From: Stanislav Malyshev Date: Thu, 8 Mar 2007 21:06:54 +0000 (+0000) Subject: MFB: fix crash on $x['x']['y'] += 1, patch by Brian Shire X-Git-Tag: RELEASE_1_0_1~67 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=d3b90533fc91ab4ffbb92c8d4e6afa5e735bea76;p=php MFB: fix crash on $x['x']['y'] += 1, patch by Brian Shire --- diff --git a/Zend/zend_vm_def.h b/Zend/zend_vm_def.h index 575c48067f..0c8edd28e5 100644 --- a/Zend/zend_vm_def.h +++ b/Zend/zend_vm_def.h @@ -408,11 +408,11 @@ ZEND_VM_HELPER_EX(zend_binary_assign_op_helper, VAR|UNUSED|CV, CONST|TMP|VAR|UNU case ZEND_ASSIGN_DIM: { zval **object_ptr = GET_OP1_OBJ_ZVAL_PTR_PTR(BP_VAR_W); - if (OP1_TYPE != IS_CV && !OP1_FREE) { + if (object_ptr && OP1_TYPE != IS_CV && !OP1_FREE) { (*object_ptr)->refcount++; /* undo the effect of get_obj_zval_ptr_ptr() */ } - if (Z_TYPE_PP(object_ptr) == IS_OBJECT) { + if (object_ptr && Z_TYPE_PP(object_ptr) == IS_OBJECT) { ZEND_VM_DISPATCH_TO_HELPER_EX(zend_binary_assign_op_obj_helper, binary_op, binary_op); } else { zend_op *op_data = opline+1; diff --git a/Zend/zend_vm_execute.h b/Zend/zend_vm_execute.h index a5bb4c3976..ea117d9eff 100644 --- a/Zend/zend_vm_execute.h +++ b/Zend/zend_vm_execute.h @@ -8886,11 +8886,11 @@ static int zend_binary_assign_op_helper_SPEC_VAR_CONST(int (*binary_op)(zval *re case ZEND_ASSIGN_DIM: { zval **object_ptr = _get_zval_ptr_ptr_var(&opline->op1, EX(Ts), &free_op1 TSRMLS_CC); - if (IS_VAR != IS_CV && !(free_op1.var != NULL)) { + if (object_ptr && IS_VAR != IS_CV && !(free_op1.var != NULL)) { (*object_ptr)->refcount++; /* undo the effect of get_obj_zval_ptr_ptr() */ } - if (Z_TYPE_PP(object_ptr) == IS_OBJECT) { + if (object_ptr && Z_TYPE_PP(object_ptr) == IS_OBJECT) { return zend_binary_assign_op_obj_helper_SPEC_VAR_CONST(binary_op, ZEND_OPCODE_HANDLER_ARGS_PASSTHRU); } else { zend_op *op_data = opline+1; 
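Review bot: With `object_ptr` NULL, the second guard `if (object_ptr && Z_TYPE_PP(object_ptr) == IS_OBJECT)` in the zend_vm_def.h hunk sends execution into the `else` branch, which starts at `zend_op *op_data = opline+1;` and continues outside the hunk, so the lines shown cannot confirm whether the NULL pointer is rejected there or dereferenced later. A comment at the declaration would record the contract, e.g. `/* object_ptr may be NULL (e.g. $x['x']['y'] += 1); the non-object path below must handle it */`, or an explicit early `if (!object_ptr)` error path would make the failure deliberate instead of depending on the callee. The same two guards are repeated in every generated specialisation in zend_vm_execute.h, so the point applies to those hunks as well. The patch as shown also carries no regression test for the crashing expression named in the subject line; a test for `$x['x']['y'] += 1` would keep this null-pointer crash from returning.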
@@ -10424,11 +10424,11 @@ static int zend_binary_assign_op_helper_SPEC_VAR_TMP(int (*binary_op)(zval *resu case ZEND_ASSIGN_DIM: { zval **object_ptr = _get_zval_ptr_ptr_var(&opline->op1, EX(Ts), &free_op1 TSRMLS_CC); - if (IS_VAR != IS_CV && !(free_op1.var != NULL)) { + if (object_ptr && IS_VAR != IS_CV && !(free_op1.var != NULL)) { (*object_ptr)->refcount++; /* undo the effect of get_obj_zval_ptr_ptr() */ } - if (Z_TYPE_PP(object_ptr) == IS_OBJECT) { + if (object_ptr && Z_TYPE_PP(object_ptr) == IS_OBJECT) { return zend_binary_assign_op_obj_helper_SPEC_VAR_TMP(binary_op, ZEND_OPCODE_HANDLER_ARGS_PASSTHRU); } else { zend_op *op_data = opline+1; @@ -11966,11 +11966,11 @@ static int zend_binary_assign_op_helper_SPEC_VAR_VAR(int (*binary_op)(zval *resu case ZEND_ASSIGN_DIM: { zval **object_ptr = _get_zval_ptr_ptr_var(&opline->op1, EX(Ts), &free_op1 TSRMLS_CC); - if (IS_VAR != IS_CV && !(free_op1.var != NULL)) { + if (object_ptr && IS_VAR != IS_CV && !(free_op1.var != NULL)) { (*object_ptr)->refcount++; /* undo the effect of get_obj_zval_ptr_ptr() */ } - if (Z_TYPE_PP(object_ptr) == IS_OBJECT) { + if (object_ptr && Z_TYPE_PP(object_ptr) == IS_OBJECT) { return zend_binary_assign_op_obj_helper_SPEC_VAR_VAR(binary_op, ZEND_OPCODE_HANDLER_ARGS_PASSTHRU); } else { zend_op *op_data = opline+1; @@ -13312,11 +13312,11 @@ static int zend_binary_assign_op_helper_SPEC_VAR_UNUSED(int (*binary_op)(zval *r case ZEND_ASSIGN_DIM: { zval **object_ptr = _get_zval_ptr_ptr_var(&opline->op1, EX(Ts), &free_op1 TSRMLS_CC); - if (IS_VAR != IS_CV && !(free_op1.var != NULL)) { + if (object_ptr && IS_VAR != IS_CV && !(free_op1.var != NULL)) { (*object_ptr)->refcount++; /* undo the effect of get_obj_zval_ptr_ptr() */ } - if (Z_TYPE_PP(object_ptr) == IS_OBJECT) { + if (object_ptr && Z_TYPE_PP(object_ptr) == IS_OBJECT) { return zend_binary_assign_op_obj_helper_SPEC_VAR_UNUSED(binary_op, ZEND_OPCODE_HANDLER_ARGS_PASSTHRU); } else { zend_op *op_data = opline+1; 
@@ -13982,11 +13982,11 @@ static int zend_binary_assign_op_helper_SPEC_VAR_CV(int (*binary_op)(zval *resul case ZEND_ASSIGN_DIM: { zval **object_ptr = _get_zval_ptr_ptr_var(&opline->op1, EX(Ts), &free_op1 TSRMLS_CC); - if (IS_VAR != IS_CV && !(free_op1.var != NULL)) { + if (object_ptr && IS_VAR != IS_CV && !(free_op1.var != NULL)) { (*object_ptr)->refcount++; /* undo the effect of get_obj_zval_ptr_ptr() */ } - if (Z_TYPE_PP(object_ptr) == IS_OBJECT) { + if (object_ptr && Z_TYPE_PP(object_ptr) == IS_OBJECT) { return zend_binary_assign_op_obj_helper_SPEC_VAR_CV(binary_op, ZEND_OPCODE_HANDLER_ARGS_PASSTHRU); } else { zend_op *op_data = opline+1; @@ -15402,11 +15402,11 @@ static int zend_binary_assign_op_helper_SPEC_UNUSED_CONST(int (*binary_op)(zval case ZEND_ASSIGN_DIM: { zval **object_ptr = _get_obj_zval_ptr_ptr_unused(TSRMLS_C); - if (IS_UNUSED != IS_CV && !0) { + if (object_ptr && IS_UNUSED != IS_CV && !0) { (*object_ptr)->refcount++; /* undo the effect of get_obj_zval_ptr_ptr() */ } - if (Z_TYPE_PP(object_ptr) == IS_OBJECT) { + if (object_ptr && Z_TYPE_PP(object_ptr) == IS_OBJECT) { return zend_binary_assign_op_obj_helper_SPEC_UNUSED_CONST(binary_op, ZEND_OPCODE_HANDLER_ARGS_PASSTHRU); } else { zend_op *op_data = opline+1; @@ -16460,11 +16460,11 @@ static int zend_binary_assign_op_helper_SPEC_UNUSED_TMP(int (*binary_op)(zval *r case ZEND_ASSIGN_DIM: { zval **object_ptr = _get_obj_zval_ptr_ptr_unused(TSRMLS_C); - if (IS_UNUSED != IS_CV && !0) { + if (object_ptr && IS_UNUSED != IS_CV && !0) { (*object_ptr)->refcount++; /* undo the effect of get_obj_zval_ptr_ptr() */ } - if (Z_TYPE_PP(object_ptr) == IS_OBJECT) { + if (object_ptr && Z_TYPE_PP(object_ptr) == IS_OBJECT) { return zend_binary_assign_op_obj_helper_SPEC_UNUSED_TMP(binary_op, ZEND_OPCODE_HANDLER_ARGS_PASSTHRU); } else { zend_op *op_data = opline+1; 
@@ -17477,11 +17477,11 @@ static int zend_binary_assign_op_helper_SPEC_UNUSED_VAR(int (*binary_op)(zval *r case ZEND_ASSIGN_DIM: { zval **object_ptr = _get_obj_zval_ptr_ptr_unused(TSRMLS_C); - if (IS_UNUSED != IS_CV && !0) { + if (object_ptr && IS_UNUSED != IS_CV && !0) { (*object_ptr)->refcount++; /* undo the effect of get_obj_zval_ptr_ptr() */ } - if (Z_TYPE_PP(object_ptr) == IS_OBJECT) { + if (object_ptr && Z_TYPE_PP(object_ptr) == IS_OBJECT) { return zend_binary_assign_op_obj_helper_SPEC_UNUSED_VAR(binary_op, ZEND_OPCODE_HANDLER_ARGS_PASSTHRU); } else { zend_op *op_data = opline+1; @@ -18494,11 +18494,11 @@ static int zend_binary_assign_op_helper_SPEC_UNUSED_UNUSED(int (*binary_op)(zval case ZEND_ASSIGN_DIM: { zval **object_ptr = _get_obj_zval_ptr_ptr_unused(TSRMLS_C); - if (IS_UNUSED != IS_CV && !0) { + if (object_ptr && IS_UNUSED != IS_CV && !0) { (*object_ptr)->refcount++; /* undo the effect of get_obj_zval_ptr_ptr() */ } - if (Z_TYPE_PP(object_ptr) == IS_OBJECT) { + if (object_ptr && Z_TYPE_PP(object_ptr) == IS_OBJECT) { return zend_binary_assign_op_obj_helper_SPEC_UNUSED_UNUSED(binary_op, ZEND_OPCODE_HANDLER_ARGS_PASSTHRU); } else { zend_op *op_data = opline+1; @@ -18760,11 +18760,11 @@ static int zend_binary_assign_op_helper_SPEC_UNUSED_CV(int (*binary_op)(zval *re case ZEND_ASSIGN_DIM: { zval **object_ptr = _get_obj_zval_ptr_ptr_unused(TSRMLS_C); - if (IS_UNUSED != IS_CV && !0) { + if (object_ptr && IS_UNUSED != IS_CV && !0) { (*object_ptr)->refcount++; /* undo the effect of get_obj_zval_ptr_ptr() */ } - if (Z_TYPE_PP(object_ptr) == IS_OBJECT) { + if (object_ptr && Z_TYPE_PP(object_ptr) == IS_OBJECT) { return zend_binary_assign_op_obj_helper_SPEC_UNUSED_CV(binary_op, ZEND_OPCODE_HANDLER_ARGS_PASSTHRU); } else { zend_op *op_data = opline+1; 
@@ -21332,11 +21332,11 @@ static int zend_binary_assign_op_helper_SPEC_CV_CONST(int (*binary_op)(zval *res case ZEND_ASSIGN_DIM: { zval **object_ptr = _get_zval_ptr_ptr_cv(&opline->op1, EX(Ts), BP_VAR_W TSRMLS_CC); - if (IS_CV != IS_CV && !0) { + if (object_ptr && IS_CV != IS_CV && !0) { (*object_ptr)->refcount++; /* undo the effect of get_obj_zval_ptr_ptr() */ } - if (Z_TYPE_PP(object_ptr) == IS_OBJECT) { + if (object_ptr && Z_TYPE_PP(object_ptr) == IS_OBJECT) { return zend_binary_assign_op_obj_helper_SPEC_CV_CONST(binary_op, ZEND_OPCODE_HANDLER_ARGS_PASSTHRU); } else { zend_op *op_data = opline+1; @@ -22862,11 +22862,11 @@ static int zend_binary_assign_op_helper_SPEC_CV_TMP(int (*binary_op)(zval *resul case ZEND_ASSIGN_DIM: { zval **object_ptr = _get_zval_ptr_ptr_cv(&opline->op1, EX(Ts), BP_VAR_W TSRMLS_CC); - if (IS_CV != IS_CV && !0) { + if (object_ptr && IS_CV != IS_CV && !0) { (*object_ptr)->refcount++; /* undo the effect of get_obj_zval_ptr_ptr() */ } - if (Z_TYPE_PP(object_ptr) == IS_OBJECT) { + if (object_ptr && Z_TYPE_PP(object_ptr) == IS_OBJECT) { return zend_binary_assign_op_obj_helper_SPEC_CV_TMP(binary_op, ZEND_OPCODE_HANDLER_ARGS_PASSTHRU); } else { zend_op *op_data = opline+1; @@ -24396,11 +24396,11 @@ static int zend_binary_assign_op_helper_SPEC_CV_VAR(int (*binary_op)(zval *resul case ZEND_ASSIGN_DIM: { zval **object_ptr = _get_zval_ptr_ptr_cv(&opline->op1, EX(Ts), BP_VAR_W TSRMLS_CC); - if (IS_CV != IS_CV && !0) { + if (object_ptr && IS_CV != IS_CV && !0) { (*object_ptr)->refcount++; /* undo the effect of get_obj_zval_ptr_ptr() */ } - if (Z_TYPE_PP(object_ptr) == IS_OBJECT) { + if (object_ptr && Z_TYPE_PP(object_ptr) == IS_OBJECT) { return zend_binary_assign_op_obj_helper_SPEC_CV_VAR(binary_op, ZEND_OPCODE_HANDLER_ARGS_PASSTHRU); } else { zend_op *op_data = opline+1; 
@@ -25733,11 +25733,11 @@ static int zend_binary_assign_op_helper_SPEC_CV_UNUSED(int (*binary_op)(zval *re case ZEND_ASSIGN_DIM: { zval **object_ptr = _get_zval_ptr_ptr_cv(&opline->op1, EX(Ts), BP_VAR_W TSRMLS_CC); - if (IS_CV != IS_CV && !0) { + if (object_ptr && IS_CV != IS_CV && !0) { (*object_ptr)->refcount++; /* undo the effect of get_obj_zval_ptr_ptr() */ } - if (Z_TYPE_PP(object_ptr) == IS_OBJECT) { + if (object_ptr && Z_TYPE_PP(object_ptr) == IS_OBJECT) { return zend_binary_assign_op_obj_helper_SPEC_CV_UNUSED(binary_op, ZEND_OPCODE_HANDLER_ARGS_PASSTHRU); } else { zend_op *op_data = opline+1; @@ -26402,11 +26402,11 @@ static int zend_binary_assign_op_helper_SPEC_CV_CV(int (*binary_op)(zval *result case ZEND_ASSIGN_DIM: { zval **object_ptr = _get_zval_ptr_ptr_cv(&opline->op1, EX(Ts), BP_VAR_W TSRMLS_CC); - if (IS_CV != IS_CV && !0) { + if (object_ptr && IS_CV != IS_CV && !0) { (*object_ptr)->refcount++; /* undo the effect of get_obj_zval_ptr_ptr() */ } - if (Z_TYPE_PP(object_ptr) == IS_OBJECT) { + if (object_ptr && Z_TYPE_PP(object_ptr) == IS_OBJECT) { return zend_binary_assign_op_obj_helper_SPEC_CV_CV(binary_op, ZEND_OPCODE_HANDLER_ARGS_PASSTHRU); } else { zend_op *op_data = opline+1;