Don't reuse compare_function operands
authorNikita Popov <nikita.ppv@gmail.com>
Tue, 18 Jul 2017 23:04:36 +0000 (01:04 +0200)
committerNikita Popov <nikita.ppv@gmail.com>
Tue, 18 Jul 2017 23:04:36 +0000 (01:04 +0200)
If the same zval is used for the result and one operand, then the
function thinks it is responsible for freeing the value in case of
a type conversion.

Zend/zend_vm_def.h
Zend/zend_vm_execute.h
ext/opcache/Optimizer/sccp.c

index 6c5f5a2790c81523e11167dedf11b9272df4ae65..df80e0874a166a564f1602e7231f92d7e70fa277 100644 (file)
@@ -8050,13 +8050,13 @@ ZEND_VM_HANDLER(189, ZEND_IN_ARRAY, CONST|TMP|VAR|CV, CONST, NUM)
                result = zend_hash_exists(ht, ZSTR_EMPTY_ALLOC());
        } else {
                zend_string *key;
-               zval tmp;
+               zval key_tmp, result_tmp;
 
                result = 0;
                ZEND_HASH_FOREACH_STR_KEY(ht, key) {
-                       ZVAL_STR(&tmp, key);
-                       compare_function(&tmp, op1, &tmp);
-                       if (Z_LVAL(tmp) == 0) {
+                       ZVAL_STR(&key_tmp, key);
+                       compare_function(&result_tmp, op1, &key_tmp);
+                       if (Z_LVAL(result_tmp) == 0) {
                                result = 1;
                                break;
                        }
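Review bot: Nothing at the new `compare_function(&result_tmp, op1, &key_tmp);` call records why two temporaries are needed, so a later cleanup could merge them back into one zval and reintroduce the bug. Per the commit message, when the result aliases an operand the function treats that slot as its own to free after a type conversion; since `ZVAL_STR(&key_tmp, key)` stores the hash key without taking a reference, that would presumably release a string the array still owns. A comment above the call such as `/* result must not alias an operand: compare_function() may free the result slot after a type conversion */` would preserve the invariant; the same applies to ct_eval_in_array in ext/opcache/Optimizer/sccp.c, while the Zend/zend_vm_execute.h hunks look regenerated from this handler. The file list shows no regression test, and a case with a non-string needle against a string-keyed constant array would pin the fix. The handler's body starts and ends outside the hunk.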
index 202d208d0b2b8357b1fbd071f731375da7ba3cdc..99f270e02bd4df17ee3d9add98500b0c7c9fbce1 100644 (file)
@@ -6422,13 +6422,13 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_IN_ARRAY_SPEC_CONST_CONST_HAND
                result = zend_hash_exists(ht, ZSTR_EMPTY_ALLOC());
        } else {
                zend_string *key;
-               zval tmp;
+               zval key_tmp, result_tmp;
 
                result = 0;
                ZEND_HASH_FOREACH_STR_KEY(ht, key) {
-                       ZVAL_STR(&tmp, key);
-                       compare_function(&tmp, op1, &tmp);
-                       if (Z_LVAL(tmp) == 0) {
+                       ZVAL_STR(&key_tmp, key);
+                       compare_function(&result_tmp, op1, &key_tmp);
+                       if (Z_LVAL(result_tmp) == 0) {
                                result = 1;
                                break;
                        }
@@ -13847,13 +13847,13 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_IN_ARRAY_SPEC_TMP_CONST_HANDLE
                result = zend_hash_exists(ht, ZSTR_EMPTY_ALLOC());
        } else {
                zend_string *key;
-               zval tmp;
+               zval key_tmp, result_tmp;
 
                result = 0;
                ZEND_HASH_FOREACH_STR_KEY(ht, key) {
-                       ZVAL_STR(&tmp, key);
-                       compare_function(&tmp, op1, &tmp);
-                       if (Z_LVAL(tmp) == 0) {
+                       ZVAL_STR(&key_tmp, key);
+                       compare_function(&result_tmp, op1, &key_tmp);
+                       if (Z_LVAL(result_tmp) == 0) {
                                result = 1;
                                break;
                        }
@@ -19909,13 +19909,13 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_IN_ARRAY_SPEC_VAR_CONST_HANDLE
                result = zend_hash_exists(ht, ZSTR_EMPTY_ALLOC());
        } else {
                zend_string *key;
-               zval tmp;
+               zval key_tmp, result_tmp;
 
                result = 0;
                ZEND_HASH_FOREACH_STR_KEY(ht, key) {
-                       ZVAL_STR(&tmp, key);
-                       compare_function(&tmp, op1, &tmp);
-                       if (Z_LVAL(tmp) == 0) {
+                       ZVAL_STR(&key_tmp, key);
+                       compare_function(&result_tmp, op1, &key_tmp);
+                       if (Z_LVAL(result_tmp) == 0) {
                                result = 1;
                                break;
                        }
@@ -38265,13 +38265,13 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_IN_ARRAY_SPEC_CV_CONST_HANDLER
                result = zend_hash_exists(ht, ZSTR_EMPTY_ALLOC());
        } else {
                zend_string *key;
-               zval tmp;
+               zval key_tmp, result_tmp;
 
                result = 0;
                ZEND_HASH_FOREACH_STR_KEY(ht, key) {
-                       ZVAL_STR(&tmp, key);
-                       compare_function(&tmp, op1, &tmp);
-                       if (Z_LVAL(tmp) == 0) {
+                       ZVAL_STR(&key_tmp, key);
+                       compare_function(&result_tmp, op1, &key_tmp);
+                       if (Z_LVAL(result_tmp) == 0) {
                                result = 1;
                                break;
                        }
index 14ea6af99e3d7b3d893136728a6bdbc3991a6ad7..cd74ea41e3fc654133aeba1aed07052a1dceb283 100644 (file)
@@ -475,13 +475,13 @@ static inline int ct_eval_in_array(zval *result, uint32_t extended_value, zval *
                res = zend_hash_exists(ht, ZSTR_EMPTY_ALLOC());
        } else {
                zend_string *key;
-               zval tmp;
+               zval key_tmp, result_tmp;
 
                res = 0;
                ZEND_HASH_FOREACH_STR_KEY(ht, key) {
-                       ZVAL_STR(&tmp, key);
-                       compare_function(&tmp, op1, &tmp);
-                       if (Z_LVAL(tmp) == 0) {
+                       ZVAL_STR(&key_tmp, key);
+                       compare_function(&result_tmp, op1, &key_tmp);
+                       if (Z_LVAL(result_tmp) == 0) {
                                res = 1;
                                break;
                        }
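Review bot: In ct_eval_in_array the new local `result_tmp` sits next to the `zval *result` parameter visible in the hunk header, yet it holds the comparison outcome rather than a temporary for that parameter. A name such as `cmp_result` (keeping `key_tmp`) would make it harder to mix the two up in a later edit. The function body continues outside the hunk.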
@@ -614,7 +614,7 @@ static inline int ct_eval_func_call(
                } else if (zend_string_equals_literal(name, "str_split")) {
                        if (Z_TYPE_P(args[0]) != IS_STRING
                                        || Z_TYPE_P(args[1]) != IS_LONG
-                                       || !Z_LVAL_P(args[1]) <= 0) {
+                                       || Z_LVAL_P(args[1]) <= 0) {
                                return FAILURE;
                        }
                        /* pass */
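Review bot: This precedence fix in the `str_split` guard is unrelated to the compare_function aliasing the commit message describes and is not mentioned there; it would be easier to track or backport as its own commit, or at least with a line in the description. The old `!Z_LVAL_P(args[1]) <= 0` parsed as `(!x) <= 0`, so it rejected every non-zero length and let a zero length through to compile-time evaluation. A short comment on the new line such as `/* only fold when the chunk length is positive */` would state the intent. ct_eval_func_call starts and continues outside the hunk.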