From: Antony Dovgal Date: Fri, 27 Apr 2007 08:11:37 +0000 (+0000) Subject: initialize retval_ptr_ptr before returning FAILURE X-Git-Tag: RELEASE_1_2_0~206 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=0e5d853a8d905ecebe012649cddd1e7a1f537332;p=php initialize retval_ptr_ptr before returning FAILURE this fixes invalid read in #41209
---
diff --git a/Zend/tests/bug41209.phpt b/Zend/tests/bug41209.phpt
new file mode 100644
index 0000000000..0834b376b2
--- /dev/null
+++ b/Zend/tests/bug41209.phpt
@@ -0,0 +1,46 @@
+--TEST--
+Bug #41209 (Segmentation fault with ArrayAccess, set_error_handler and undefined var)
+--FILE--
+containers[(string) $id]);
+ }
+}
+
+$env = new env();
+$cache = new cache();
+var_dump(isset($cache[$id]));
+
+echo "Done\n";
+?>
+--EXPECTF--
+Fatal error: Uncaught exception 'ErrorException' with message 'Undefined variable: id' in %s:%d
+Stack trace:
+#0 %s(%d): env::errorHandler()
+#1 {main}
+ thrown in %s on line %d
diff --git a/Zend/zend_execute_API.c b/Zend/zend_execute_API.c
index 5e3bd29226..a8d9ef42b7 100644
--- a/Zend/zend_execute_API.c
+++ b/Zend/zend_execute_API.c
@@ -658,6 +658,8 @@ int zend_call_function(zend_fcall_info *fci, zend_fcall_info_cache *fci_cache TS
 int fname_len; zstr colon, fname, lcname;
+ *fci->retval_ptr_ptr = NULL;
+
 if (!EG(active)) { return FAILURE; /* executor is already inactive */ }
@@ -688,11 +690,6 @@ int zend_call_function(zend_fcall_info *fci, zend_fcall_info_cache *fci_cache TS
 memset(&execute_data, 0, sizeof(zend_execute_data)); }
- /* we may return SUCCESS, and yet retval may be uninitialized,
- * if there was an exception...
- */
- *fci->retval_ptr_ptr = NULL;
-
 if (!fci_cache || !fci_cache->initialized) { if (Z_TYPE_P(fci->function_name)==IS_ARRAY) { /* assume array($obj, $name) couple */ zval **tmp_object_ptr, **tmp_real_function_name;
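Review bot: The new `*fci->retval_ptr_ptr = NULL;` store now runs unconditionally as the first statement of zend_call_function, ahead of the `EG(active)` check, so every caller must pass a non-NULL `retval_ptr_ptr`; the removed code made the same assumption later in the function, but placing the store before every early return makes that contract worth stating. The rationale comment that was deleted in the second hunk ("we may return SUCCESS, and yet retval may be uninitialized, if there was an exception") was dropped rather than moved, and I would keep it at the new site extended to the FAILURE paths this commit fixes, e.g. `/* Callers inspect *retval_ptr_ptr on both SUCCESS (an exception may leave it unset) and FAILURE (the early returns below); clear it before any return. */`. zend_call_function begins and ends outside both hunks, so whether other early returns between them also depended on this cannot be confirmed from here.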