From 06fe956460f93041abdaf4a12ccde43d317fa20c Mon Sep 17 00:00:00 2001
From: Xinchen Hui <laruence@gmail.com>
Date: Sat, 14 Nov 2015 18:41:55 -0800
Subject: [PATCH] Fixed Bug #70918 (Segfault using static outside of class
 scope)

---
 Zend/tests/bug70918.phpt | 26 ++++++++++++++++++++++++++
 Zend/zend_vm_def.h       |  4 ++++
 Zend/zend_vm_execute.h   | 12 ++++++++++++
 3 files changed, 42 insertions(+)
 create mode 100644 Zend/tests/bug70918.phpt

diff --git a/Zend/tests/bug70918.phpt b/Zend/tests/bug70918.phpt
new file mode 100644
index 0000000000..68eaef43a3
--- /dev/null
+++ b/Zend/tests/bug70918.phpt
@@ -0,0 +1,26 @@
+--TEST--
+Bug #70918 (Segfault using static outside of class scope)
+--FILE--
+<?php
+try {
+	static::x;
+} catch (Error $e) {
+	var_dump($e->getMessage());
+}
+
+try {
+	parent::x;
+} catch (Error $e) {
+	var_dump($e->getMessage());
+}
+
+try {
+	self::x;
+} catch (Error $e) {
+	var_dump($e->getMessage());
+}
+?>
+--EXPECT--
+string(52) "Cannot access static:: when no class scope is active"
+string(52) "Cannot access parent:: when no class scope is active"
+string(50) "Cannot access self:: when no class scope is active"
diff --git a/Zend/zend_vm_def.h b/Zend/zend_vm_def.h
index 093f9f851e..1096296395 100644
--- a/Zend/zend_vm_def.h
+++ b/Zend/zend_vm_def.h
@@ -5180,6 +5180,10 @@ ZEND_VM_HANDLER(181, ZEND_FETCH_CLASS_CONSTANT, VAR|CONST|UNUSED, CONST)
 		} else {
 			if (OP1_TYPE == IS_UNUSED) {
 				ce = zend_fetch_class(NULL, opline->op1.num);
+				if (UNEXPECTED(ce == NULL)) {
+					ZEND_ASSERT(EG(exception));
+					HANDLE_EXCEPTION();
+				}
 			} else {
 				ce = Z_CE_P(EX_VAR(opline->op1.var));
 			}
diff --git a/Zend/zend_vm_execute.h b/Zend/zend_vm_execute.h
index a2e63a1a8d..d780218539 100644
--- a/Zend/zend_vm_execute.h
+++ b/Zend/zend_vm_execute.h
@@ -5841,6 +5841,10 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_FETCH_CLASS_CONSTANT_SPEC_CONS
 		} else {
 			if (IS_CONST == IS_UNUSED) {
 				ce = zend_fetch_class(NULL, opline->op1.num);
+				if (UNEXPECTED(ce == NULL)) {
+					ZEND_ASSERT(EG(exception));
+					HANDLE_EXCEPTION();
+				}
 			} else {
 				ce = Z_CE_P(EX_VAR(opline->op1.var));
 			}
@@ -17507,6 +17511,10 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_FETCH_CLASS_CONSTANT_SPEC_VAR_
 		} else {
 			if (IS_VAR == IS_UNUSED) {
 				ce = zend_fetch_class(NULL, opline->op1.num);
+				if (UNEXPECTED(ce == NULL)) {
+					ZEND_ASSERT(EG(exception));
+					HANDLE_EXCEPTION();
+				}
 			} else {
 				ce = Z_CE_P(EX_VAR(opline->op1.var));
 			}
@@ -23906,6 +23914,10 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_FETCH_CLASS_CONSTANT_SPEC_UNUS
 		} else {
 			if (IS_UNUSED == IS_UNUSED) {
 				ce = zend_fetch_class(NULL, opline->op1.num);
+				if (UNEXPECTED(ce == NULL)) {
+					ZEND_ASSERT(EG(exception));
+					HANDLE_EXCEPTION();
+				}
 			} else {
 				ce = Z_CE_P(EX_VAR(opline->op1.var));
 			}
-- 
2.40.0