From bad5d0d6c56e078502b21ebdbf829b7a1c9b3bd3 Mon Sep 17 00:00:00 2001
From: Bob Weinand <bobwei9@hotmail.com>
Date: Sat, 22 Jul 2017 11:14:00 +0200
Subject: [PATCH] Fixed bug #74954 (null deref and segfault in
 zend_generator_resume())

---
 NEWS                                |  1 +
 Zend/tests/generators/bug74954.phpt | 45 +++++++++++++++++++++++++++++
 Zend/zend_generators.c              |  6 ++--
 3 files changed, 48 insertions(+), 4 deletions(-)
 create mode 100644 Zend/tests/generators/bug74954.phpt

diff --git a/NEWS b/NEWS
index f174c5cfa2..fed2edb098 100644
--- a/NEWS
+++ b/NEWS
@@ -4,6 +4,7 @@ PHP                                                                        NEWS
 
 - Core:
   . Fixed bug #74947 (Segfault in scanner on INF number). (Laruence)
+  . Fixed bug #74954 (null deref and segfault in zend_generator_resume()). (Bob)
 
 - SimpleXML:
   . Fixed bug #74950 (nullpointer deref in simplexml_element_getDocNamespaces).
diff --git a/Zend/tests/generators/bug74954.phpt b/Zend/tests/generators/bug74954.phpt
new file mode 100644
index 0000000000..58a61af573
--- /dev/null
+++ b/Zend/tests/generators/bug74954.phpt
@@ -0,0 +1,45 @@
+--TEST--
+Bug #74954 (crash after update of generator yielding from finished generator)
+--FILE--
+<?php
+
+function from() {
+        yield 1;
+        throw new Exception();
+}
+
+function gen($gen) {
+        try {
+                var_dump(yield from $gen);
+        } catch (Exception $e) { print "Caught exception!\n$e\n"; }
+}
+
+$gen = from();
+$gens[] = gen($gen);
+$gens[] = gen($gen);
+
+foreach ($gens as $g) {
+        $g->current();
+}
+
+do {
+        foreach ($gens as $i => $g) {
+                $g->next();
+        }
+} while($gens[0]->valid());
+
+?>
+--EXPECTF--
+Caught exception!
+Exception in %s:%d
+Stack trace:
+#0 %s(%d): from()
+#1 [internal function]: gen(Object(Generator))
+#2 %s(%d): Generator->next()
+#3 {main}
+Caught exception!
+ClosedGeneratorException: Generator yielded from aborted, no return value available in %s:%d
+Stack trace:
+#0 [internal function]: gen(Object(Generator))
+#1 %s(%d): Generator->next()
+#2 {main}
diff --git a/Zend/zend_generators.c b/Zend/zend_generators.c
index fd09831080..37faca1f00 100644
--- a/Zend/zend_generators.c
+++ b/Zend/zend_generators.c
@@ -644,15 +644,13 @@ failure:
 
 ZEND_API void zend_generator_resume(zend_generator *orig_generator) /* {{{ */
 {
-	zend_generator *generator;
+	zend_generator *generator = zend_generator_get_current(orig_generator);
 
 	/* The generator is already closed, thus can't resume */
-	if (UNEXPECTED(!orig_generator->execute_data)) {
+	if (UNEXPECTED(!generator->execute_data)) {
 		return;
 	}
 
-	generator = zend_generator_get_current(orig_generator);
-
 try_again:
 	if (generator->flags & ZEND_GENERATOR_CURRENTLY_RUNNING) {
 		zend_throw_error(NULL, "Cannot resume an already running generator");
-- 
2.50.0