From: Dmitry Stogov
Date: Mon, 5 Jul 2010 09:08:35 +0000 (+0000)
Subject: Fixed bug #52237 (Crash when passing the reference of the property of a non-object)
X-Git-Tag: php-5.3.3RC3~18
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=09d8bbb2ee832c7d6717804fc98c904f27ba0831;p=php

Fixed bug #52237 (Crash when passing the reference of the property of a non-object)
---

diff --git a/Zend/tests/bug52237.phpt b/Zend/tests/bug52237.phpt
new file mode 100644
index 0000000000..a466a8ce02
--- /dev/null
+++ b/Zend/tests/bug52237.phpt
@@ -0,0 +1,11 @@
+--TEST--
+Bug #52237 (Crash when passing the reference of the property of a non-object)
+--FILE--
+info);
+var_dump($data);
+?>
+--EXPECTF--
+Warning: Attempt to modify property of non-object in %sbug52237.php on line 3
+string(4) "test"
diff --git a/Zend/zend_vm_def.h b/Zend/zend_vm_def.h
index cd26f5e8e6..e3d68256c3 100644
--- a/Zend/zend_vm_def.h
+++ b/Zend/zend_vm_def.h
@@ -2693,9 +2693,16 @@ ZEND_VM_HANDLER(67, ZEND_SEND_REF, VAR|CV, ANY)
 zend_error_noreturn(E_ERROR, "Only variables can be passed by reference");
 }
- if (EX(function_state).function->type == ZEND_INTERNAL_FUNCTION && !ARG_SHOULD_BE_SENT_BY_REF(EX(fbc), opline->op2.u.opline_num)) {
- ZEND_VM_DISPATCH_TO_HELPER(zend_send_by_var_helper);
- }
+ if (OP1_TYPE == IS_VAR && *varptr_ptr == EG(error_zval_ptr)) {
+ Z_DELREF_PP(varptr_ptr);
+ ALLOC_ZVAL(*varptr_ptr);
+ INIT_ZVAL(**varptr_ptr);
+ Z_SET_REFCOUNT_PP(varptr_ptr, 0);
+ }
+
+ if (EX(function_state).function->type == ZEND_INTERNAL_FUNCTION && !ARG_SHOULD_BE_SENT_BY_REF(EX(fbc), opline->op2.u.opline_num)) {
+ ZEND_VM_DISPATCH_TO_HELPER(zend_send_by_var_helper);
+ }
 SEPARATE_ZVAL_TO_MAKE_IS_REF(varptr_ptr);
 varptr = *varptr_ptr;
diff --git a/Zend/zend_vm_execute.h b/Zend/zend_vm_execute.h
index 45f5c62c2a..76a785c4b4 100644
--- a/Zend/zend_vm_execute.h
+++ b/Zend/zend_vm_execute.h
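Review bot: In the `Zend/zend_vm_def.h` hunk, the new `*varptr_ptr == EG(error_zval_ptr)` block carries no comment, although it encodes two memory-safety invariants: the shared error zval must never be turned into a reference, and the replacement zval is deliberately left at refcount 0. I would add above the `if`: `/* Do not make the shared error zval a reference; hand the callee a fresh zval instead. Its refcount is 0 here and is raised by the send code below. */` — the last sentence is inferred, because the handler continues past the end of the hunk. The block also sits before the `ZEND_INTERNAL_FUNCTION` early exit, so `zend_send_by_var_helper` can now run with the refcount-0 zval in the slot; that helper is not visible here, so it is worth confirming it neither frees nor leaks it. The same block is repeated in the two `Zend/zend_vm_execute.h` hunks.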
@@ -8341,9 +8341,16 @@ static int ZEND_FASTCALL ZEND_SEND_REF_SPEC_VAR_HANDLER(ZEND_OPCODE_HANDLER_ARG zend_error_noreturn(E_ERROR, "Only variables can be passed by reference"); } - if (EX(function_state).function->type == ZEND_INTERNAL_FUNCTION && !ARG_SHOULD_BE_SENT_BY_REF(EX(fbc), opline->op2.u.opline_num)) { - return zend_send_by_var_helper_SPEC_VAR(ZEND_OPCODE_HANDLER_ARGS_PASSTHRU); - } + if (IS_VAR == IS_VAR && *varptr_ptr == EG(error_zval_ptr)) { + Z_DELREF_PP(varptr_ptr); + ALLOC_ZVAL(*varptr_ptr); + INIT_ZVAL(**varptr_ptr); + Z_SET_REFCOUNT_PP(varptr_ptr, 0); + } + + if (EX(function_state).function->type == ZEND_INTERNAL_FUNCTION && !ARG_SHOULD_BE_SENT_BY_REF(EX(fbc), opline->op2.u.opline_num)) { + return zend_send_by_var_helper_SPEC_VAR(ZEND_OPCODE_HANDLER_ARGS_PASSTHRU); + } SEPARATE_ZVAL_TO_MAKE_IS_REF(varptr_ptr); varptr = *varptr_ptr; @@ -22207,9 +22214,16 @@ static int ZEND_FASTCALL ZEND_SEND_REF_SPEC_CV_HANDLER(ZEND_OPCODE_HANDLER_ARGS zend_error_noreturn(E_ERROR, "Only variables can be passed by reference"); } - if (EX(function_state).function->type == ZEND_INTERNAL_FUNCTION && !ARG_SHOULD_BE_SENT_BY_REF(EX(fbc), opline->op2.u.opline_num)) { - return zend_send_by_var_helper_SPEC_CV(ZEND_OPCODE_HANDLER_ARGS_PASSTHRU); - } + if (IS_CV == IS_VAR && *varptr_ptr == EG(error_zval_ptr)) { + Z_DELREF_PP(varptr_ptr); + ALLOC_ZVAL(*varptr_ptr); + INIT_ZVAL(**varptr_ptr); + Z_SET_REFCOUNT_PP(varptr_ptr, 0); + } + + if (EX(function_state).function->type == ZEND_INTERNAL_FUNCTION && !ARG_SHOULD_BE_SENT_BY_REF(EX(fbc), opline->op2.u.opline_num)) { + return zend_send_by_var_helper_SPEC_CV(ZEND_OPCODE_HANDLER_ARGS_PASSTHRU); + } SEPARATE_ZVAL_TO_MAKE_IS_REF(varptr_ptr); varptr = *varptr_ptr;