From: Nikita Popov <nikic@php.net>
Date: Wed, 28 Sep 2016 19:31:06 +0000 (+0200)
Subject: Fix segfault when empty entry in keyed array assignment
X-Git-Tag: php-7.1.0RC3~8
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=6f9e5684a1b1a52b0a14c531c275a8f009d5d293;p=php

Fix segfault when empty entry in keyed array assignment
---

diff --git a/Zend/tests/list_empty_error_keyed.phpt b/Zend/tests/list_empty_error_keyed.phpt
new file mode 100644
index 0000000000..f363d244f9
--- /dev/null
+++ b/Zend/tests/list_empty_error_keyed.phpt
@@ -0,0 +1,11 @@
+--TEST--
+Cannot use empty elements in keyed array destructuring
+--FILE--
+<?php
+
+$array = ['a' => 1, 'b' => 2];
+['a' => $a, , 'b' => $b] = $array;
+
+?>
+--EXPECTF--
+Fatal error: Cannot use empty array entries in keyed array assignment in %s on line %d
diff --git a/Zend/zend_compile.c b/Zend/zend_compile.c
index 4978c6c1c9..1501acec1e 100644
--- a/Zend/zend_compile.c
+++ b/Zend/zend_compile.c
@@ -2853,15 +2853,20 @@ static void zend_compile_keyed_list_assign(zend_ast_list *list, znode *expr_node
 	uint32_t i;
 
 	for (i = 0; i < list->children; ++i) {
-		zend_ast *pair_ast = list->child[i];
-		zend_ast *var_ast = pair_ast->child[0];
-		zend_ast *key_ast = pair_ast->child[1];
+		zend_ast *elem_ast = list->child[i];
+		zend_ast *var_ast, *key_ast;
 		znode fetch_result, dim_node;
 
-		if (pair_ast->attr) {
+		if (elem_ast == NULL) {
+			zend_error(E_COMPILE_ERROR, "Cannot use empty array entries in keyed array assignment");
+		}
+		if (elem_ast->attr) {
 			zend_error(E_COMPILE_ERROR, "[] and list() assignments cannot be by reference");
 		}
 
+		var_ast = elem_ast->child[0];
+		key_ast = elem_ast->child[1];
+
 		if (key_ast == NULL) {
 			zend_error(E_COMPILE_ERROR, "Cannot mix keyed and unkeyed array entries in assignments");
 		}
@@ -2872,10 +2877,6 @@ static void zend_compile_keyed_list_assign(zend_ast_list *list, znode *expr_node
 			Z_TRY_ADDREF(expr_node->u.constant);
 		}
 
-		if (var_ast == NULL) {
-			zend_error(E_COMPILE_ERROR, "Cannot use empty array entries in keyed array");
-		}
-
 		zend_verify_list_assign_target(var_ast, old_style);
 
 		zend_emit_op(&fetch_result, ZEND_FETCH_LIST, expr_node, &dim_node);