From d1b1866a3a035b946e50b17eeefd19add81c7eab Mon Sep 17 00:00:00 2001 From: Xinchen Hui Date: Wed, 27 Jun 2018 13:05:11 +0800 Subject: [PATCH] Fixed bug #76534 (PHP hangs on 'illegal string offset on string references with an error handler) --- NEWS | 2 ++ Zend/tests/bug76534.phpt | 17 +++++++++++++++++ Zend/zend_execute.c | 4 +++- Zend/zend_vm_def.h | 4 +++- Zend/zend_vm_execute.h | 32 ++++++++++++++++++++++++-------- 5 files changed, 49 insertions(+), 10 deletions(-) create mode 100644 Zend/tests/bug76534.phpt diff --git a/NEWS b/NEWS index 79612ca2bd..d5840d2d25 100644 --- a/NEWS +++ b/NEWS @@ -3,6 +3,8 @@ PHP NEWS ?? ??? ????, PHP 7.1.20 - Core: + . Fixed bug #76534 (PHP hangs on 'illegal string offset on string references + with an error handler). (Laruence) . Fixed bug #76502 (Chain of mixed exceptions and errors does not serialize properly). (Nikita) diff --git a/Zend/tests/bug76534.phpt b/Zend/tests/bug76534.phpt new file mode 100644 index 0000000000..956a29ba2c --- /dev/null +++ b/Zend/tests/bug76534.phpt @@ -0,0 +1,17 @@ +--TEST-- +Bug #76534 (PHP hangs on 'illegal string offset on string references with an error handler) +--FILE-- + +--EXPECTF-- +Fatal error: Uncaught Exception: Illegal string offset 'bar' in %sbug76534.php:%d +Stack trace: +#0 %sbug76534.php(%d): {closure}(2, 'Illegal string ...', '%s', %d, Array) +#1 {main} + thrown in %sbug76534.php on line %d diff --git a/Zend/zend_execute.c b/Zend/zend_execute.c index 968618a6aa..f88fac6c88 100644 --- a/Zend/zend_execute.c +++ b/Zend/zend_execute.c @@ -1700,7 +1700,9 @@ fetch_from_array: zend_throw_error(NULL, "[] operator not supported for strings"); } else { zend_check_string_offset(dim, type); - zend_wrong_string_offset(); + if (EXPECTED(EG(exception) == NULL)) { + zend_wrong_string_offset(); + } } ZVAL_ERROR(result); } else if (EXPECTED(Z_TYPE_P(container) == IS_OBJECT)) { diff --git a/Zend/zend_vm_def.h b/Zend/zend_vm_def.h index 7dd70fa709..ea9870d31b 100644 --- a/Zend/zend_vm_def.h +++ b/Zend/zend_vm_def.h @@ -891,7 +891,9 @@ ZEND_VM_C_LABEL(assign_dim_op_convert_to_array): zend_throw_error(NULL, "[] operator not supported for strings"); } else { zend_check_string_offset(dim, BP_VAR_RW); - zend_wrong_string_offset(); + if (EXPECTED(EG(exception) == NULL)) { + zend_wrong_string_offset(); + } } } else if (EXPECTED(Z_TYPE_P(container) <= IS_FALSE)) { ZEND_VM_C_GOTO(assign_dim_op_convert_to_array); diff --git a/Zend/zend_vm_execute.h b/Zend/zend_vm_execute.h index cb20546da9..af3c181552 100644 --- a/Zend/zend_vm_execute.h +++ b/Zend/zend_vm_execute.h @@ -17596,7 +17596,9 @@ assign_dim_op_convert_to_array: zend_throw_error(NULL, "[] operator not supported for strings"); } else { zend_check_string_offset(dim, BP_VAR_RW); - zend_wrong_string_offset(); + if (EXPECTED(EG(exception) == NULL)) { + zend_wrong_string_offset(); + } } } else if (EXPECTED(Z_TYPE_P(container) <= IS_FALSE)) { goto assign_dim_op_convert_to_array; @@ -21014,7 +21016,9 @@ assign_dim_op_convert_to_array: zend_throw_error(NULL, "[] operator not supported for strings"); } else { zend_check_string_offset(dim, BP_VAR_RW); - zend_wrong_string_offset(); + if (EXPECTED(EG(exception) == NULL)) { + zend_wrong_string_offset(); + } } } else if (EXPECTED(Z_TYPE_P(container) <= IS_FALSE)) { goto assign_dim_op_convert_to_array; @@ -22385,7 +22389,9 @@ assign_dim_op_convert_to_array: zend_throw_error(NULL, "[] operator not supported for strings"); } else { zend_check_string_offset(dim, BP_VAR_RW); - zend_wrong_string_offset(); + if (EXPECTED(EG(exception) == NULL)) { + zend_wrong_string_offset(); + } } } else if (EXPECTED(Z_TYPE_P(container) <= IS_FALSE)) { goto assign_dim_op_convert_to_array; @@ -25330,7 +25336,9 @@ assign_dim_op_convert_to_array: zend_throw_error(NULL, "[] operator not supported for strings"); } else { zend_check_string_offset(dim, BP_VAR_RW); - zend_wrong_string_offset(); + if (EXPECTED(EG(exception) == NULL)) { + zend_wrong_string_offset(); + } } } else if (EXPECTED(Z_TYPE_P(container) <= IS_FALSE)) { goto assign_dim_op_convert_to_array; @@ -37055,7 +37063,9 @@ assign_dim_op_convert_to_array: zend_throw_error(NULL, "[] operator not supported for strings"); } else { zend_check_string_offset(dim, BP_VAR_RW); - zend_wrong_string_offset(); + if (EXPECTED(EG(exception) == NULL)) { + zend_wrong_string_offset(); + } } } else if (EXPECTED(Z_TYPE_P(container) <= IS_FALSE)) { goto assign_dim_op_convert_to_array; @@ -41665,7 +41675,9 @@ assign_dim_op_convert_to_array: zend_throw_error(NULL, "[] operator not supported for strings"); } else { zend_check_string_offset(dim, BP_VAR_RW); - zend_wrong_string_offset(); + if (EXPECTED(EG(exception) == NULL)) { + zend_wrong_string_offset(); + } } } else if (EXPECTED(Z_TYPE_P(container) <= IS_FALSE)) { goto assign_dim_op_convert_to_array; @@ -44149,7 +44161,9 @@ assign_dim_op_convert_to_array: zend_throw_error(NULL, "[] operator not supported for strings"); } else { zend_check_string_offset(dim, BP_VAR_RW); - zend_wrong_string_offset(); + if (EXPECTED(EG(exception) == NULL)) { + zend_wrong_string_offset(); + } } } else if (EXPECTED(Z_TYPE_P(container) <= IS_FALSE)) { goto assign_dim_op_convert_to_array; @@ -48220,7 +48234,9 @@ assign_dim_op_convert_to_array: zend_throw_error(NULL, "[] operator not supported for strings"); } else { zend_check_string_offset(dim, BP_VAR_RW); - zend_wrong_string_offset(); + if (EXPECTED(EG(exception) == NULL)) { + zend_wrong_string_offset(); + } } } else if (EXPECTED(Z_TYPE_P(container) <= IS_FALSE)) { goto assign_dim_op_convert_to_array; -- 2.49.0