From 3ce6ad9d1348f9603dfa59c4aa6f3135333f34b2 Mon Sep 17 00:00:00 2001 From: Bob Weinand Date: Thu, 18 Feb 2016 13:53:15 +0100 Subject: [PATCH] Fixed bug #71622 (Strings used in pass-as-reference cannot be used to invoke C::$callable()) --- NEWS | 6 +++++- Zend/tests/bug71622.phpt | 30 ++++++++++++++++++++++++++++++ Zend/zend_vm_def.h | 3 +++ Zend/zend_vm_execute.h | 24 ++++++++++++++++++++++++ 4 files changed, 62 insertions(+), 1 deletion(-) create mode 100644 Zend/tests/bug71622.phpt diff --git a/NEWS b/NEWS index a1854d03bb..24c7288ebd 100644 --- a/NEWS +++ b/NEWS @@ -2,10 +2,14 @@ PHP NEWS ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||| ?? ??? 2016 PHP 7.0.5 +- Core: + . Fixed bug #71622 (Strings used in pass-as-reference cannot be used to + invoke C::$callable()). (Bob) + - phpdbg: . Fixed crash when advancing (except step) inside an internal function. (Bob) -?? ??? 2016 PHP 7.0.4 +?? Mar 2016 PHP 7.0.4 - Core: . Fixed bug (Low probability segfault in zend_arena). (Laruence) diff --git a/Zend/tests/bug71622.phpt b/Zend/tests/bug71622.phpt new file mode 100644 index 0000000000..3ef0ba80e1 --- /dev/null +++ b/Zend/tests/bug71622.phpt @@ -0,0 +1,30 @@ +--TEST-- +Bug #71622 (Strings used in pass-as-reference cannot be used to invoke C::$callable()) +--FILE-- + +--EXPECT-- +bool(true) +success diff --git a/Zend/zend_vm_def.h b/Zend/zend_vm_def.h index ad6e17a158..ed7e180818 100644 --- a/Zend/zend_vm_def.h +++ b/Zend/zend_vm_def.h @@ -3052,6 +3052,9 @@ ZEND_VM_HANDLER(113, ZEND_INIT_STATIC_METHOD_CALL, CONST|VAR, CONST|TMPVAR|UNUSE function_name = GET_OP2_ZVAL_PTR_UNDEF(BP_VAR_R); if (OP2_TYPE != IS_CONST) { + if (OP2_TYPE & (IS_VAR|IS_CV)) { + ZVAL_DEREF(function_name); + } if (UNEXPECTED(Z_TYPE_P(function_name) != IS_STRING)) { if (OP2_TYPE == IS_CV && UNEXPECTED(Z_TYPE_P(function_name) == IS_UNDEF)) { GET_OP2_UNDEF_CV(function_name, BP_VAR_R); diff --git a/Zend/zend_vm_execute.h b/Zend/zend_vm_execute.h index 525e3c1f9d..78cf48fa6c 100644 --- a/Zend/zend_vm_execute.h +++ b/Zend/zend_vm_execute.h @@ -5646,6 +5646,9 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_INIT_STATIC_METHOD_CALL_SPEC_C function_name = EX_CONSTANT(opline->op2); if (IS_CONST != IS_CONST) { + if (IS_CONST & (IS_VAR|IS_CV)) { + ZVAL_DEREF(function_name); + } if (UNEXPECTED(Z_TYPE_P(function_name) != IS_STRING)) { if (IS_CONST == IS_CV && UNEXPECTED(Z_TYPE_P(function_name) == IS_UNDEF)) { GET_OP2_UNDEF_CV(function_name, BP_VAR_R); @@ -7627,6 +7630,9 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_INIT_STATIC_METHOD_CALL_SPEC_C function_name = NULL; if (IS_UNUSED != IS_CONST) { + if (IS_UNUSED & (IS_VAR|IS_CV)) { + ZVAL_DEREF(function_name); + } if (UNEXPECTED(Z_TYPE_P(function_name) != IS_STRING)) { if (IS_UNUSED == IS_CV && UNEXPECTED(Z_TYPE_P(function_name) == IS_UNDEF)) { GET_OP2_UNDEF_CV(function_name, BP_VAR_R); @@ -9370,6 +9376,9 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_INIT_STATIC_METHOD_CALL_SPEC_C function_name = _get_zval_ptr_cv_undef(execute_data, opline->op2.var); if (IS_CV != IS_CONST) { + if (IS_CV & (IS_VAR|IS_CV)) { + ZVAL_DEREF(function_name); + } if (UNEXPECTED(Z_TYPE_P(function_name) != IS_STRING)) { if (IS_CV == IS_CV && UNEXPECTED(Z_TYPE_P(function_name) == IS_UNDEF)) { GET_OP2_UNDEF_CV(function_name, BP_VAR_R); @@ -11178,6 +11187,9 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_INIT_STATIC_METHOD_CALL_SPEC_C function_name = _get_zval_ptr_var(opline->op2.var, execute_data, &free_op2); if ((IS_TMP_VAR|IS_VAR) != IS_CONST) { + if ((IS_TMP_VAR|IS_VAR) & (IS_VAR|IS_CV)) { + ZVAL_DEREF(function_name); + } if (UNEXPECTED(Z_TYPE_P(function_name) != IS_STRING)) { if ((IS_TMP_VAR|IS_VAR) == IS_CV && UNEXPECTED(Z_TYPE_P(function_name) == IS_UNDEF)) { GET_OP2_UNDEF_CV(function_name, BP_VAR_R); @@ -17515,6 +17527,9 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_INIT_STATIC_METHOD_CALL_SPEC_V function_name = EX_CONSTANT(opline->op2); if (IS_CONST != IS_CONST) { + if (IS_CONST & (IS_VAR|IS_CV)) { + ZVAL_DEREF(function_name); + } if (UNEXPECTED(Z_TYPE_P(function_name) != IS_STRING)) { if (IS_CONST == IS_CV && UNEXPECTED(Z_TYPE_P(function_name) == IS_UNDEF)) { GET_OP2_UNDEF_CV(function_name, BP_VAR_R); @@ -19143,6 +19158,9 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_INIT_STATIC_METHOD_CALL_SPEC_V function_name = NULL; if (IS_UNUSED != IS_CONST) { + if (IS_UNUSED & (IS_VAR|IS_CV)) { + ZVAL_DEREF(function_name); + } if (UNEXPECTED(Z_TYPE_P(function_name) != IS_STRING)) { if (IS_UNUSED == IS_CV && UNEXPECTED(Z_TYPE_P(function_name) == IS_UNDEF)) { GET_OP2_UNDEF_CV(function_name, BP_VAR_R); @@ -20764,6 +20782,9 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_INIT_STATIC_METHOD_CALL_SPEC_V function_name = _get_zval_ptr_cv_undef(execute_data, opline->op2.var); if (IS_CV != IS_CONST) { + if (IS_CV & (IS_VAR|IS_CV)) { + ZVAL_DEREF(function_name); + } if (UNEXPECTED(Z_TYPE_P(function_name) != IS_STRING)) { if (IS_CV == IS_CV && UNEXPECTED(Z_TYPE_P(function_name) == IS_UNDEF)) { GET_OP2_UNDEF_CV(function_name, BP_VAR_R); @@ -22334,6 +22355,9 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_INIT_STATIC_METHOD_CALL_SPEC_V function_name = _get_zval_ptr_var(opline->op2.var, execute_data, &free_op2); if ((IS_TMP_VAR|IS_VAR) != IS_CONST) { + if ((IS_TMP_VAR|IS_VAR) & (IS_VAR|IS_CV)) { + ZVAL_DEREF(function_name); + } if (UNEXPECTED(Z_TYPE_P(function_name) != IS_STRING)) { if ((IS_TMP_VAR|IS_VAR) == IS_CV && UNEXPECTED(Z_TYPE_P(function_name) == IS_UNDEF)) { GET_OP2_UNDEF_CV(function_name, BP_VAR_R); -- 2.40.0