]> granicus.if.org Git - php/commitdiff
projects / php / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: ebc6dc1)
Fixed bug #49866 (Making reference on string offsets crashes PHP)
authorDmitry Stogov <dmitry@php.net>
Mon, 7 Dec 2009 08:47:18 +0000 (08:47 +0000)
committerDmitry Stogov <dmitry@php.net>
Mon, 7 Dec 2009 08:47:18 +0000 (08:47 +0000)
Zend/tests/bug49866.phpt [new file with mode: 0644] patch | blob
Zend/zend_vm_def.h patch | blob | history
Zend/zend_vm_execute.h patch | blob | history

diff --git a/Zend/tests/bug49866.phpt b/Zend/tests/bug49866.phpt
new file mode 100644 (file)
index 0000000..7fbc0d8
--- /dev/null
+++ b/Zend/tests/bug49866.phpt
@@ -0,0 +1,10 @@
+--TEST--
+Bug #49866 (Making reference on string offsets crashes PHP)
+--FILE--
+<?php
+$a = "string";
+$b = &$a[1];
+$b = "f";
+echo $a;
+--EXPECTF--
+Fatal error: Cannot create references to/from string offsets nor overloaded objects in %sbug49866.php on line 3
diff --git a/Zend/zend_vm_def.h b/Zend/zend_vm_def.h
index 434478c920c444099d06570cb2253a798f010d3f..4dd443c9da00217969db3024ce35ae95d959a070 100644 (file)
--- a/Zend/zend_vm_def.h
+++ b/Zend/zend_vm_def.h
@@ -1137,7 +1137,7 @@ ZEND_VM_HANDLER(84, ZEND_FETCH_DIM_W, VAR|CV, CONST|TMP|VAR|UNUSED|CV)
        FREE_OP1_VAR_PTR();
        
        /* We are going to assign the result by reference */
-       if (opline->extended_value) {
+       if (opline->extended_value && EX_T(opline->result.u.var).var.ptr_ptr) {
                Z_DELREF_PP(EX_T(opline->result.u.var).var.ptr_ptr);
                SEPARATE_ZVAL_TO_MAKE_IS_REF(EX_T(opline->result.u.var).var.ptr_ptr);
                Z_ADDREF_PP(EX_T(opline->result.u.var).var.ptr_ptr);
diff --git a/Zend/zend_vm_execute.h b/Zend/zend_vm_execute.h
index 620719aff73e3d6933f59bc15e878b05bee0a585..4ef71d6d75c58c5ffa3db6122e52c4d3d16d79d1 100644 (file)
--- a/Zend/zend_vm_execute.h
+++ b/Zend/zend_vm_execute.h
@@ -10257,7 +10257,7 @@ static int ZEND_FASTCALL  ZEND_FETCH_DIM_W_SPEC_VAR_CONST_HANDLER(ZEND_OPCODE_HA
        if (free_op1.var) {zval_ptr_dtor(&free_op1.var);};
 
        /* We are going to assign the result by reference */
-       if (opline->extended_value) {
+       if (opline->extended_value && EX_T(opline->result.u.var).var.ptr_ptr) {
                Z_DELREF_PP(EX_T(opline->result.u.var).var.ptr_ptr);
                SEPARATE_ZVAL_TO_MAKE_IS_REF(EX_T(opline->result.u.var).var.ptr_ptr);
                Z_ADDREF_PP(EX_T(opline->result.u.var).var.ptr_ptr);
@@ -12170,7 +12170,7 @@ static int ZEND_FASTCALL  ZEND_FETCH_DIM_W_SPEC_VAR_TMP_HANDLER(ZEND_OPCODE_HAND
        if (free_op1.var) {zval_ptr_dtor(&free_op1.var);};
 
        /* We are going to assign the result by reference */
-       if (opline->extended_value) {
+       if (opline->extended_value && EX_T(opline->result.u.var).var.ptr_ptr) {
                Z_DELREF_PP(EX_T(opline->result.u.var).var.ptr_ptr);
                SEPARATE_ZVAL_TO_MAKE_IS_REF(EX_T(opline->result.u.var).var.ptr_ptr);
                Z_ADDREF_PP(EX_T(opline->result.u.var).var.ptr_ptr);
@@ -13988,7 +13988,7 @@ static int ZEND_FASTCALL  ZEND_FETCH_DIM_W_SPEC_VAR_VAR_HANDLER(ZEND_OPCODE_HAND
        if (free_op1.var) {zval_ptr_dtor(&free_op1.var);};
 
        /* We are going to assign the result by reference */
-       if (opline->extended_value) {
+       if (opline->extended_value && EX_T(opline->result.u.var).var.ptr_ptr) {
                Z_DELREF_PP(EX_T(opline->result.u.var).var.ptr_ptr);
                SEPARATE_ZVAL_TO_MAKE_IS_REF(EX_T(opline->result.u.var).var.ptr_ptr);
                Z_ADDREF_PP(EX_T(opline->result.u.var).var.ptr_ptr);
@@ -15394,7 +15394,7 @@ static int ZEND_FASTCALL  ZEND_FETCH_DIM_W_SPEC_VAR_UNUSED_HANDLER(ZEND_OPCODE_H
        if (free_op1.var) {zval_ptr_dtor(&free_op1.var);};
 
        /* We are going to assign the result by reference */
-       if (opline->extended_value) {
+       if (opline->extended_value && EX_T(opline->result.u.var).var.ptr_ptr) {
                Z_DELREF_PP(EX_T(opline->result.u.var).var.ptr_ptr);
                SEPARATE_ZVAL_TO_MAKE_IS_REF(EX_T(opline->result.u.var).var.ptr_ptr);
                Z_ADDREF_PP(EX_T(opline->result.u.var).var.ptr_ptr);
@@ -16455,7 +16455,7 @@ static int ZEND_FASTCALL  ZEND_FETCH_DIM_W_SPEC_VAR_CV_HANDLER(ZEND_OPCODE_HANDL
        if (free_op1.var) {zval_ptr_dtor(&free_op1.var);};
 
        /* We are going to assign the result by reference */
-       if (opline->extended_value) {
+       if (opline->extended_value && EX_T(opline->result.u.var).var.ptr_ptr) {
                Z_DELREF_PP(EX_T(opline->result.u.var).var.ptr_ptr);
                SEPARATE_ZVAL_TO_MAKE_IS_REF(EX_T(opline->result.u.var).var.ptr_ptr);
                Z_ADDREF_PP(EX_T(opline->result.u.var).var.ptr_ptr);
@@ -24637,7 +24637,7 @@ static int ZEND_FASTCALL  ZEND_FETCH_DIM_W_SPEC_CV_CONST_HANDLER(ZEND_OPCODE_HAN
        }
 
        /* We are going to assign the result by reference */
-       if (opline->extended_value) {
+       if (opline->extended_value && EX_T(opline->result.u.var).var.ptr_ptr) {
                Z_DELREF_PP(EX_T(opline->result.u.var).var.ptr_ptr);
                SEPARATE_ZVAL_TO_MAKE_IS_REF(EX_T(opline->result.u.var).var.ptr_ptr);
                Z_ADDREF_PP(EX_T(opline->result.u.var).var.ptr_ptr);
@@ -26369,7 +26369,7 @@ static int ZEND_FASTCALL  ZEND_FETCH_DIM_W_SPEC_CV_TMP_HANDLER(ZEND_OPCODE_HANDL
        }
 
        /* We are going to assign the result by reference */
-       if (opline->extended_value) {
+       if (opline->extended_value && EX_T(opline->result.u.var).var.ptr_ptr) {
                Z_DELREF_PP(EX_T(opline->result.u.var).var.ptr_ptr);
                SEPARATE_ZVAL_TO_MAKE_IS_REF(EX_T(opline->result.u.var).var.ptr_ptr);
                Z_ADDREF_PP(EX_T(opline->result.u.var).var.ptr_ptr);
@@ -28075,7 +28075,7 @@ static int ZEND_FASTCALL  ZEND_FETCH_DIM_W_SPEC_CV_VAR_HANDLER(ZEND_OPCODE_HANDL
        }
 
        /* We are going to assign the result by reference */
-       if (opline->extended_value) {
+       if (opline->extended_value && EX_T(opline->result.u.var).var.ptr_ptr) {
                Z_DELREF_PP(EX_T(opline->result.u.var).var.ptr_ptr);
                SEPARATE_ZVAL_TO_MAKE_IS_REF(EX_T(opline->result.u.var).var.ptr_ptr);
                Z_ADDREF_PP(EX_T(opline->result.u.var).var.ptr_ptr);
@@ -29368,7 +29368,7 @@ static int ZEND_FASTCALL  ZEND_FETCH_DIM_W_SPEC_CV_UNUSED_HANDLER(ZEND_OPCODE_HA
        }
 
        /* We are going to assign the result by reference */
-       if (opline->extended_value) {
+       if (opline->extended_value && EX_T(opline->result.u.var).var.ptr_ptr) {
                Z_DELREF_PP(EX_T(opline->result.u.var).var.ptr_ptr);
                SEPARATE_ZVAL_TO_MAKE_IS_REF(EX_T(opline->result.u.var).var.ptr_ptr);
                Z_ADDREF_PP(EX_T(opline->result.u.var).var.ptr_ptr);
@@ -30327,7 +30327,7 @@ static int ZEND_FASTCALL  ZEND_FETCH_DIM_W_SPEC_CV_CV_HANDLER(ZEND_OPCODE_HANDLE
        }
 
        /* We are going to assign the result by reference */
-       if (opline->extended_value) {
+       if (opline->extended_value && EX_T(opline->result.u.var).var.ptr_ptr) {
                Z_DELREF_PP(EX_T(opline->result.u.var).var.ptr_ptr);
                SEPARATE_ZVAL_TO_MAKE_IS_REF(EX_T(opline->result.u.var).var.ptr_ptr);
                Z_ADDREF_PP(EX_T(opline->result.u.var).var.ptr_ptr);
Unnamed repository; edit this file 'description' to name the repository.