From 239e69375139ad83c5132f818794718632f180b3 Mon Sep 17 00:00:00 2001
From: Dmitry Stogov <dmitry@php.net>
Date: Wed, 1 Dec 2004 14:01:58 +0000
Subject: [PATCH] Fixed bug #29883 (isset gives invalid values on strings).

---
 NEWS                     |  1 +
 Zend/tests/bug29883.phpt | 13 +++++++++++++
 Zend/zend_execute.c      | 12 ++++++++++--
 3 files changed, 24 insertions(+), 2 deletions(-)
 create mode 100644 Zend/tests/bug29883.phpt

diff --git a/NEWS b/NEWS
index 87066aedeb..b8ba25bd15 100644
--- a/NEWS
+++ b/NEWS
@@ -59,6 +59,7 @@ PHP                                                                        NEWS
 - Fixed bug #30027 (Possible crash inside ftp_get()).
   (cfield at affinitysolutions dot com)
 - Fixed bug #29954 (array_reduce segfaults when initial value is array). (Tony)
+- Fixed bug #29883 (isset gives invalid values on strings). (Tony, Dmitry)
 - Fixed bug #29801 (Set limit on the size of mmapable data). (Ilia)
 - Fixed bug #29557 (strtotime error). (Derick)
 - Fixed bug #29418 (double free when openssl_csr_new fails).
diff --git a/Zend/tests/bug29883.phpt b/Zend/tests/bug29883.phpt
new file mode 100644
index 0000000000..c92f147ff7
--- /dev/null
+++ b/Zend/tests/bug29883.phpt
@@ -0,0 +1,13 @@
+--TEST--
+Bug #29883 (isset gives invalid values on strings)
+--FILE--
+<?php
+$x = "bug";
+var_dump(isset($x[-1]));
+var_dump(isset($x["1"]));
+echo $x["1"]."\n";
+?>
+--EXPECT--
+bool(false)
+bool(true)
+u
diff --git a/Zend/zend_execute.c b/Zend/zend_execute.c
index f84a77ba92..5328ec18ab 100644
--- a/Zend/zend_execute.c
+++ b/Zend/zend_execute.c
@@ -4033,14 +4033,22 @@ static int zend_isset_isempty_dim_prop_obj_handler(int prop_dim, ZEND_OPCODE_HAN
 				result = Z_OBJ_HT_P(*container)->has_dimension(*container, offset, (opline->extended_value == ZEND_ISEMPTY) TSRMLS_CC);
 			}
 		} else if ((*container)->type == IS_STRING) { /* string offsets */
+			zval tmp_offset;
+
+			if (Z_TYPE_P(offset) != IS_LONG) {
+				tmp_offset = *offset;
+				zval_copy_ctor(&tmp_offset);
+				convert_to_long(&tmp_offset);
+				offset = &tmp_offset;
+			}
 			switch (opline->extended_value) {
 				case ZEND_ISSET:
-					if (offset->value.lval < Z_STRLEN_PP(container)) {
+					if (offset->value.lval >= 0 && offset->value.lval < Z_STRLEN_PP(container)) {
 						result = 1;
 					}
 					break;
 				case ZEND_ISEMPTY:
-					if (offset->value.lval < Z_STRLEN_PP(container) && Z_STRVAL_PP(container)[offset->value.lval] != '0') {
+					if (offset->value.lval >= 0 && offset->value.lval < Z_STRLEN_PP(container) && Z_STRVAL_PP(container)[offset->value.lval] != '0') {
 						result = 1;
 					}
 					break;
-- 
2.40.0