From 89ce8d28dee671eead485077bc97c2b800790d68 Mon Sep 17 00:00:00 2001
From: Nikita Popov <nikic@php.net>
Date: Mon, 6 Jul 2015 20:12:07 +0200
Subject: [PATCH] Fix crash when exception is thrown during ROPE_END

The CHECK_EXCEPTION() was done at a point where the old opline is
still used, thus redirecting the write to the result var into
EX(call) instead.

Handling the exception in-place to avoid leaking result.
---
 Zend/tests/exception_in_rope_end.phpt | 17 +++++++++++++++++
 Zend/zend_vm_def.h                    |  7 ++++++-
 Zend/zend_vm_execute.h                | 21 ++++++++++++++++++---
 3 files changed, 41 insertions(+), 4 deletions(-)
 create mode 100644 Zend/tests/exception_in_rope_end.phpt

diff --git a/Zend/tests/exception_in_rope_end.phpt b/Zend/tests/exception_in_rope_end.phpt
new file mode 100644
index 0000000000..3e6402c60f
--- /dev/null
+++ b/Zend/tests/exception_in_rope_end.phpt
@@ -0,0 +1,17 @@
+--TEST--
+Exception during rope finalization
+--FILE--
+<?php
+
+set_error_handler(function() { throw new Exception; });
+
+try {
+    $b = "foo";
+    $str = "y$b$a";
+} catch (Exception $e) {
+    echo "Exception\n";
+}
+
+?>
+--EXPECT--
+Exception
diff --git a/Zend/zend_vm_def.h b/Zend/zend_vm_def.h
index fb86a8d42a..7bfec961cb 100644
--- a/Zend/zend_vm_def.h
+++ b/Zend/zend_vm_def.h
@@ -2859,7 +2859,12 @@ ZEND_VM_HANDLER(56, ZEND_ROPE_END, TMP, CONST|TMPVAR|CV)
 			}
 			rope[opline->extended_value] = _zval_get_string_func(var);
 			FREE_OP2();
-			CHECK_EXCEPTION();
+			if (UNEXPECTED(EG(exception))) {
+				for (i = 0; i <= opline->extended_value; i++) {
+					zend_string_release(rope[i]);
+				}
+				HANDLE_EXCEPTION();
+			}
 		}
 	}
 	for (i = 0; i <= opline->extended_value; i++) {
diff --git a/Zend/zend_vm_execute.h b/Zend/zend_vm_execute.h
index a948964e91..eebfc0f1e7 100644
--- a/Zend/zend_vm_execute.h
+++ b/Zend/zend_vm_execute.h
@@ -12999,7 +12999,12 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_ROPE_END_SPEC_TMP_CONST_HANDLE
 			}
 			rope[opline->extended_value] = _zval_get_string_func(var);
 
-			CHECK_EXCEPTION();
+			if (UNEXPECTED(EG(exception))) {
+				for (i = 0; i <= opline->extended_value; i++) {
+					zend_string_release(rope[i]);
+				}
+				HANDLE_EXCEPTION();
+			}
 		}
 	}
 	for (i = 0; i <= opline->extended_value; i++) {
@@ -14283,7 +14288,12 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_ROPE_END_SPEC_TMP_CV_HANDLER(Z
 			}
 			rope[opline->extended_value] = _zval_get_string_func(var);
 
-			CHECK_EXCEPTION();
+			if (UNEXPECTED(EG(exception))) {
+				for (i = 0; i <= opline->extended_value; i++) {
+					zend_string_release(rope[i]);
+				}
+				HANDLE_EXCEPTION();
+			}
 		}
 	}
 	for (i = 0; i <= opline->extended_value; i++) {
@@ -14796,7 +14806,12 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_ROPE_END_SPEC_TMP_TMPVAR_HANDL
 			}
 			rope[opline->extended_value] = _zval_get_string_func(var);
 			zval_ptr_dtor_nogc(free_op2);
-			CHECK_EXCEPTION();
+			if (UNEXPECTED(EG(exception))) {
+				for (i = 0; i <= opline->extended_value; i++) {
+					zend_string_release(rope[i]);
+				}
+				HANDLE_EXCEPTION();
+			}
 		}
 	}
 	for (i = 0; i <= opline->extended_value; i++) {
-- 
2.40.0