From 32294a25c84106e3f34c64137acfecbe3e16aef2 Mon Sep 17 00:00:00 2001
From: Nikita Popov <nikic@php.net>
Date: Tue, 29 Mar 2016 19:07:14 +0200
Subject: [PATCH] Fixed bug #62814

---
 NEWS                     |  4 +++-
 Zend/tests/bug62814.phpt | 20 ++++++++++++++++++++
 Zend/zend_inheritance.c  | 18 +++++++++---------
 3 files changed, 32 insertions(+), 10 deletions(-)
 create mode 100644 Zend/tests/bug62814.phpt

diff --git a/NEWS b/NEWS
index 604cf485dd..f677f0a0d3 100644
--- a/NEWS
+++ b/NEWS
@@ -4,8 +4,10 @@ PHP                                                                        NEWS
 
 - Core:
   . Fixed bug #62210 (Exceptions can leak temporary variables). (Dmitry, Bob)
+  . Fixed bug #62814 (It is possible to stiffen child class members visibility).
+    (Nikita)
   . Fixed bug #69989 (Generators don't participate in cycle GC). (Nikita)
-  . Fixed buf #71572 (String offset assignment from an empty string inserts
+  . Fixed bug #71572 (String offset assignment from an empty string inserts
     null byte). (Francois)
   . Implemented the RFC `Support Class Constant Visibility`. (Sean DuBois,
     Reeze Xia, Dmitry)
diff --git a/Zend/tests/bug62814.phpt b/Zend/tests/bug62814.phpt
new file mode 100644
index 0000000000..6646aa283f
--- /dev/null
+++ b/Zend/tests/bug62814.phpt
@@ -0,0 +1,20 @@
+--TEST--
+Bug #62814: It is possible to stiffen child class members visibility
+--FILE--
+<?php
+
+class A {
+    private function test() { }
+}
+
+class B extends A {
+    protected function test() { }
+}
+
+class C extends B {
+    private function test() { }
+}
+
+?>
+--EXPECTF--
+Fatal error: Access level to C::test() must be protected (as in class B) or weaker in %s on line %d
diff --git a/Zend/zend_inheritance.c b/Zend/zend_inheritance.c
index 1f74000a47..1243552d59 100644
--- a/Zend/zend_inheritance.c
+++ b/Zend/zend_inheritance.c
@@ -546,17 +546,17 @@ static void do_inheritance_check_on_method(zend_function *child, zend_function *
 		zend_error_noreturn(E_COMPILE_ERROR, "Cannot make non abstract method %s::%s() abstract in class %s", ZEND_FN_SCOPE_NAME(parent), ZSTR_VAL(child->common.function_name), ZEND_FN_SCOPE_NAME(child));
 	}
 
+	/* Prevent derived classes from restricting access that was available in parent classes */
+	if (UNEXPECTED((child_flags & ZEND_ACC_PPP_MASK) > (parent_flags & ZEND_ACC_PPP_MASK))) {
+		zend_error_noreturn(E_COMPILE_ERROR, "Access level to %s::%s() must be %s (as in class %s)%s", ZEND_FN_SCOPE_NAME(child), ZSTR_VAL(child->common.function_name), zend_visibility_string(parent_flags), ZEND_FN_SCOPE_NAME(parent), (parent_flags&ZEND_ACC_PUBLIC) ? "" : " or weaker");
+	}
+
+	if (((child_flags & ZEND_ACC_PPP_MASK) < (parent_flags & ZEND_ACC_PPP_MASK))
+		&& ((parent_flags & ZEND_ACC_PPP_MASK) & ZEND_ACC_PRIVATE)) {
+		child->common.fn_flags |= ZEND_ACC_CHANGED;
+	}
 	if (parent_flags & ZEND_ACC_CHANGED) {
 		child->common.fn_flags |= ZEND_ACC_CHANGED;
-	} else {
-		/* Prevent derived classes from restricting access that was available in parent classes
-		 */
-		if (UNEXPECTED((child_flags & ZEND_ACC_PPP_MASK) > (parent_flags & ZEND_ACC_PPP_MASK))) {
-			zend_error_noreturn(E_COMPILE_ERROR, "Access level to %s::%s() must be %s (as in class %s)%s", ZEND_FN_SCOPE_NAME(child), ZSTR_VAL(child->common.function_name), zend_visibility_string(parent_flags), ZEND_FN_SCOPE_NAME(parent), (parent_flags&ZEND_ACC_PUBLIC) ? "" : " or weaker");
-		} else if (((child_flags & ZEND_ACC_PPP_MASK) < (parent_flags & ZEND_ACC_PPP_MASK))
-			&& ((parent_flags & ZEND_ACC_PPP_MASK) & ZEND_ACC_PRIVATE)) {
-			child->common.fn_flags |= ZEND_ACC_CHANGED;
-		}
 	}
 
 	if (parent_flags & ZEND_ACC_PRIVATE) {
-- 
2.50.1