From: Dmitry Stogov
Date: Mon, 19 Mar 2007 18:31:30 +0000 (+0000)
Subject: Fixed bug #40833 (Crash when using unset() on an ArrayAccess object retrieved via...
X-Git-Tag: php-5.2.2RC1~123
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=b0a875104eabf24cf2f210655d84b18b01a00791;p=php
Fixed bug #40833 (Crash when using unset() on an ArrayAccess object retrieved via __get())
---
diff --git a/NEWS b/NEWS
index 4609f7c88d..766c9b44b0 100644
--- a/NEWS
+++ b/NEWS
@@ -23,6 +23,8 @@ PHP NEWS
 - Fixed CVE-2007-1001, GD wbmp used with invalid image size (Pierre)
 - Fixed bug #40848 (sorting issue on 64-bit Solaris). (Wez)
 - Fixed bug #40836 (Segfault in ext/dom). (Rob)
+- Fixed bug #40833 (Crash when using unset() on an ArrayAccess object retrieved
+ via __get()). (Dmitry)
 - Fixed bug #40815 (using strings like "class::func" and static methods in
 set_exception_handler() might result in crash). (Tony)
 - Fixed bug #40805 (Failure executing function ibase_execute()). (Tony)
diff --git a/Zend/tests/bug40833.phpt b/Zend/tests/bug40833.phpt
new file mode 100755
index 0000000000..c56ca4c3ba
--- /dev/null
+++ b/Zend/tests/bug40833.phpt
@@ -0,0 +1,72 @@
+--TEST--
+Bug #40833 (Crash when using unset() on an ArrayAccess object retrieved via __get)
+--FILE--
+data[$name]) )
+ return $this->data[$name];
+ else
+ return $this->data[$name] = new set($this);
+ }
+
+ function __set($name, $value)
+ {
+ $this->modified[$name] = $value;
+ }
+ }
+
+ class set implements ArrayAccess
+ {
+ private $entity;
+
+ function __construct($entity)
+ {
+ $this->entity = $entity;
+ $this->entity->whatever = $this;
+ }
+
+ function clear() {
+ $this->entity->whatever = null;
+ }
+
+ function offsetUnset($offset)
+ {
+ $this->clear();
+// $this->entity->{$this->name} = null;
+ }
+
+ function offsetSet($offset, $value)
+ {
+ }
+
+ function offsetGet($offset)
+ {
+ return 'Bogus ';
+ }
+
+ function offsetExists($offset)
+ {
+ }
+ }
+
+ $entity = new entity();
+ echo($entity->whatever[0]);
+
+ //This will crash
+// $entity->whatever->clear();
+ unset($entity->whatever[0]);
+
+ //This will not crash (comment previous & uncomment this to test
+// $test = $entity->whatever; unset($test[0]);
+
+ echo($entity->whatever[0]);
+ echo "ok\n";
+?>
+--EXPECT--
+Bogus Bogus ok
diff --git a/Zend/zend_vm_def.h b/Zend/zend_vm_def.h
index 6bff73987c..bad088a2d7 100644
--- a/Zend/zend_vm_def.h
+++ b/Zend/zend_vm_def.h
@@ -1328,7 +1328,7 @@ ZEND_VM_HANDLER(97, ZEND_FETCH_OBJ_UNSET, VAR|UNUSED|CV, CONST|TMP|VAR|CV)
 if (IS_OP2_TMP_FREE()) {
 MAKE_REAL_ZVAL_PTR(property);
 }
- zend_fetch_property_address(RETURN_VALUE_UNUSED(&opline->result)?NULL:&EX_T(opline->result.u.var), container, property, BP_VAR_R TSRMLS_CC);
+ zend_fetch_property_address(RETURN_VALUE_UNUSED(&opline->result)?NULL:&EX_T(opline->result.u.var), container, property, BP_VAR_UNSET TSRMLS_CC);
 if (IS_OP2_TMP_FREE()) {
 zval_ptr_dtor(&property);
 } else {
diff --git a/Zend/zend_vm_execute.h b/Zend/zend_vm_execute.h
index 7ef731e2c7..d64f9f4ee9 100644
--- a/Zend/zend_vm_execute.h
+++ b/Zend/zend_vm_execute.h
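Review bot: The new Zend/tests/bug40833.phpt exercises only one operand shape, `unset($entity->whatever[0])` with a literal property name on a script-level variable, while the same commit changes every VAR/UNUSED/CV by CONST/TMP/VAR/CV specialisation of the handler. Since this is a memory-safety regression test, I would add at least a case that runs the unset from inside a method (`unset($this->whatever[0]);`) and one with a computed property name (`$name = 'whatever'; unset($entity->{$name}[0]);`), so more than one generated handler is covered; which handler each form compiles to should be confirmed against the compiler. The `//This will crash` comment and the two commented-out alternatives describe the pre-fix state and will mislead readers once the fix is in; reword the comment to `// crashed before the fix for bug #40833` and drop the dead lines.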
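Review bot: In the Zend/zend_vm_def.h hunk the whole fix is the fetch-mode argument of `zend_fetch_property_address(...)`, and nothing at the call says why `BP_VAR_UNSET` is required there, so a later clean-up could turn it back into a read fetch and reintroduce the crash. I would put a comment directly above the call, for example `/* fetch for unset, not read: see bug #40833 (unset() on an ArrayAccess object returned by __get()) */`. How `zend_fetch_property_address` and the object's read_property handler treat `BP_VAR_UNSET` is outside this diff, so that path should be confirmed to be the one that keeps the value returned by `__get()` alive until the unset completes. It is also worth checking that the sibling fetch-for-unset handler for dimensions (`ZEND_FETCH_DIM_UNSET`) passes the unset mode rather than a read mode. The handler body starts and ends outside the hunk, and the zend_vm_execute.h hunks that follow are the generated copies of this one line.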
@@ -9185,7 +9185,7 @@ static int ZEND_FETCH_OBJ_UNSET_SPEC_VAR_CONST_HANDLER(ZEND_OPCODE_HANDLER_ARGS) if (0) { MAKE_REAL_ZVAL_PTR(property); } - zend_fetch_property_address(RETURN_VALUE_UNUSED(&opline->result)?NULL:&EX_T(opline->result.u.var), container, property, BP_VAR_R TSRMLS_CC); + zend_fetch_property_address(RETURN_VALUE_UNUSED(&opline->result)?NULL:&EX_T(opline->result.u.var), container, property, BP_VAR_UNSET TSRMLS_CC); if (0) { zval_ptr_dtor(&property); } else { @@ -10670,7 +10670,7 @@ static int ZEND_FETCH_OBJ_UNSET_SPEC_VAR_TMP_HANDLER(ZEND_OPCODE_HANDLER_ARGS) if (1) { MAKE_REAL_ZVAL_PTR(property); } - zend_fetch_property_address(RETURN_VALUE_UNUSED(&opline->result)?NULL:&EX_T(opline->result.u.var), container, property, BP_VAR_R TSRMLS_CC); + zend_fetch_property_address(RETURN_VALUE_UNUSED(&opline->result)?NULL:&EX_T(opline->result.u.var), container, property, BP_VAR_UNSET TSRMLS_CC); if (1) { zval_ptr_dtor(&property); } else { @@ -12158,7 +12158,7 @@ static int ZEND_FETCH_OBJ_UNSET_SPEC_VAR_VAR_HANDLER(ZEND_OPCODE_HANDLER_ARGS) if (0) { MAKE_REAL_ZVAL_PTR(property); } - zend_fetch_property_address(RETURN_VALUE_UNUSED(&opline->result)?NULL:&EX_T(opline->result.u.var), container, property, BP_VAR_R TSRMLS_CC); + zend_fetch_property_address(RETURN_VALUE_UNUSED(&opline->result)?NULL:&EX_T(opline->result.u.var), container, property, BP_VAR_UNSET TSRMLS_CC); if (0) { zval_ptr_dtor(&property); } else { @@ -14118,7 +14118,7 @@ static int ZEND_FETCH_OBJ_UNSET_SPEC_VAR_CV_HANDLER(ZEND_OPCODE_HANDLER_ARGS) if (0) { MAKE_REAL_ZVAL_PTR(property); } - zend_fetch_property_address(RETURN_VALUE_UNUSED(&opline->result)?NULL:&EX_T(opline->result.u.var), container, property, BP_VAR_R TSRMLS_CC); + zend_fetch_property_address(RETURN_VALUE_UNUSED(&opline->result)?NULL:&EX_T(opline->result.u.var), container, property, BP_VAR_UNSET TSRMLS_CC); if (0) { zval_ptr_dtor(&property); } else { 
@@ -15358,7 +15358,7 @@ static int ZEND_FETCH_OBJ_UNSET_SPEC_UNUSED_CONST_HANDLER(ZEND_OPCODE_HANDLER_AR if (0) { MAKE_REAL_ZVAL_PTR(property); } - zend_fetch_property_address(RETURN_VALUE_UNUSED(&opline->result)?NULL:&EX_T(opline->result.u.var), container, property, BP_VAR_R TSRMLS_CC); + zend_fetch_property_address(RETURN_VALUE_UNUSED(&opline->result)?NULL:&EX_T(opline->result.u.var), container, property, BP_VAR_UNSET TSRMLS_CC); if (0) { zval_ptr_dtor(&property); } else { @@ -16362,7 +16362,7 @@ static int ZEND_FETCH_OBJ_UNSET_SPEC_UNUSED_TMP_HANDLER(ZEND_OPCODE_HANDLER_ARGS if (1) { MAKE_REAL_ZVAL_PTR(property); } - zend_fetch_property_address(RETURN_VALUE_UNUSED(&opline->result)?NULL:&EX_T(opline->result.u.var), container, property, BP_VAR_R TSRMLS_CC); + zend_fetch_property_address(RETURN_VALUE_UNUSED(&opline->result)?NULL:&EX_T(opline->result.u.var), container, property, BP_VAR_UNSET TSRMLS_CC); if (1) { zval_ptr_dtor(&property); } else { @@ -17326,7 +17326,7 @@ static int ZEND_FETCH_OBJ_UNSET_SPEC_UNUSED_VAR_HANDLER(ZEND_OPCODE_HANDLER_ARGS if (0) { MAKE_REAL_ZVAL_PTR(property); } - zend_fetch_property_address(RETURN_VALUE_UNUSED(&opline->result)?NULL:&EX_T(opline->result.u.var), container, property, BP_VAR_R TSRMLS_CC); + zend_fetch_property_address(RETURN_VALUE_UNUSED(&opline->result)?NULL:&EX_T(opline->result.u.var), container, property, BP_VAR_UNSET TSRMLS_CC); if (0) { zval_ptr_dtor(&property); } else { @@ -18555,7 +18555,7 @@ static int ZEND_FETCH_OBJ_UNSET_SPEC_UNUSED_CV_HANDLER(ZEND_OPCODE_HANDLER_ARGS) if (0) { MAKE_REAL_ZVAL_PTR(property); } - zend_fetch_property_address(RETURN_VALUE_UNUSED(&opline->result)?NULL:&EX_T(opline->result.u.var), container, property, BP_VAR_R TSRMLS_CC); + zend_fetch_property_address(RETURN_VALUE_UNUSED(&opline->result)?NULL:&EX_T(opline->result.u.var), container, property, BP_VAR_UNSET TSRMLS_CC); if (0) { zval_ptr_dtor(&property); } else { 
@@ -21096,7 +21096,7 @@ static int ZEND_FETCH_OBJ_UNSET_SPEC_CV_CONST_HANDLER(ZEND_OPCODE_HANDLER_ARGS) if (0) { MAKE_REAL_ZVAL_PTR(property); } - zend_fetch_property_address(RETURN_VALUE_UNUSED(&opline->result)?NULL:&EX_T(opline->result.u.var), container, property, BP_VAR_R TSRMLS_CC); + zend_fetch_property_address(RETURN_VALUE_UNUSED(&opline->result)?NULL:&EX_T(opline->result.u.var), container, property, BP_VAR_UNSET TSRMLS_CC); if (0) { zval_ptr_dtor(&property); } else { @@ -22573,7 +22573,7 @@ static int ZEND_FETCH_OBJ_UNSET_SPEC_CV_TMP_HANDLER(ZEND_OPCODE_HANDLER_ARGS) if (1) { MAKE_REAL_ZVAL_PTR(property); } - zend_fetch_property_address(RETURN_VALUE_UNUSED(&opline->result)?NULL:&EX_T(opline->result.u.var), container, property, BP_VAR_R TSRMLS_CC); + zend_fetch_property_address(RETURN_VALUE_UNUSED(&opline->result)?NULL:&EX_T(opline->result.u.var), container, property, BP_VAR_UNSET TSRMLS_CC); if (1) { zval_ptr_dtor(&property); } else { @@ -24053,7 +24053,7 @@ static int ZEND_FETCH_OBJ_UNSET_SPEC_CV_VAR_HANDLER(ZEND_OPCODE_HANDLER_ARGS) if (0) { MAKE_REAL_ZVAL_PTR(property); } - zend_fetch_property_address(RETURN_VALUE_UNUSED(&opline->result)?NULL:&EX_T(opline->result.u.var), container, property, BP_VAR_R TSRMLS_CC); + zend_fetch_property_address(RETURN_VALUE_UNUSED(&opline->result)?NULL:&EX_T(opline->result.u.var), container, property, BP_VAR_UNSET TSRMLS_CC); if (0) { zval_ptr_dtor(&property); } else { @@ -26003,7 +26003,7 @@ static int ZEND_FETCH_OBJ_UNSET_SPEC_CV_CV_HANDLER(ZEND_OPCODE_HANDLER_ARGS) if (0) { MAKE_REAL_ZVAL_PTR(property); } - zend_fetch_property_address(RETURN_VALUE_UNUSED(&opline->result)?NULL:&EX_T(opline->result.u.var), container, property, BP_VAR_R TSRMLS_CC); + zend_fetch_property_address(RETURN_VALUE_UNUSED(&opline->result)?NULL:&EX_T(opline->result.u.var), container, property, BP_VAR_UNSET TSRMLS_CC); if (0) { zval_ptr_dtor(&property); } else {