From 43ebb86806501e2d84e075abc6da5b6a1a38db74 Mon Sep 17 00:00:00 2001
From: Zeev Suraski
Date: Mon, 16 Jul 2001 15:48:31 +0000
Subject: [PATCH] Fix bug #10287 - avoid crashing under a bogus usage of list()
---
 Zend/zend_API.h | 6 ++++--
 Zend/zend_compile.c | 15 +++++++++++++++
 Zend/zend_globals.h | 1 +
 Zend/zend_variables.c | 4 ++--
 4 files changed, 22 insertions(+), 4 deletions(-)
diff --git a/Zend/zend_API.h b/Zend/zend_API.h
index 6a44d0817b..244669f9c8 100644
--- a/Zend/zend_API.h
+++ b/Zend/zend_API.h
@@ -243,9 +243,12 @@ ZEND_API int zend_set_hash_symbol(zval *symbol, char *name, int name_length,
 #if ZEND_DEBUG
 #define CHECK_ZVAL_STRING(z) \
-if ((z)->value.str.val[ (z)->value.str.len ] != '\0') zend_error(E_WARNING, "String is not zero-terminated (%s)",(z)->value.str.val);
+ if ((z)->value.str.val[ (z)->value.str.len ] != '\0') zend_error(E_WARNING, "String is not zero-terminated (%s)", (z)->value.str.val);
+#define CHECK_ZVAL_STRING_REL(z) \
+ if ((z)->value.str.val[ (z)->value.str.len ] != '\0') zend_error(E_WARNING, "String is not zero-terminated (%s) (source: %s:%d)", (z)->value.str.val ZEND_FILE_LINE_RELAY_CC);
 #else
 #define CHECK_ZVAL_STRING(z)
+#define CHECK_ZVAL_STRING_REL(z)
 #endif
 #define ZVAL_RESOURCE(z,l) { \
@@ -284,7 +287,6 @@ if ((z)->value.str.val[ (z)->value.str.len ] != '\0') zend_error(E_WARNING, "Str
 (z)->value.str.len = __l; \
 (z)->value.str.val = (duplicate?estrndup(__s,__l):__s); \
 (z)->type = IS_STRING; \
- CHECK_ZVAL_STRING(z); \
 }
 #define ZVAL_EMPTY_STRING(z) { \
diff --git a/Zend/zend_compile.c b/Zend/zend_compile.c
index 6514355b66..149e02bf4d 100644
--- a/Zend/zend_compile.c
+++ b/Zend/zend_compile.c 
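Review bot: The diagnostic in the new `CHECK_ZVAL_STRING_REL` (and in the re-indented `CHECK_ZVAL_STRING` just above it) prints the offending buffer with `%s`, so the moment the check finds no terminator at `val[len]` the warning itself reads past the end of that buffer until it happens upon a NUL — the debug aid over-reads exactly the allocation it has just flagged as unterminated. Bounding the format to the length the zval already carries keeps the report inside the allocation, e.g. `zend_error(E_WARNING, "String is not zero-terminated (%.*s) (source: %s:%d)", (int)(z)->value.str.len, (z)->value.str.val ZEND_FILE_LINE_RELAY_CC);`, provided the Zend formatter honours a `*` precision (not visible here, please confirm). Both macros also expand to a bare `if` rather than a `do { } while (0)` body, so an `else` following a `CHECK_ZVAL_STRING_REL(z);` at a call site would bind to the hidden `if` in debug builds and become a syntax error in release builds where the macro is empty. The `_REL` variant can only be used inside functions declared with `ZEND_FILE_LINE_DC` (the `_zval_dtor` and `_zval_copy_ctor` call sites in zend_variables.c), which deserves a comment on the `#define`, e.g. `/* only valid in functions taking ZEND_FILE_LINE_DC; reports the caller's file:line */`. Dropping `CHECK_ZVAL_STRING(z)` from `ZVAL_STRINGL` in the second hunk means a non-terminated buffer passed in with `duplicate` false is now caught only when the zval is later freed or copied, so the reported location is that later site rather than the constructor — worth a line in the commit message or at the macro.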
@@ -77,6 +77,7 @@ void zend_init_compiler_data_structures(CLS_D)
 CG(active_ce_parent_class_name).value.str.val = NULL;
 zend_llist_init(&CG(list_llist), sizeof(list_llist_element), NULL, 0);
 zend_llist_init(&CG(dimension_llist), sizeof(int), NULL, 0);
+ zend_stack_init(&CG(list_stack));
 CG(handle_op_arrays) = 1;
 CG(in_compilation) = 0;
 init_compiler_declarables(CLS_C);
@@ -101,6 +102,7 @@ void shutdown_compiler(CLS_D)
 zend_stack_destroy(&CG(foreach_copy_stack));
 zend_stack_destroy(&CG(object_stack));
 zend_stack_destroy(&CG(declare_stack));
+ zend_stack_destroy(&CG(list_stack));
 zend_hash_destroy(&CG(filenames_table));
 zend_llist_destroy(&CG(open_files));
 }
@@ -1853,6 +1855,8 @@ void zend_do_new_list_end(CLS_D)
 void zend_do_list_init(CLS_D)
 {
+ zend_stack_push(&CG(list_stack), &CG(list_llist), sizeof(zend_llist));
+ zend_stack_push(&CG(list_stack), &CG(dimension_llist), sizeof(zend_llist));
 zend_llist_init(&CG(list_llist), sizeof(list_llist_element), NULL, 0);
 zend_llist_init(&CG(dimension_llist), sizeof(int), NULL, 0);
 zend_do_new_list_begin(CLS_C);
@@ -1911,6 +1915,17 @@ void zend_do_list_end(znode *result, znode *expr CLS_DC)
 zend_llist_destroy(&CG(dimension_llist));
 zend_llist_destroy(&CG(list_llist));
 *result = *expr;
+ {
+ zend_llist *p;
+
+ /* restore previous lists */
+ zend_stack_top(&CG(list_stack), (void **) &p);
+ CG(dimension_llist) = *p;
+ zend_stack_del_top(&CG(list_stack));
+ zend_stack_top(&CG(list_stack), (void **) &p);
+ CG(list_llist) = *p;
+ zend_stack_del_top(&CG(list_stack));
+ }
 }
diff --git a/Zend/zend_globals.h b/Zend/zend_globals.h
index fd6573ef23..ce0f67e991 100644
--- a/Zend/zend_globals.h
+++ b/Zend/zend_globals.h
@@ -78,6 +78,7 @@ struct _zend_compiler_globals {
 /* variables for list() compilation */
 zend_llist list_llist;
 zend_llist dimension_llist;
+ zend_stack list_stack;
 zend_stack function_call_stack;
diff --git a/Zend/zend_variables.c b/Zend/zend_variables.c
index 260fb14321..cbcacc8f6c 100644
--- a/Zend/zend_variables.c 
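Review bot: In the restore block added at the end of `zend_do_list_end`, `p` is declared without an initializer and the return value of both `zend_stack_top` calls is ignored, so an unbalanced nesting (an end reached without the matching `zend_do_list_init` push, for instance after a compile error unwound part of the way) would dereference a NULL or indeterminate pointer at `CG(dimension_llist) = *p` — the same family of crash this commit sets out to remove. I would declare `zend_llist *p = NULL;` and guard each pop, `if (zend_stack_top(&CG(list_stack), (void **) &p) == FAILURE) { zend_error(E_COMPILE_ERROR, "list() nesting out of step"); }`, on the understanding that `zend_stack_top` reports an empty stack through its return value (please confirm against zend_stack.c, which is not in this patch). The save/restore pairing itself deserves a comment at the two pushes in `zend_do_list_init`, e.g. `/* save the enclosing list()'s lists; zend_do_list_end pops them in reverse order */`, and at the restore `/* copy out before zend_stack_del_top frees the element */`, since correctness rests on that ordering. `zend_do_list_end`'s body begins before this hunk, so any return path earlier in the function would skip the restore and leave `list_stack` out of step for the enclosing `list()`.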
+++ b/Zend/zend_variables.c
@@ -40,7 +40,7 @@ ZEND_API void _zval_dtor(zval *zvalue ZEND_FILE_LINE_DC)
 switch(zvalue->type) {
 case IS_STRING:
 case IS_CONSTANT:
- CHECK_ZVAL_STRING(zvalue);
+ CHECK_ZVAL_STRING_REL(zvalue);
 STR_FREE_REL(zvalue->value.str.val);
 break;
 case IS_ARRAY:
@@ -96,7 +96,7 @@ ZEND_API int _zval_copy_ctor(zval *zvalue ZEND_FILE_LINE_DC)
 return SUCCESS;
 }
 }
- CHECK_ZVAL_STRING(zvalue);
+ CHECK_ZVAL_STRING_REL(zvalue);
 zvalue->value.str.val = (char *) estrndup_rel(zvalue->value.str.val, zvalue->value.str.len);
 break;
 case IS_ARRAY:
-- 
2.50.1