From 7a01c44ab268820c2365798fde0fe010cf6c5e20 Mon Sep 17 00:00:00 2001
From: Dmitry Stogov
Date: Tue, 23 Jun 2015 16:26:40 +0300
Subject: [PATCH] Fixed bug #69905 (null ptr deref and segfault in ZEND_FETCH_DIM_RW_SPEC_VAR_UNUSED_HANDLER)
---
 Zend/tests/bug69905.phpt | 11 +++++++++++
 Zend/zend_execute.c | 4 ++--
 2 files changed, 13 insertions(+), 2 deletions(-)
 create mode 100644 Zend/tests/bug69905.phpt
diff --git a/Zend/tests/bug69905.phpt b/Zend/tests/bug69905.phpt
new file mode 100644
index 0000000000..fb25341bde
--- /dev/null
+++ b/Zend/tests/bug69905.phpt
@@ -0,0 +1,11 @@
+--TEST--
+Bug #69905 (null ptr deref and segfault in ZEND_FETCH_DIM_RW_SPEC_VAR_UNUSED_HANDLER)
+--FILE--
+
+--EXPECTF--
+Fatal error: Uncaught Error: [] operator not supported for strings in %sbug69905.php:2
+Stack trace:
+#0 {main}
+ thrown in %sbug69905.php on line 2
diff --git a/Zend/zend_execute.c b/Zend/zend_execute.c
index 246372fee2..8fc40245c9 100644
--- a/Zend/zend_execute.c
+++ b/Zend/zend_execute.c
@@ -1682,11 +1682,11 @@ convert_to_array:
 if (dim == NULL) {
 zend_error(E_EXCEPTION | E_ERROR, "[] operator not supported for strings");
+ ZVAL_NULL(result);
 } else {
 zend_check_string_offset(dim, type);
+ ZVAL_INDIRECT(result, NULL); /* wrong string offset */
 }
-
- ZVAL_INDIRECT(result, NULL); /* wrong string offset */
 } else if (EXPECTED(Z_TYPE_P(container) == IS_OBJECT)) {
 if (!Z_OBJ_HT_P(container)->read_dimension) {
 zend_error(E_EXCEPTION | E_ERROR, "Cannot use object as array");
-- 2.40.0
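Review bot: The `else` branch in Zend/zend_execute.c still leaves `result` as `ZVAL_INDIRECT(result, NULL)`, the same NULL-target state this patch removes from the `dim == NULL` branch. Any consumer that unwraps the INDIRECT without a NULL check after `zend_check_string_offset()` would presumably hit the same dereference; the consumers are outside this hunk, so this is inferred from the bug title rather than visible here. I would document the contract on both lines, for example `/* result must not be INDIRECT here: the fetch handler unwraps it after the error is raised */` above `ZVAL_NULL(result);` (if that is indeed the reason), and extend the existing `/* wrong string offset */` comment to say which callers tolerate a NULL target. The added bug69905.phpt covers only the `[]` path, so a second case with an invalid string offset in a read-write fetch would show whether the remaining branch is safe. The enclosing function begins and ends outside the hunk.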