From: Dmitry Stogov
Date: Mon, 1 Jun 2015 08:40:14 +0000 (+0300)
Subject: Fixed bug #69732 (can induce segmentation fault with basic php code).
X-Git-Tag: php-5.5.27RC1~21
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=9031a902e3393ff7dc8a02615430a7d894c740fa;p=php

Fixed bug #69732 (can induce segmentation fault with basic php code).
---

diff --git a/NEWS b/NEWS
index 9e455df7c1..0463d11dcb 100644
--- a/NEWS
+++ b/NEWS
@@ -11,6 +11,8 @@
 (Christoph M. Becker)
 . Fixed bug #69703 (Use __builtin_clzl on PowerPC). (dja at axtens dot net, Kalle)
+ . Fixed bug #69732 (can induce segmentation fault with basic php code).
+ (Dmitry)
 - GD:
 . Fixed bug #69479 (GD fails to build with newer libvpx). (Remi)
diff --git a/Zend/tests/bug69732.phpt b/Zend/tests/bug69732.phpt
new file mode 100644
index 0000000000..2ea5e58bc9
--- /dev/null
+++ b/Zend/tests/bug69732.phpt
@@ -0,0 +1,30 @@
+--TEST--
+Bug #69732 (can induce segmentation fault with basic php code)
+--FILE--
+$name . "XXX";
+ }
+}
+
+function ret_assoc() {
+ $x = "XXX";
+ return array('foo' => 'bar', $x);
+}
+
+$wpq = new wpq;
+$wpq->interesting =& ret_assoc();
+$x = $wpq->interesting;
+printf("%s\n", $x);
+--EXPECTF--
+Notice: Undefined property: wpq::$interesting in %sbug69732.php on line 6
+
+Notice: Indirect modification of overloaded property wpq::$interesting has no effect in %sbug69732.php on line 16
+
+Strict Standards: Only variables should be assigned by reference in %sbug69732.php on line 16
+
+Notice: Undefined property: wpq::$interesting in %sbug69732.php on line 6
+XXX
diff --git a/Zend/zend_vm_def.h b/Zend/zend_vm_def.h
index 040ab74db0..94b65e4939 100644
--- a/Zend/zend_vm_def.h
+++ b/Zend/zend_vm_def.h
@@ -1762,7 +1762,9 @@ ZEND_VM_HANDLER(38, ZEND_ASSIGN, VAR|CV, CONST|TMP|VAR|CV)
 }
 }
- FREE_OP1_VAR_PTR();
+ if (OP1_TYPE == IS_VAR && OP1_FREE) {
+ zval_ptr_dtor(&value);
+ }
 /* zend_assign_to_variable() always takes care of op2, never free it! */
 FREE_OP2_IF_VAR();
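Review bot: The new guard in ZEND_ASSIGN tests `OP1_FREE` but then releases `value`, so the pointer whose ownership is checked and the pointer that is freed are no longer the same zval, and nothing in the hunk explains why that is balanced. It is only correct on paths where `value` has already been reassigned to the zval that op1's reference now lives on; any earlier branch of the handler that leaves `value` as the op2 operand would drop a reference op1 never held, which could trade the reported crash for a use-after-free or a leak. The handler body starts outside the hunk, so this cannot be confirmed from the lines shown. If the intent is what it appears to be, I would add a comment above the check such as `/* op1's reference is released through value; free_op1.var may be stale after the assignment */` and verify each branch above against it. The generated handlers in zend_vm_execute.h repeat the same pattern and inherit the same question.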
diff --git a/Zend/zend_vm_execute.h b/Zend/zend_vm_execute.h
index 6ab02321d5..0b2b24c46e 100644
--- a/Zend/zend_vm_execute.h
+++ b/Zend/zend_vm_execute.h
@@ -15307,7 +15307,9 @@ static int ZEND_FASTCALL ZEND_ASSIGN_SPEC_VAR_CONST_HANDLER(ZEND_OPCODE_HANDLER
 }
 }
- if (free_op1.var) {zval_ptr_dtor(&free_op1.var);};
+ if (IS_VAR == IS_VAR && (free_op1.var != NULL)) {
+ zval_ptr_dtor(&value);
+ }
 /* zend_assign_to_variable() always takes care of op2, never free it! */
@@ -17662,7 +17664,9 @@ static int ZEND_FASTCALL ZEND_ASSIGN_SPEC_VAR_TMP_HANDLER(ZEND_OPCODE_HANDLER_A
 }
 }
- if (free_op1.var) {zval_ptr_dtor(&free_op1.var);};
+ if (IS_VAR == IS_VAR && (free_op1.var != NULL)) {
+ zval_ptr_dtor(&value);
+ }
 /* zend_assign_to_variable() always takes care of op2, never free it! */
@@ -19923,7 +19927,9 @@ static int ZEND_FASTCALL ZEND_ASSIGN_SPEC_VAR_VAR_HANDLER(ZEND_OPCODE_HANDLER_A
 }
 }
- if (free_op1.var) {zval_ptr_dtor(&free_op1.var);};
+ if (IS_VAR == IS_VAR && (free_op1.var != NULL)) {
+ zval_ptr_dtor(&value);
+ }
 /* zend_assign_to_variable() always takes care of op2, never free it! */
 if (free_op2.var) {zval_ptr_dtor(&free_op2.var);};
@@ -23395,7 +23401,9 @@ static int ZEND_FASTCALL ZEND_ASSIGN_SPEC_VAR_CV_HANDLER(ZEND_OPCODE_HANDLER_AR
 }
 }
- if (free_op1.var) {zval_ptr_dtor(&free_op1.var);};
+ if (IS_VAR == IS_VAR && (free_op1.var != NULL)) {
+ zval_ptr_dtor(&value);
+ }
 /* zend_assign_to_variable() always takes care of op2, never free it! */
@@ -32828,6 +32836,10 @@ static int ZEND_FASTCALL ZEND_ASSIGN_SPEC_CV_CONST_HANDLER(ZEND_OPCODE_HANDLER_
 }
 }
+ if (IS_CV == IS_VAR && 0) {
+ zval_ptr_dtor(&value);
+ }
+
 /* zend_assign_to_variable() always takes care of op2, never free it! */
 CHECK_EXCEPTION();
@@ -34948,6 +34960,10 @@ static int ZEND_FASTCALL ZEND_ASSIGN_SPEC_CV_TMP_HANDLER(ZEND_OPCODE_HANDLER_AR
 }
 }
+ if (IS_CV == IS_VAR && 0) {
+ zval_ptr_dtor(&value);
+ }
+
 /* zend_assign_to_variable() always takes care of op2, never free it! */
 CHECK_EXCEPTION();
@@ -37071,6 +37087,10 @@ static int ZEND_FASTCALL ZEND_ASSIGN_SPEC_CV_VAR_HANDLER(ZEND_OPCODE_HANDLER_AR
 }
 }
+ if (IS_CV == IS_VAR && 0) {
+ zval_ptr_dtor(&value);
+ }
+
 /* zend_assign_to_variable() always takes care of op2, never free it! */
 if (free_op2.var) {zval_ptr_dtor(&free_op2.var);};
@@ -40256,6 +40276,10 @@ static int ZEND_FASTCALL ZEND_ASSIGN_SPEC_CV_CV_HANDLER(ZEND_OPCODE_HANDLER_ARG
 }
 }
+ if (IS_CV == IS_VAR && 0) {
+ zval_ptr_dtor(&value);
+ }
+
 /* zend_assign_to_variable() always takes care of op2, never free it! */
 CHECK_EXCEPTION();