From a7746d10a546537d566e5eac037e80227d4645f7 Mon Sep 17 00:00:00 2001 From: Xinchen Hui Date: Fri, 27 Jul 2018 13:00:14 +0800 Subject: [PATCH] Fixed bug #76667 (Segfault with divide-assign op and __get + __set) --- NEWS | 4 ++++ Zend/tests/bug76667.phpt | 38 ++++++++++++++++++++++++++++++++++++++ Zend/zend_execute.c | 12 ++++++------ 3 files changed, 48 insertions(+), 6 deletions(-) create mode 100644 Zend/tests/bug76667.phpt diff --git a/NEWS b/NEWS index 379d0fac28..21ac878b10 100644 --- a/NEWS +++ b/NEWS @@ -2,6 +2,10 @@ PHP NEWS ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||| ?? ??? ????, PHP 7.3.0beta1 +- Core: + . Fixed bug #76667 (Segfault with divide-assign op and __get + __set). + (Laruence) + - SQLite3: . Fixed #76665 (SQLite3Stmt::bindValue() with SQLITE3_FLOAT doesn't juggle). (cmb) diff --git a/Zend/tests/bug76667.phpt b/Zend/tests/bug76667.phpt new file mode 100644 index 0000000000..15dc34693d --- /dev/null +++ b/Zend/tests/bug76667.phpt @@ -0,0 +1,38 @@ +--TEST-- +Bug #76667 (Segfault with divide-assign op and __get + __set) +--FILE-- +$k; + } + + public function __set($k, $v) + { + return $this->$v /= 0; + } +}; + +$x = new T; +$x->x = 1; +?> +--EXPECTF-- +Notice: Undefined variable: undefined in %sbug76667.php on line %d + +Notice: Trying to get property '1' of non-object in %sbug76667.php on line %d + +Warning: Division by zero in %sbug76667.php on line %d + +Notice: Undefined variable: undefined in %sbug76667.php on line %d + +Notice: Trying to get property 'NAN' of non-object in %sbug76667.php on line %d + +Warning: Division by zero in %sbug76667.php on line %d + +Notice: Undefined variable: undefined in %sbug76667.php on line %d + +Notice: Trying to get property 'NAN' of non-object in %sbug76667.php on line %d + +Warning: Division by zero in %sbug76667.php on line %d diff --git a/Zend/zend_execute.c b/Zend/zend_execute.c index 6528dc0cb3..0abed6a85b 100644 --- a/Zend/zend_execute.c +++ b/Zend/zend_execute.c 
@@ -631,7 +631,7 @@ static zend_never_inline ZEND_COLD void ZEND_FASTCALL zend_wrong_property_assign
 zend_string *tmp_property_name;
 zend_string *property_name = zval_get_tmp_string(property, &tmp_property_name);
 zend_error(E_WARNING, "Attempt to assign property '%s' of non-object", ZSTR_VAL(property_name));
- zend_tmp_string_release(property_name);
+ zend_tmp_string_release(tmp_property_name);
 if (UNEXPECTED(RETURN_VALUE_USED(opline))) {
 ZVAL_NULL(EX_VAR(opline->result.var));
 }
@@ -659,7 +659,7 @@ static zend_never_inline ZEND_COLD int ZEND_FASTCALL make_real_object(zval *obje
 } else {
 zend_error(E_WARNING, "Attempt to assign property '%s' of non-object", ZSTR_VAL(property_name));
 }
- zend_tmp_string_release(property_name);
+ zend_tmp_string_release(tmp_property_name);
 }
 if (UNEXPECTED(RETURN_VALUE_USED(opline))) {
 ZVAL_NULL(EX_VAR(opline->result.var));
@@ -693,7 +693,7 @@ static zend_never_inline ZEND_COLD int ZEND_FASTCALL make_real_object_rw(zval *o
 zend_string *tmp_property_name;
 zend_string *property_name = zval_get_tmp_string(property, &tmp_property_name);
 zend_error(E_WARNING, "Attempt to modify property '%s' of non-object", ZSTR_VAL(property_name));
- zend_tmp_string_release(property_name);
+ zend_tmp_string_release(tmp_property_name);
 }
 return 0;
 }
@@ -1332,7 +1332,7 @@ static zend_never_inline ZEND_COLD void ZEND_FASTCALL zend_wrong_property_read(z
 zend_string *tmp_property_name;
 zend_string *property_name = zval_get_tmp_string(property, &tmp_property_name);
 zend_error(E_NOTICE, "Trying to get property '%s' of non-object", ZSTR_VAL(property_name));
- zend_tmp_string_release(property_name);
+ zend_tmp_string_release(tmp_property_name);
 }
 
 static zend_never_inline ZEND_COLD void ZEND_FASTCALL zend_wrong_property_unset(zval *property)
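Review bot: The corrected release in zend_wrong_property_assign (and the identical line in the make_real_object, make_real_object_rw and zend_wrong_property_read hunks that follow, plus the unset and check variants later in the file) still has no comment saying which of the two pointers owns a reference, which is the distinction the old line got wrong. As far as I know, zval_get_tmp_string() hands back the zval's own string without taking a reference when the value is already a string and leaves the holder NULL, so releasing the returned pointer dropped a reference the function never held and could free a string that is still in use. A short comment at each site, e.g. `/* release the holder only; property_name may be borrowed from the zval */`, would record that rule. Since the same three-line sequence appears six times, moving it into one static helper would leave a single place to get the ownership right. All of these function bodies start or end outside their hunks.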
@@ -1340,7 +1340,7 @@ static zend_never_inline ZEND_COLD void ZEND_FASTCALL zend_wrong_property_unset(
 zend_string *tmp_property_name;
 zend_string *property_name = zval_get_tmp_string(property, &tmp_property_name);
 zend_error(E_NOTICE, "Trying to unset property '%s' of non-object", ZSTR_VAL(property_name));
- zend_tmp_string_release(property_name);
+ zend_tmp_string_release(tmp_property_name);
 }
 
 static zend_never_inline ZEND_COLD void ZEND_FASTCALL zend_wrong_property_check(zval *property)
@@ -1348,7 +1348,7 @@ static zend_never_inline ZEND_COLD void ZEND_FASTCALL zend_wrong_property_check(
 zend_string *tmp_property_name;
 zend_string *property_name = zval_get_tmp_string(property, &tmp_property_name);
 zend_error(E_NOTICE, "Trying to check property '%s' of non-object", ZSTR_VAL(property_name));
- zend_tmp_string_release(property_name);
+ zend_tmp_string_release(tmp_property_name);
 }
 
 static zend_never_inline ZEND_COLD void ZEND_FASTCALL zend_deprecated_function(const zend_function *fbc)
-- 2.50.0
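Review bot: The unset and check variants fixed in these two hunks do not appear to be exercised by the new Zend/tests/bug76667.phpt, whose expected output lists only "Trying to get property" notices, i.e. the zend_wrong_property_read path. The same seems true of zend_wrong_property_assign, make_real_object and make_real_object_rw earlier in the file. Because the old line was an over-release that only faults later, when the string is touched again, I would add cases that reach each of the remaining messages with a property name that is already a string, and run them under a debug or AddressSanitizer build so a regression is caught at the release itself. Both function bodies begin outside their hunks.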