From cc3c425af8c6a56a1b295ab335d0758f48dad284 Mon Sep 17 00:00:00 2001
From: Nikita Popov <nikic@php.net>
Date: Wed, 7 Oct 2015 22:47:09 +0200
Subject: [PATCH] Fix bug #70662

This replaces add_new with update for the RW case. This should not
be problematic for performance, as this branch throws a notice.

Alternatively add_new could also be replaced with add. I went with
update, because it makes $a[0] += 1 behavior the same as
$a[0] = $a[0] + 1.
---
 NEWS                     |  4 ++++
 Zend/tests/bug70662.phpt | 18 ++++++++++++++++++
 Zend/zend_execute.c      |  6 ++++--
 Zend/zend_vm_def.h       |  3 ++-
 Zend/zend_vm_execute.h   | 27 ++++++++++++++++++---------
 5 files changed, 46 insertions(+), 12 deletions(-)
 create mode 100644 Zend/tests/bug70662.phpt

diff --git a/NEWS b/NEWS
index 1bfcfffbae..fcc1552ff3 100644
--- a/NEWS
+++ b/NEWS
@@ -2,6 +2,10 @@ PHP                                                                        NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 15 Oct 2015, PHP 7.0.0 RC 5
 
+- Core:
+  . Fixed bug #70662 (Duplicate array key via undefined index error handler).
+    (Nikita)
+
 - Mcrypt:
   . Fixed bug #70625 (mcrypt_encrypt() won't return data when no IV was
     specified under RC4). (Nikita)
diff --git a/Zend/tests/bug70662.phpt b/Zend/tests/bug70662.phpt
new file mode 100644
index 0000000000..2bda8141ba
--- /dev/null
+++ b/Zend/tests/bug70662.phpt
@@ -0,0 +1,18 @@
+--TEST--
+Bug #70662: Duplicate array key via undefined index error handler
+--FILE--
+<?php
+
+$a = [];
+set_error_handler(function() use(&$a) {
+    $a['b'] = 2;
+});
+$a['b'] += 1;
+var_dump($a);
+
+?>
+--EXPECT--
+array(1) {
+  ["b"]=>
+  int(1)
+}
diff --git a/Zend/zend_execute.c b/Zend/zend_execute.c
index f88ccb1ea7..5b98fb47fb 100644
--- a/Zend/zend_execute.c
+++ b/Zend/zend_execute.c
@@ -1557,7 +1557,8 @@ num_index:
 					break;
 				case BP_VAR_RW:
 					zend_error(E_NOTICE,"Undefined offset: " ZEND_LONG_FMT, hval);
-					/* break missing intentionally */
+					retval = zend_hash_index_update(ht, hval, &EG(uninitialized_zval));
+					break;
 				case BP_VAR_W:
 					retval = zend_hash_index_add_new(ht, hval, &EG(uninitialized_zval));
 					break;
@@ -1605,7 +1606,8 @@ str_index:
 					break;
 				case BP_VAR_RW:
 					zend_error(E_NOTICE,"Undefined index: %s", ZSTR_VAL(offset_key));
-					/* break missing intentionally */
+					retval = zend_hash_update(ht, offset_key, &EG(uninitialized_zval));
+					break;
 				case BP_VAR_W:
 					retval = zend_hash_add_new(ht, offset_key, &EG(uninitialized_zval));
 					break;
diff --git a/Zend/zend_vm_def.h b/Zend/zend_vm_def.h
index f0e7278459..0c34f1717b 100644
--- a/Zend/zend_vm_def.h
+++ b/Zend/zend_vm_def.h
@@ -1565,7 +1565,8 @@ ZEND_VM_HELPER_EX(zend_fetch_var_address_helper, CONST|TMPVAR|CV, UNUSED|CONST|V
 					break;
 				case BP_VAR_RW:
 					zend_error(E_NOTICE,"Undefined variable: %s", ZSTR_VAL(name));
-					/* break missing intentionally */
+					retval = zend_hash_update(target_symbol_table, name, &EG(uninitialized_zval));
+					break;
 				case BP_VAR_W:
 					retval = zend_hash_add_new(target_symbol_table, name, &EG(uninitialized_zval));
 					break;
diff --git a/Zend/zend_vm_execute.h b/Zend/zend_vm_execute.h
index 035f4ab7af..031e234281 100644
--- a/Zend/zend_vm_execute.h
+++ b/Zend/zend_vm_execute.h
@@ -5024,7 +5024,8 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL zend_fetch_var_address_helper_SPEC_
 					break;
 				case BP_VAR_RW:
 					zend_error(E_NOTICE,"Undefined variable: %s", ZSTR_VAL(name));
-					/* break missing intentionally */
+					retval = zend_hash_update(target_symbol_table, name, &EG(uninitialized_zval));
+					break;
 				case BP_VAR_W:
 					retval = zend_hash_add_new(target_symbol_table, name, &EG(uninitialized_zval));
 					break;
@@ -6945,7 +6946,8 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL zend_fetch_var_address_helper_SPEC_
 					break;
 				case BP_VAR_RW:
 					zend_error(E_NOTICE,"Undefined variable: %s", ZSTR_VAL(name));
-					/* break missing intentionally */
+					retval = zend_hash_update(target_symbol_table, name, &EG(uninitialized_zval));
+					break;
 				case BP_VAR_W:
 					retval = zend_hash_add_new(target_symbol_table, name, &EG(uninitialized_zval));
 					break;
@@ -7441,7 +7443,8 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL zend_fetch_var_address_helper_SPEC_
 					break;
 				case BP_VAR_RW:
 					zend_error(E_NOTICE,"Undefined variable: %s", ZSTR_VAL(name));
-					/* break missing intentionally */
+					retval = zend_hash_update(target_symbol_table, name, &EG(uninitialized_zval));
+					break;
 				case BP_VAR_W:
 					retval = zend_hash_add_new(target_symbol_table, name, &EG(uninitialized_zval));
 					break;
@@ -31092,7 +31095,8 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL zend_fetch_var_address_helper_SPEC_
 					break;
 				case BP_VAR_RW:
 					zend_error(E_NOTICE,"Undefined variable: %s", ZSTR_VAL(name));
-					/* break missing intentionally */
+					retval = zend_hash_update(target_symbol_table, name, &EG(uninitialized_zval));
+					break;
 				case BP_VAR_W:
 					retval = zend_hash_add_new(target_symbol_table, name, &EG(uninitialized_zval));
 					break;
@@ -33305,7 +33309,8 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL zend_fetch_var_address_helper_SPEC_
 					break;
 				case BP_VAR_RW:
 					zend_error(E_NOTICE,"Undefined variable: %s", ZSTR_VAL(name));
-					/* break missing intentionally */
+					retval = zend_hash_update(target_symbol_table, name, &EG(uninitialized_zval));
+					break;
 				case BP_VAR_W:
 					retval = zend_hash_add_new(target_symbol_table, name, &EG(uninitialized_zval));
 					break;
@@ -34242,7 +34247,8 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL zend_fetch_var_address_helper_SPEC_
 					break;
 				case BP_VAR_RW:
 					zend_error(E_NOTICE,"Undefined variable: %s", ZSTR_VAL(name));
-					/* break missing intentionally */
+					retval = zend_hash_update(target_symbol_table, name, &EG(uninitialized_zval));
+					break;
 				case BP_VAR_W:
 					retval = zend_hash_add_new(target_symbol_table, name, &EG(uninitialized_zval));
 					break;
@@ -41434,7 +41440,8 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL zend_fetch_var_address_helper_SPEC_
 					break;
 				case BP_VAR_RW:
 					zend_error(E_NOTICE,"Undefined variable: %s", ZSTR_VAL(name));
-					/* break missing intentionally */
+					retval = zend_hash_update(target_symbol_table, name, &EG(uninitialized_zval));
+					break;
 				case BP_VAR_W:
 					retval = zend_hash_add_new(target_symbol_table, name, &EG(uninitialized_zval));
 					break;
@@ -42415,7 +42422,8 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL zend_fetch_var_address_helper_SPEC_
 					break;
 				case BP_VAR_RW:
 					zend_error(E_NOTICE,"Undefined variable: %s", ZSTR_VAL(name));
-					/* break missing intentionally */
+					retval = zend_hash_update(target_symbol_table, name, &EG(uninitialized_zval));
+					break;
 				case BP_VAR_W:
 					retval = zend_hash_add_new(target_symbol_table, name, &EG(uninitialized_zval));
 					break;
@@ -42816,7 +42824,8 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL zend_fetch_var_address_helper_SPEC_
 					break;
 				case BP_VAR_RW:
 					zend_error(E_NOTICE,"Undefined variable: %s", ZSTR_VAL(name));
-					/* break missing intentionally */
+					retval = zend_hash_update(target_symbol_table, name, &EG(uninitialized_zval));
+					break;
 				case BP_VAR_W:
 					retval = zend_hash_add_new(target_symbol_table, name, &EG(uninitialized_zval));
 					break;
-- 
2.50.1