From: Nikita Popov <nikita.ppv@gmail.com>
Date: Fri, 2 Nov 2018 13:26:24 +0000 (+0100)
Subject: Fixed bug #77092
X-Git-Tag: php-7.3.0RC5~15^2
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=4daa413898948dad90bc797ccab200115326efc7;p=php

Fixed bug #77092

Weird that this worked for so long, probably because nearly all
ext/standard functions use fast ZPP rather than ordinary ZPP.
---

diff --git a/NEWS b/NEWS
index 677fc21325..bff096b073 100644
--- a/NEWS
+++ b/NEWS
@@ -8,6 +8,7 @@ PHP                                                                        NEWS
 
 - Opcache:
   . Fixed bug #77058 (Type inference in opcache causes side effects). (Nikita)
+  . Fixed bug #77092 (array_diff_key() - segmentation fault). (Nikita)
 
 - SOAP:
   . Fixed bug #50675 (SoapClient can't handle object references correctly).
diff --git a/ext/opcache/Optimizer/sccp.c b/ext/opcache/Optimizer/sccp.c
index 802587e8e9..a519196e30 100644
--- a/ext/opcache/Optimizer/sccp.c
+++ b/ext/opcache/Optimizer/sccp.c
@@ -585,7 +585,7 @@ static inline int ct_eval_in_array(zval *result, uint32_t extended_value, zval *
 static inline int ct_eval_func_call(
 		zval *result, zend_string *name, uint32_t num_args, zval **args) {
 	uint32_t i;
-	zend_execute_data *execute_data;
+	zend_execute_data *execute_data, *prev_execute_data;
 	zend_function *func;
 	int overflow;
 
@@ -840,6 +840,9 @@ static inline int ct_eval_func_call(
 
 	execute_data = safe_emalloc(num_args, sizeof(zval), ZEND_CALL_FRAME_SLOT * sizeof(zval));
 	memset(execute_data, 0, sizeof(zend_execute_data));
+	prev_execute_data = EG(current_execute_data);
+	EG(current_execute_data) = execute_data;
+
 	EX(func) = func;
 	EX_NUM_ARGS() = num_args;
 	for (i = 0; i < num_args; i++) {
@@ -850,6 +853,7 @@ static inline int ct_eval_func_call(
 		zval_ptr_dtor_nogc(EX_VAR_NUM(i));
 	}
 	efree(execute_data);
+	EG(current_execute_data) = prev_execute_data;
 	return SUCCESS;
 }
 
diff --git a/ext/opcache/tests/bug77092.phpt b/ext/opcache/tests/bug77092.phpt
new file mode 100644
index 0000000000..9e64c50e77
--- /dev/null
+++ b/ext/opcache/tests/bug77092.phpt
@@ -0,0 +1,20 @@
+--TEST--
+Bug #77092: array_diff_key() - segmentation fault
+--INI--
+opcache.enable_cli=1
+opcache.optimization_level=-1
+--FILE--
+<?php
+function test() {
+    $anyArrayOne = ['foo' => 'bar', 'bar' => 'baz'];
+    $anyArrayTwo = ['foo' => null];
+
+    print_r(array_diff_key($anyArrayOne, $anyArrayTwo));
+}
+test();
+?>
+--EXPECT--
+Array
+(
+    [bar] => baz
+)