From ddc8a6316822b36dfb6b735df704a44caa344527 Mon Sep 17 00:00:00 2001
From: Felipe Pena <felipe@php.net>
Date: Sat, 8 Mar 2008 11:35:12 +0000
Subject: [PATCH] Fixed bug #39018 (Error control operator '@' fails to
 suppress "Uninitialized string offset")

---
 Zend/tests/bug39018.phpt   | 82 ++++++++++++++++++++++++++++++++++++++
 Zend/tests/bug39018_2.phpt | 18 +++++++++
 Zend/zend_execute.c        |  4 +-
 3 files changed, 103 insertions(+), 1 deletion(-)
 create mode 100644 Zend/tests/bug39018.phpt
 create mode 100644 Zend/tests/bug39018_2.phpt

diff --git a/Zend/tests/bug39018.phpt b/Zend/tests/bug39018.phpt
new file mode 100644
index 0000000000..128f06d6a1
--- /dev/null
+++ b/Zend/tests/bug39018.phpt
@@ -0,0 +1,82 @@
+--TEST--
+Bug #39018 (Error control operator '@' fails to suppress "Uninitialized string offset")
+--FILE--
+<?php
+
+error_reporting(E_ALL);
+
+$a = 'foo';
+$a[11111111111];
+
+$a = '';
+
+$a[0];
+
+print $a[0]; // 12
+
+$a[-11111111111111111111111];
+
+print $a[-11111111111111111111111]; // 16
+
+$a[-0];
+
+$x = 'test';
+
+@$x[4];
+
+@$y = $x[4];
+
+@('a' == $x[4]);
+
+$x[4] == 'a'; // 28
+
+@$x[4] == 'a';
+
+(@$x[4]) == 'a';
+
+($x[4]) == 'a'; // 34
+
+(@($x[4])) == 'a';
+
+(($x[4])) == 'a'; // 38
+
+@($x[4]) == 'a';
+
+($x[4]) == 'a'; // 42
+
+@($x[4] == 'a');
+
+($x[4] == 'a'); // 46
+
+$y = 'foobar';
+
+$y[12.2];
+
+print $y[12.2]; // 52
+
+$y[3.5];
+
+print $y[3.5]; // 56
+
+print "\nDone\n";
+
+?>
+--EXPECTF--
+
+Notice: Uninitialized string offset: 0 in %s on line 12
+
+Notice: Uninitialized string offset: -2147483648 in %s on line 16
+
+Notice: Uninitialized string offset: 4 in %s on line 28
+
+Notice: Uninitialized string offset: 4 in %s on line 34
+
+Notice: Uninitialized string offset: 4 in %s on line 38
+
+Notice: Uninitialized string offset: 4 in %s on line 42
+
+Notice: Uninitialized string offset: 4 in %s on line 46
+
+Notice: Uninitialized string offset: 12 in %s on line 52
+b
+Done
diff --git a/Zend/tests/bug39018_2.phpt b/Zend/tests/bug39018_2.phpt
new file mode 100644
index 0000000000..81831d51e0
--- /dev/null
+++ b/Zend/tests/bug39018_2.phpt
@@ -0,0 +1,18 @@
+--TEST--
+Bug #39018 [2] (Error control operator '@' fails to suppress "Uninitialized string offset")
+--FILE--
+<?php
+
+error_reporting(E_ALL);
+
+$foo = 'test';
+$x = @$foo[6];
+
+print @($foo[100] + $foo[130]);
+
+print "\nDone\n";
+
+?>
+--EXPECT--
+0
+Done
diff --git a/Zend/zend_execute.c b/Zend/zend_execute.c
index 721d410d16..f54afeab28 100644
--- a/Zend/zend_execute.c
+++ b/Zend/zend_execute.c
@@ -200,7 +200,6 @@ static inline zval *_get_zval_ptr_var(znode *node, temp_variable *Ts, zend_free_
 		if (T->str_offset.str->type != IS_STRING
 			|| ((int)T->str_offset.offset < 0)
 			|| (T->str_offset.str->value.str.len <= (int)T->str_offset.offset)) {
-			zend_error(E_NOTICE, "Uninitialized string offset:  %d", T->str_offset.offset);
 			ptr->value.str.val = STR_EMPTY_ALLOC();
 			ptr->value.str.len = 0;
 		} else {
@@ -1188,6 +1187,9 @@ static void zend_fetch_dimension_address_read(temp_variable *result, zval **cont
 					dim = &tmp;
 				}
 				if (result) {
+					if (Z_LVAL_P(dim) < 0 || Z_STRLEN_P(container) <= Z_LVAL_P(dim)) {
+						zend_error(E_NOTICE, "Uninitialized string offset: %ld", Z_LVAL_P(dim));
+					}
 					result->str_offset.str = container;
 					PZVAL_LOCK(container);
 					result->str_offset.offset = Z_LVAL_P(dim);
-- 
2.50.1