From: Dmitry Stogov Date: Thu, 23 Jun 2005 11:04:58 +0000 (+0000) Subject: Fixed bug #32660 (Assignment by reference causes crash when field access is overloade... X-Git-Tag: php-5.0.5RC1~131 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=71f96764db7f9be6030b4c1d32eda0f884399a87;p=php Fixed bug #32660 (Assignment by reference causes crash when field access is overloaded (__get)) --- diff --git a/NEWS b/NEWS index bb0c5de691..8b13956897 100644 --- a/NEWS +++ b/NEWS @@ -85,6 +85,8 @@ PHP NEWS - Fixed bug #32682 (ext/mssql: Error on module shutdown when called from activescript). (Frank) - Fixed bug #32674 (exception in iterator causes crash). (Dmitry) +- Fixed bug #32660 (Assignment by reference causes crash when field access is + overloaded (__get)). (Dmitry) - Fixed bug #32647 (Using register_shutdown_function() with invalid callback can crash PHP). (Jani) - Fixed bug #32615 (Segfault in replaceChild() using fragment when diff --git a/Zend/tests/bug32660.phpt b/Zend/tests/bug32660.phpt new file mode 100755 index 0000000000..f173b287e1 --- /dev/null +++ b/Zend/tests/bug32660.phpt @@ -0,0 +1,36 @@ +--TEST-- +Bug #32660 Assignment by reference causes crash when field access is overloaded (__get) +--FILE-- +q = 3;//array(); + } + + function __get($name) + { + return $this->q; + } +} + +$a = new A; + +$b = "short"; +$c =& $a->whatever; +$c = "long"; +print_r($a); +$a->whatever =& $b; +$b = "much longer"; +print_r($a); +?> +--EXPECTF-- +A Object +( + [q] => long +) + +Fatal error: Cannot assign by reference to overloaded object in %sbug32660.php on line 23 diff --git a/Zend/zend_execute.c b/Zend/zend_execute.c index 711f89dd57..de38044c65 100644 --- a/Zend/zend_execute.c +++ b/Zend/zend_execute.c 
@@ -2261,12 +2261,15 @@ int zend_assign_ref_handler(ZEND_OPCODE_HANDLER_ARGS) if (opline->op2.op_type == IS_VAR && !(*value_ptr_ptr)->is_ref && - opline->extended_value == ZEND_RETURNS_FUNCTION && - !EX_T(opline->op2.u.var).var.fcall_returned_reference) { + opline->extended_value == ZEND_RETURNS_FUNCTION && + !EX_T(opline->op2.u.var).var.fcall_returned_reference) { PZVAL_LOCK(*value_ptr_ptr); /* undo the effect of get_zval_ptr_ptr() */ zend_error(E_STRICT, "Only variables should be assigned by reference"); return zend_assign_handler(ZEND_OPCODE_HANDLER_ARGS_PASSTHRU); } + if (opline->op1.op_type == IS_VAR && EX_T(opline->op1.u.var).var.ptr_ptr == &EX_T(opline->op1.u.var).var.ptr) { + zend_error(E_ERROR, "Cannot assign by reference to overloaded object"); + } zend_assign_to_variable_reference(&opline->result, get_zval_ptr_ptr(&opline->op1, EX(Ts), BP_VAR_W), value_ptr_ptr, EX(Ts) TSRMLS_CC);
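Review bot: The new `ptr_ptr == &EX_T(opline->op1.u.var).var.ptr` guard sits after the E_STRICT branch, which returns through `zend_assign_handler(ZEND_OPCODE_HANDLER_ARGS_PASSTHRU)` without looking at op1, so an assignment whose right-hand side is a function call that did not return a reference never reaches the overloaded-target check. Whether `zend_assign_handler` handles such a target safely is not visible in this hunk and should be confirmed; bug32660.phpt only exercises `$a->whatever =& $b`, so a case like `$a->whatever =& f();` is worth adding. The condition is an unexplained idiom and deserves a comment such as `/* ptr_ptr points at the temporary's own slot: op1 came from an overloaded read, so there is no real zval** to bind */`. That meaning is inferred from the error message, so adjust the wording if the invariant is different. A second comment, `/* E_ERROR bails out; not reached for overloaded targets */`, on the following `zend_assign_to_variable_reference()` call would make the lack of a `return` clearly intentional; the body of `zend_assign_ref_handler` starts and ends outside the hunk.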