From: Nikita Popov <nikic@php.net>
Date: Tue, 12 Apr 2016 12:39:05 +0000 (+0200)
Subject: Fix ZEND_SEPARATE for by-val func returning ref zval
X-Git-Tag: php-7.0.7RC1~116^2~2
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=4e585eb42941cead2a1a3f9824c84d03af621391;p=php

Fix ZEND_SEPARATE for by-val func returning ref zval
---

diff --git a/Zend/tests/modify_isref_value_return.phpt b/Zend/tests/modify_isref_value_return.phpt
new file mode 100644
index 0000000000..1b3122711e
--- /dev/null
+++ b/Zend/tests/modify_isref_value_return.phpt
@@ -0,0 +1,25 @@
+--TEST--
+Indirect modification of isref by-value return value not possible
+--FILE--
+<?php
+
+class A {
+    public $b;
+}
+
+$arr = [];
+
+$a = new A;
+$a->b =& $arr;
+
+(new ReflectionProperty('A', 'b'))->getValue($a)[] = 42;
+
+var_dump($a);
+
+?>
+--EXPECT--
+object(A)#1 (1) {
+  ["b"]=>
+  &array(0) {
+  }
+}
diff --git a/Zend/zend_vm_def.h b/Zend/zend_vm_def.h
index cabebe4ec2..05b6a9c8bf 100644
--- a/Zend/zend_vm_def.h
+++ b/Zend/zend_vm_def.h
@@ -7301,6 +7301,9 @@ ZEND_VM_HANDLER(156, ZEND_SEPARATE, VAR, UNUSED)
 	if (UNEXPECTED(Z_ISREF_P(var_ptr))) {
 		if (UNEXPECTED(Z_REFCOUNT_P(var_ptr) == 1)) {
 			ZVAL_UNREF(var_ptr);
+		} else if (!(Z_VAR_FLAGS_P(var_ptr) & IS_VAR_RET_REF)) {
+			Z_DELREF_P(var_ptr);
+			ZVAL_COPY(var_ptr, Z_REFVAL_P(var_ptr));
 		}
 	}
 
diff --git a/Zend/zend_vm_execute.h b/Zend/zend_vm_execute.h
index b7f0e3c5ae..9f17756315 100644
--- a/Zend/zend_vm_execute.h
+++ b/Zend/zend_vm_execute.h
@@ -19509,6 +19509,9 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_SEPARATE_SPEC_VAR_UNUSED_HANDL
 	if (UNEXPECTED(Z_ISREF_P(var_ptr))) {
 		if (UNEXPECTED(Z_REFCOUNT_P(var_ptr) == 1)) {
 			ZVAL_UNREF(var_ptr);
+		} else if (!(Z_VAR_FLAGS_P(var_ptr) & IS_VAR_RET_REF)) {
+			Z_DELREF_P(var_ptr);
+			ZVAL_COPY(var_ptr, Z_REFVAL_P(var_ptr));
 		}
 	}