCCESS));
+                       if (use_key && key_type != HASH_KEY_IS_LONG) {
                                zend_u_unmangle_property_name(key_type == HASH_KEY_IS_UNICODE?IS_UNICODE:IS_STRING, str_key, str_key_len-1, &class_name, &prop_name);
                                if (key_type == HASH_KEY_IS_UNICODE) {
                                        str_key_len = u_strlen(prop_name.u);
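Review bot: With `if (use_key && key_type != HASH_KEY_IS_LONG)`, a long key leaves `str_key` and `str_key_len` untouched, so every later use in this handler must be conditioned on `key_type`. That code and the declarations are outside the hunk, so this cannot be confirmed from here. Giving both variables a defined initial value where they are declared would make any missed path fail predictably rather than read indeterminate stack contents. The guard would also state its intent more directly as a positive test, `if (use_key && (key_type == HASH_KEY_IS_STRING || key_type == HASH_KEY_IS_UNICODE)) {`, since only those key types have a name to unmangle.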
index 660f418ad9e07eb7f61eb4b01763b58dab520201..e9a53e5fa0c0ceb9f51d4a51113ffb5cafee4d3c 100644 (file)
@@ -2227,7 +2227,8 @@ static int ZEND_FE_RESET_SPEC_CONST_HANDLER(ZEND_OPCODE_HANDLER_ARGS)
 
                                key_type = zend_hash_get_current_key_ex(fe_ht, &str_key, &str_key_len, &int_key, 0, NULL);
                                if (key_type != HASH_KEY_NON_EXISTANT &&
-                                   zend_check_property_access(zobj, key_type == HASH_KEY_IS_UNICODE?IS_UNICODE:IS_STRING, str_key, str_key_len-1 TSRMLS_CC) == SUCCESS) {
+                                       (key_type == HASH_KEY_IS_LONG ||
+                                    zend_check_property_access(zobj, key_type == HASH_KEY_IS_UNICODE?IS_UNICODE:IS_STRING, str_key, str_key_len-1 TSRMLS_CC) == SUCCESS)) {
                                        break;
                                }
                                zend_hash_move_forward(fe_ht);
@@ -4834,7 +4835,8 @@ static int ZEND_FE_RESET_SPEC_TMP_HANDLER(ZEND_OPCODE_HANDLER_ARGS)
 
                                key_type = zend_hash_get_current_key_ex(fe_ht, &str_key, &str_key_len, &int_key, 0, NULL);
                                if (key_type != HASH_KEY_NON_EXISTANT &&
-                                   zend_check_property_access(zobj, key_type == HASH_KEY_IS_UNICODE?IS_UNICODE:IS_STRING, str_key, str_key_len-1 TSRMLS_CC) == SUCCESS) {
+                                       (key_type == HASH_KEY_IS_LONG ||
+                                    zend_check_property_access(zobj, key_type == HASH_KEY_IS_UNICODE?IS_UNICODE:IS_STRING, str_key, str_key_len-1 TSRMLS_CC) == SUCCESS)) {
                                        break;
                                }
                                zend_hash_move_forward(fe_ht);
@@ -8046,7 +8048,8 @@ static int ZEND_FE_RESET_SPEC_VAR_HANDLER(ZEND_OPCODE_HANDLER_ARGS)
 
                                key_type = zend_hash_get_current_key_ex(fe_ht, &str_key, &str_key_len, &int_key, 0, NULL);
                                if (key_type != HASH_KEY_NON_EXISTANT &&
-                                   zend_check_property_access(zobj, key_type == HASH_KEY_IS_UNICODE?IS_UNICODE:IS_STRING, str_key, str_key_len-1 TSRMLS_CC) == SUCCESS) {
+                                       (key_type == HASH_KEY_IS_LONG ||
+                                    zend_check_property_access(zobj, key_type == HASH_KEY_IS_UNICODE?IS_UNICODE:IS_STRING, str_key, str_key_len-1 TSRMLS_CC) == SUCCESS)) {
                                        break;
                                }
                                zend_hash_move_forward(fe_ht);
@@ -8105,8 +8108,10 @@ static int ZEND_FE_FETCH_SPEC_VAR_HANDLER(ZEND_OPCODE_HANDLER_ARGS)
                                key_type = zend_hash_get_current_key_ex(fe_ht, &str_key, &str_key_len, &int_key, 0, NULL);
 
                                zend_hash_move_forward(fe_ht);
-                       } while (key_type == HASH_KEY_NON_EXISTANT || zend_check_property_access(zobj, key_type == HASH_KEY_IS_UNICODE?IS_UNICODE:IS_STRING, str_key, str_key_len-1 TSRMLS_CC) != SUCCESS);
-                       if (use_key) {
+                       } while (key_type == HASH_KEY_NON_EXISTANT ||
+                                (key_type != HASH_KEY_IS_LONG &&
+                             zend_check_property_access(zobj, key_type == HASH_KEY_IS_UNICODE?IS_UNICODE:IS_STRING, str_key, str_key_len-1 TSRMLS_CC) != SUCCESS));
+                       if (use_key && key_type != HASH_KEY_IS_LONG) {
                                zend_u_unmangle_property_name(key_type == HASH_KEY_IS_UNICODE?IS_UNICODE:IS_STRING, str_key, str_key_len-1, &class_name, &prop_name);
                                if (key_type == HASH_KEY_IS_UNICODE) {
                                        str_key_len = u_strlen(prop_name.u);
@@ -20601,7 +20606,8 @@ static int ZEND_FE_RESET_SPEC_CV_HANDLER(ZEND_OPCODE_HANDLER_ARGS)
 
                                key_type = zend_hash_get_current_key_ex(fe_ht, &str_key, &str_key_len, &int_key, 0, NULL);
                                if (key_type != HASH_KEY_NON_EXISTANT &&
-                                   zend_check_property_access(zobj, key_type == HASH_KEY_IS_UNICODE?IS_UNICODE:IS_STRING, str_key, str_key_len-1 TSRMLS_CC) == SUCCESS) {
+                                       (key_type == HASH_KEY_IS_LONG ||
+                                    zend_check_property_access(zobj, key_type == HASH_KEY_IS_UNICODE?IS_UNICODE:IS_STRING, str_key, str_key_len-1 TSRMLS_CC) == SUCCESS)) {
                                        break;
                                }
                                zend_hash_move_forward(fe_ht);