From: Dmitry Stogov <dmitry@zend.com>
Date: Mon, 14 Aug 2017 09:11:25 +0000 (+0300)
Subject: Fixed attempt to free invalid structure (result of ROPE_INIT is not a zval)
X-Git-Tag: php-7.2.0beta3~13
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=cd6893aed11d3368eaf10a0676031ee2608c7559;p=php

Fixed attempt to free invalid structure (result of ROPE_INIT is not a zval)
---

diff --git a/Zend/tests/temporary_cleaning_015.phpt b/Zend/tests/temporary_cleaning_015.phpt
new file mode 100644
index 0000000000..7690abba76
--- /dev/null
+++ b/Zend/tests/temporary_cleaning_015.phpt
@@ -0,0 +1,17 @@
+--TEST--
+Attempt to free invalid structure (result of ROPE_INIT is not a zval)
+--FILE--
+<?php
+set_error_handler(function () {
+	throw new Exception();
+});
+$a = [];
+$b = "";
+try {
+	 echo "$a$b\n";
+} catch (Exception $ex) {
+}
+?>
+DONE
+--EXPECT--
+DONE
diff --git a/Zend/zend_vm_def.h b/Zend/zend_vm_def.h
index f8538e02c4..1c3668088e 100644
--- a/Zend/zend_vm_def.h
+++ b/Zend/zend_vm_def.h
@@ -7080,6 +7080,7 @@ ZEND_VM_HANDLER(149, ZEND_HANDLE_EXCEPTION, ANY, ANY)
 	if (throw_op->result_type & (IS_VAR | IS_TMP_VAR)) {
 		switch (throw_op->opcode) {
 			case ZEND_ADD_ARRAY_ELEMENT:
+			case ZEND_ROPE_INIT:
 			case ZEND_ROPE_ADD:
 				break; /* exception while building structures, live range handling will free those */
 
diff --git a/Zend/zend_vm_execute.h b/Zend/zend_vm_execute.h
index 4ca3fa4819..6b83684b7f 100644
--- a/Zend/zend_vm_execute.h
+++ b/Zend/zend_vm_execute.h
@@ -1776,6 +1776,7 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_HANDLE_EXCEPTION_SPEC_HANDLER(
 	if (throw_op->result_type & (IS_VAR | IS_TMP_VAR)) {
 		switch (throw_op->opcode) {
 			case ZEND_ADD_ARRAY_ELEMENT:
+			case ZEND_ROPE_INIT:
 			case ZEND_ROPE_ADD:
 				break; /* exception while building structures, live range handling will free those */