From 6a9d934b2ccde3e10d9a6cdf5927b539a937f1b0 Mon Sep 17 00:00:00 2001 From: Nikita Popov Date: Tue, 7 Jul 2020 10:27:22 +0200 Subject: [PATCH] Fixed bug #79779 ASSIGN_OBJ_REF was not handling in zend_wrong_string_offset. --- NEWS | 2 ++ Zend/tests/bug79779.phpt | 12 ++++++++++++ Zend/zend_execute.c | 27 ++++++++++++--------------- 3 files changed, 26 insertions(+), 15 deletions(-) create mode 100644 Zend/tests/bug79779.phpt diff --git a/NEWS b/NEWS index 5ea88655fa..c92d285a5a 100644 --- a/NEWS +++ b/NEWS @@ -15,6 +15,8 @@ PHP NEWS . Fixed bug #79783 (Segfault in php_str_replace_common). (Nikita) . Fixed bug #79778 (Assertion failure if dumping closure with unresolved static variable). (Nikita) + . Fixed bug #79779 (Assertion failure when assigning property of string + offset by reference). (Nikita) - Fileinfo: . Fixed bug #79756 (finfo_file crash (FILEINFO_MIME)). (cmb) diff --git a/Zend/tests/bug79779.phpt b/Zend/tests/bug79779.phpt new file mode 100644 index 0000000000..fe11ed76cc --- /dev/null +++ b/Zend/tests/bug79779.phpt @@ -0,0 +1,12 @@ +--TEST-- +Bug #79779: Assertion failure when assigning property of string offset by reference +--FILE-- +a = &$b; +?> +--EXPECTF-- +Fatal error: Uncaught Error: Cannot use string offset as an object in %s:%d +Stack trace: +#0 {main} + thrown in %s on line %d diff --git a/Zend/zend_execute.c b/Zend/zend_execute.c index cf28635df9..89e6178019 100644 --- a/Zend/zend_execute.c +++ b/Zend/zend_execute.c 
@@ -1446,9 +1446,21 @@ static zend_never_inline ZEND_COLD void zend_wrong_string_offset(EXECUTE_DATA_D)
 while (opline < end) {
 if (opline->op1_type == IS_VAR && opline->op1.var == var) {
 switch (opline->opcode) {
+ case ZEND_FETCH_OBJ_W:
+ case ZEND_FETCH_OBJ_RW:
+ case ZEND_FETCH_OBJ_FUNC_ARG:
+ case ZEND_FETCH_OBJ_UNSET:
+ case ZEND_ASSIGN_OBJ:
 case ZEND_ASSIGN_OBJ_OP:
+ case ZEND_ASSIGN_OBJ_REF:
 msg = "Cannot use string offset as an object";
 break;
+ case ZEND_FETCH_DIM_W:
+ case ZEND_FETCH_DIM_RW:
+ case ZEND_FETCH_DIM_FUNC_ARG:
+ case ZEND_FETCH_DIM_UNSET:
+ case ZEND_FETCH_LIST_W:
+ case ZEND_ASSIGN_DIM:
 case ZEND_ASSIGN_DIM_OP:
 msg = "Cannot use string offset as an array";
 break;
@@ -1466,21 +1478,6 @@ static zend_never_inline ZEND_COLD void zend_wrong_string_offset(EXECUTE_DATA_D)
 case ZEND_POST_DEC:
 msg = "Cannot increment/decrement string offsets";
 break;
- case ZEND_FETCH_DIM_W:
- case ZEND_FETCH_DIM_RW:
- case ZEND_FETCH_DIM_FUNC_ARG:
- case ZEND_FETCH_DIM_UNSET:
- case ZEND_FETCH_LIST_W:
- case ZEND_ASSIGN_DIM:
- msg = "Cannot use string offset as an array";
- break;
- case ZEND_FETCH_OBJ_W:
- case ZEND_FETCH_OBJ_RW:
- case ZEND_FETCH_OBJ_FUNC_ARG:
- case ZEND_FETCH_OBJ_UNSET:
- case ZEND_ASSIGN_OBJ:
- msg = "Cannot use string offset as an object";
- break;
 case ZEND_ASSIGN_REF:
 case ZEND_ADD_ARRAY_ELEMENT:
 case ZEND_INIT_ARRAY:
-- 
2.50.1
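Review bot: The regrouped `switch (opline->opcode)` is still a hand-maintained list with no comment saying it must name every opcode that can consume the string-offset VAR, and a single missing entry (`ZEND_ASSIGN_OBJ_REF`) is exactly what caused bug #79779. I would add above the switch something like `/* Must list every opcode that can take a write-fetched string offset as op1; an unlisted opcode falls through to the default arm (see bug #79779). */`. The default arm and the use of `msg` lie outside this hunk, so this is inferred: if an unlisted opcode only trips an assertion, release builds would continue with whatever `msg` holds. Setting a generic fallback message there would turn the next omission into a clean `Error` rather than undefined behaviour. The bodies of the loop and of `zend_wrong_string_offset` begin and end outside the hunk.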