From 8e923197b48a200eb7cdb0f07d5e7d1a6533b12d Mon Sep 17 00:00:00 2001
From: Dmitry Stogov <dmitry@zend.com>
Date: Mon, 29 Jun 2015 11:17:56 +0300
Subject: [PATCH] Fixed bug #69955 (Segfault when trying to combine [] and
 assign-op on ArrayAccess object). (Laruence)

---
 NEWS                     |  2 ++
 Zend/tests/bug69955.phpt | 37 +++++++++++++++++++++++++++++++++++++
 Zend/zend_vm_def.h       |  2 --
 Zend/zend_vm_execute.h   | 24 ------------------------
 4 files changed, 39 insertions(+), 26 deletions(-)
 create mode 100644 Zend/tests/bug69955.phpt

diff --git a/NEWS b/NEWS
index b073ec3f9d..b3b1e27774 100644
--- a/NEWS
+++ b/NEWS
@@ -4,6 +4,8 @@ PHP                                                                        NEWS
 
 - Core:
   . Fixed bug #69768 (escapeshell*() doesn't cater to !). (cmb)
+  . Fixed bug #69955 (Segfault when trying to combine [] and assign-op on
+    ArrayAccess object). (Laruence)
   . Fixed bug #69957 (Three different ways of handling same error condition).
     (Bob)
 
diff --git a/Zend/tests/bug69955.phpt b/Zend/tests/bug69955.phpt
new file mode 100644
index 0000000000..b6d74242ee
--- /dev/null
+++ b/Zend/tests/bug69955.phpt
@@ -0,0 +1,37 @@
+--TEST--
+Bug #69955 (Segfault when trying to combine [] and assign-op on ArrayAccess object).
+--FILE--
+<?php
+class C10 implements ArrayAccess
+{
+        function offsetExists($offset)
+        {
+                echo "\nInside " . __METHOD__ . "\n"; var_dump($offset);
+        }
+        function offsetGet($offset)
+        {
+                echo "\nInside " . __METHOD__ . "\n"; var_dump($offset); return 100;
+        }
+        function offsetSet($offset, $value)
+        {
+                echo "\nInside " . __METHOD__ . "\n"; var_dump($offset); var_dump($value);
+        }
+        function offsetUnset($offset)
+        {
+                echo "\nInside " . __METHOD__ . "\n"; var_dump($offset);
+        }
+}
+
+$c10 = new C10;
+
+var_dump($c10[] += 5);
+--EXPECTF--
+Inside C10::offsetGet
+
+Notice: Undefined variable: offset in %sbug69955.php on line 10
+NULL
+
+Inside C10::offsetSet
+NULL
+int(105)
+int(105)
diff --git a/Zend/zend_vm_def.h b/Zend/zend_vm_def.h
index 1d18d4be06..ab8a2f5510 100644
--- a/Zend/zend_vm_def.h
+++ b/Zend/zend_vm_def.h
@@ -804,13 +804,11 @@ ZEND_VM_HELPER_EX(zend_binary_assign_op_dim_helper, VAR|UNUSED|CV, CONST|TMPVAR|
 			if (OP1_TYPE != IS_UNUSED) {
 				ZVAL_DEREF(container);
 			}
-#if !defined(ZEND_VM_SPEC) || (OP2_TYPE != IS_UNUSED)
 			if (OP1_TYPE == IS_UNUSED || EXPECTED(Z_TYPE_P(container) == IS_OBJECT)) {
 				value = get_zval_ptr((opline+1)->op1_type, (opline+1)->op1, execute_data, &free_op_data1, BP_VAR_R);
 				zend_binary_assign_op_obj_dim(container, dim, value, UNEXPECTED(RETURN_VALUE_USED(opline)) ? EX_VAR(opline->result.var) : NULL, binary_op);
 				break;
 			}
-#endif
 		}
 
 		zend_fetch_dimension_address_RW(&rv, container, dim, OP2_TYPE);
diff --git a/Zend/zend_vm_execute.h b/Zend/zend_vm_execute.h
index ffe55d9a62..93026bd185 100644
--- a/Zend/zend_vm_execute.h
+++ b/Zend/zend_vm_execute.h
@@ -16714,13 +16714,11 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL zend_binary_assign_op_dim_helper_SP
 			if (IS_VAR != IS_UNUSED) {
 				ZVAL_DEREF(container);
 			}
-#if 0 || (IS_CONST != IS_UNUSED)
 			if (IS_VAR == IS_UNUSED || EXPECTED(Z_TYPE_P(container) == IS_OBJECT)) {
 				value = get_zval_ptr((opline+1)->op1_type, (opline+1)->op1, execute_data, &free_op_data1, BP_VAR_R);
 				zend_binary_assign_op_obj_dim(container, dim, value, UNEXPECTED(RETURN_VALUE_USED(opline)) ? EX_VAR(opline->result.var) : NULL, binary_op);
 				break;
 			}
-#endif
 		}
 
 		zend_fetch_dimension_address_RW(&rv, container, dim, IS_CONST);
@@ -18847,13 +18845,11 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL zend_binary_assign_op_dim_helper_SP
 			if (IS_VAR != IS_UNUSED) {
 				ZVAL_DEREF(container);
 			}
-#if 0 || (IS_UNUSED != IS_UNUSED)
 			if (IS_VAR == IS_UNUSED || EXPECTED(Z_TYPE_P(container) == IS_OBJECT)) {
 				value = get_zval_ptr((opline+1)->op1_type, (opline+1)->op1, execute_data, &free_op_data1, BP_VAR_R);
 				zend_binary_assign_op_obj_dim(container, dim, value, UNEXPECTED(RETURN_VALUE_USED(opline)) ? EX_VAR(opline->result.var) : NULL, binary_op);
 				break;
 			}
-#endif
 		}
 
 		zend_fetch_dimension_address_RW(&rv, container, dim, IS_UNUSED);
@@ -19919,13 +19915,11 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL zend_binary_assign_op_dim_helper_SP
 			if (IS_VAR != IS_UNUSED) {
 				ZVAL_DEREF(container);
 			}
-#if 0 || (IS_CV != IS_UNUSED)
 			if (IS_VAR == IS_UNUSED || EXPECTED(Z_TYPE_P(container) == IS_OBJECT)) {
 				value = get_zval_ptr((opline+1)->op1_type, (opline+1)->op1, execute_data, &free_op_data1, BP_VAR_R);
 				zend_binary_assign_op_obj_dim(container, dim, value, UNEXPECTED(RETURN_VALUE_USED(opline)) ? EX_VAR(opline->result.var) : NULL, binary_op);
 				break;
 			}
-#endif
 		}
 
 		zend_fetch_dimension_address_RW(&rv, container, dim, IS_CV);
@@ -21583,13 +21577,11 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL zend_binary_assign_op_dim_helper_SP
 			if (IS_VAR != IS_UNUSED) {
 				ZVAL_DEREF(container);
 			}
-#if 0 || ((IS_TMP_VAR|IS_VAR) != IS_UNUSED)
 			if (IS_VAR == IS_UNUSED || EXPECTED(Z_TYPE_P(container) == IS_OBJECT)) {
 				value = get_zval_ptr((opline+1)->op1_type, (opline+1)->op1, execute_data, &free_op_data1, BP_VAR_R);
 				zend_binary_assign_op_obj_dim(container, dim, value, UNEXPECTED(RETURN_VALUE_USED(opline)) ? EX_VAR(opline->result.var) : NULL, binary_op);
 				break;
 			}
-#endif
 		}
 
 		zend_fetch_dimension_address_RW(&rv, container, dim, (IS_TMP_VAR|IS_VAR));
@@ -23135,13 +23127,11 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL zend_binary_assign_op_dim_helper_SP
 			if (IS_UNUSED != IS_UNUSED) {
 				ZVAL_DEREF(container);
 			}
-#if 0 || (IS_CONST != IS_UNUSED)
 			if (IS_UNUSED == IS_UNUSED || EXPECTED(Z_TYPE_P(container) == IS_OBJECT)) {
 				value = get_zval_ptr((opline+1)->op1_type, (opline+1)->op1, execute_data, &free_op_data1, BP_VAR_R);
 				zend_binary_assign_op_obj_dim(container, dim, value, UNEXPECTED(RETURN_VALUE_USED(opline)) ? EX_VAR(opline->result.var) : NULL, binary_op);
 				break;
 			}
-#endif
 		}
 
 		zend_fetch_dimension_address_RW(&rv, container, dim, IS_CONST);
@@ -24947,13 +24937,11 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL zend_binary_assign_op_dim_helper_SP
 			if (IS_UNUSED != IS_UNUSED) {
 				ZVAL_DEREF(container);
 			}
-#if 0 || (IS_UNUSED != IS_UNUSED)
 			if (IS_UNUSED == IS_UNUSED || EXPECTED(Z_TYPE_P(container) == IS_OBJECT)) {
 				value = get_zval_ptr((opline+1)->op1_type, (opline+1)->op1, execute_data, &free_op_data1, BP_VAR_R);
 				zend_binary_assign_op_obj_dim(container, dim, value, UNEXPECTED(RETURN_VALUE_USED(opline)) ? EX_VAR(opline->result.var) : NULL, binary_op);
 				break;
 			}
-#endif
 		}
 
 		zend_fetch_dimension_address_RW(&rv, container, dim, IS_UNUSED);
@@ -25529,13 +25517,11 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL zend_binary_assign_op_dim_helper_SP
 			if (IS_UNUSED != IS_UNUSED) {
 				ZVAL_DEREF(container);
 			}
-#if 0 || (IS_CV != IS_UNUSED)
 			if (IS_UNUSED == IS_UNUSED || EXPECTED(Z_TYPE_P(container) == IS_OBJECT)) {
 				value = get_zval_ptr((opline+1)->op1_type, (opline+1)->op1, execute_data, &free_op_data1, BP_VAR_R);
 				zend_binary_assign_op_obj_dim(container, dim, value, UNEXPECTED(RETURN_VALUE_USED(opline)) ? EX_VAR(opline->result.var) : NULL, binary_op);
 				break;
 			}
-#endif
 		}
 
 		zend_fetch_dimension_address_RW(&rv, container, dim, IS_CV);
@@ -27017,13 +27003,11 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL zend_binary_assign_op_dim_helper_SP
 			if (IS_UNUSED != IS_UNUSED) {
 				ZVAL_DEREF(container);
 			}
-#if 0 || ((IS_TMP_VAR|IS_VAR) != IS_UNUSED)
 			if (IS_UNUSED == IS_UNUSED || EXPECTED(Z_TYPE_P(container) == IS_OBJECT)) {
 				value = get_zval_ptr((opline+1)->op1_type, (opline+1)->op1, execute_data, &free_op_data1, BP_VAR_R);
 				zend_binary_assign_op_obj_dim(container, dim, value, UNEXPECTED(RETURN_VALUE_USED(opline)) ? EX_VAR(opline->result.var) : NULL, binary_op);
 				break;
 			}
-#endif
 		}
 
 		zend_fetch_dimension_address_RW(&rv, container, dim, (IS_TMP_VAR|IS_VAR));
@@ -30779,13 +30763,11 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL zend_binary_assign_op_dim_helper_SP
 			if (IS_CV != IS_UNUSED) {
 				ZVAL_DEREF(container);
 			}
-#if 0 || (IS_CONST != IS_UNUSED)
 			if (IS_CV == IS_UNUSED || EXPECTED(Z_TYPE_P(container) == IS_OBJECT)) {
 				value = get_zval_ptr((opline+1)->op1_type, (opline+1)->op1, execute_data, &free_op_data1, BP_VAR_R);
 				zend_binary_assign_op_obj_dim(container, dim, value, UNEXPECTED(RETURN_VALUE_USED(opline)) ? EX_VAR(opline->result.var) : NULL, binary_op);
 				break;
 			}
-#endif
 		}
 
 		zend_fetch_dimension_address_RW(&rv, container, dim, IS_CONST);
@@ -34193,13 +34175,11 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL zend_binary_assign_op_dim_helper_SP
 			if (IS_CV != IS_UNUSED) {
 				ZVAL_DEREF(container);
 			}
-#if 0 || (IS_UNUSED != IS_UNUSED)
 			if (IS_CV == IS_UNUSED || EXPECTED(Z_TYPE_P(container) == IS_OBJECT)) {
 				value = get_zval_ptr((opline+1)->op1_type, (opline+1)->op1, execute_data, &free_op_data1, BP_VAR_R);
 				zend_binary_assign_op_obj_dim(container, dim, value, UNEXPECTED(RETURN_VALUE_USED(opline)) ? EX_VAR(opline->result.var) : NULL, binary_op);
 				break;
 			}
-#endif
 		}
 
 		zend_fetch_dimension_address_RW(&rv, container, dim, IS_UNUSED);
@@ -36091,13 +36071,11 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL zend_binary_assign_op_dim_helper_SP
 			if (IS_CV != IS_UNUSED) {
 				ZVAL_DEREF(container);
 			}
-#if 0 || (IS_CV != IS_UNUSED)
 			if (IS_CV == IS_UNUSED || EXPECTED(Z_TYPE_P(container) == IS_OBJECT)) {
 				value = get_zval_ptr((opline+1)->op1_type, (opline+1)->op1, execute_data, &free_op_data1, BP_VAR_R);
 				zend_binary_assign_op_obj_dim(container, dim, value, UNEXPECTED(RETURN_VALUE_USED(opline)) ? EX_VAR(opline->result.var) : NULL, binary_op);
 				break;
 			}
-#endif
 		}
 
 		zend_fetch_dimension_address_RW(&rv, container, dim, IS_CV);
@@ -38782,13 +38760,11 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL zend_binary_assign_op_dim_helper_SP
 			if (IS_CV != IS_UNUSED) {
 				ZVAL_DEREF(container);
 			}
-#if 0 || ((IS_TMP_VAR|IS_VAR) != IS_UNUSED)
 			if (IS_CV == IS_UNUSED || EXPECTED(Z_TYPE_P(container) == IS_OBJECT)) {
 				value = get_zval_ptr((opline+1)->op1_type, (opline+1)->op1, execute_data, &free_op_data1, BP_VAR_R);
 				zend_binary_assign_op_obj_dim(container, dim, value, UNEXPECTED(RETURN_VALUE_USED(opline)) ? EX_VAR(opline->result.var) : NULL, binary_op);
 				break;
 			}
-#endif
 		}
 
 		zend_fetch_dimension_address_RW(&rv, container, dim, (IS_TMP_VAR|IS_VAR));
-- 
2.40.0