From 16a2b47394a3f8c3d7c2b8eaba59da0e4beca171 Mon Sep 17 00:00:00 2001
From: Xinchen Hui <laruence@gmail.com>
Date: Thu, 7 Jan 2016 07:05:17 -0800
Subject: [PATCH] Fixed bug #71300 (Segfault in zend_fetch_string_offset)

---
 NEWS                     |  1 +
 Zend/tests/bug71300.phpt | 28 ++++++++++++++++++++++++++++
 Zend/zend_compile.c      | 10 +++++++---
 3 files changed, 36 insertions(+), 3 deletions(-)
 create mode 100644 Zend/tests/bug71300.phpt

diff --git a/NEWS b/NEWS
index d33a8fdc4f..b5f5a32b46 100644
--- a/NEWS
+++ b/NEWS
@@ -3,6 +3,7 @@ PHP                                                                        NEWS
 ?? ??? 2016 PHP 7.0.3
 
 - Core:
+  . Fixed bug #71300 (Segfault in zend_fetch_string_offset). (Laruence)
   . Fixed bug #71221 (Null pointer deref (segfault) in get_defined_vars via
     ob_start). (hugh at allthethings dot co dot nz)
   . Fixed bug #71201 (round() segfault on 64-bit builds). (Anatol)
diff --git a/Zend/tests/bug71300.phpt b/Zend/tests/bug71300.phpt
new file mode 100644
index 0000000000..3589c4764e
--- /dev/null
+++ b/Zend/tests/bug71300.phpt
@@ -0,0 +1,28 @@
+--TEST--
+Bug #71300 (Segfault in zend_fetch_string_offset)
+--FILE--
+<?php
+function test1() {
+	for ($n = 'a'; $n < 'g'; $n++) {
+		$$n = 1;
+	}
+	$$n = $$n[++$n] = "test";
+	return $$n;
+}
+
+var_dump(test1());
+
+function test2() {
+    /* See #71303 for why not using for loop here */
+	$n = "a";
+	$$n .= $$n[++$n] = "test";
+	return $$n;
+}
+
+var_dump(test2());
+?>
+--EXPECTF--
+string(4) "test"
+
+Notice: Array to string conversion in %sbug71300.php on line %d
+string(9) "Arraytest"
diff --git a/Zend/zend_compile.c b/Zend/zend_compile.c
index 44ae08d409..1c30b98a9f 100644
--- a/Zend/zend_compile.c
+++ b/Zend/zend_compile.c
@@ -1999,7 +1999,7 @@ static zend_op *zend_delayed_compile_end(uint32_t offset) /* {{{ */
 	zend_op *opline = NULL, *oplines = zend_stack_base(&CG(delayed_oplines_stack));
 	uint32_t i, count = zend_stack_count(&CG(delayed_oplines_stack));
 
-	ZEND_ASSERT(count > offset);
+	ZEND_ASSERT(count >= offset);
 	for (i = offset; i < count; ++i) {
 		opline = get_next_op(CG(active_op_array));
 		memcpy(opline, &oplines[i], sizeof(zend_op));
@@ -2535,8 +2535,10 @@ void zend_compile_assign(znode *result, zend_ast *ast) /* {{{ */
 	switch (var_ast->kind) {
 		case ZEND_AST_VAR:
 		case ZEND_AST_STATIC_PROP:
-			zend_compile_var(&var_node, var_ast, BP_VAR_W);
+			offset = zend_delayed_compile_begin();
+			zend_delayed_compile_var(&var_node, var_ast, BP_VAR_W);
 			zend_compile_expr(&expr_node, expr_ast);
+			zend_delayed_compile_end(offset);
 			zend_emit_op(result, ZEND_ASSIGN, &var_node, &expr_node);
 			return;
 		case ZEND_AST_DIM:
@@ -2634,8 +2636,10 @@ void zend_compile_compound_assign(znode *result, zend_ast *ast) /* {{{ */
 	switch (var_ast->kind) {
 		case ZEND_AST_VAR:
 		case ZEND_AST_STATIC_PROP:
-			zend_compile_var(&var_node, var_ast, BP_VAR_RW);
+			offset = zend_delayed_compile_begin();
+			zend_delayed_compile_var(&var_node, var_ast, BP_VAR_RW);
 			zend_compile_expr(&expr_node, expr_ast);
+			zend_delayed_compile_end(offset);
 			zend_emit_op(result, opcode, &var_node, &expr_node);
 			return;
 		case ZEND_AST_DIM:
-- 
2.40.0