From de4f3007e2eebe6c08679ababe94410c0b8ed41e Mon Sep 17 00:00:00 2001
From: Antony Dovgal
Date: Fri, 27 Apr 2007 08:12:24 +0000
Subject: [PATCH] MFH: initialize retval_ptr_ptr before returning FAILURE this fixes invalid read in #41209

---
 Zend/tests/bug41209.phpt | 46 ++++++++++++++++++++++++++++++++++++++++
 Zend/zend_execute_API.c | 7 ++----
 2 files changed, 48 insertions(+), 5 deletions(-)
 create mode 100644 Zend/tests/bug41209.phpt

diff --git a/Zend/tests/bug41209.phpt b/Zend/tests/bug41209.phpt
new file mode 100644
index 0000000000..0834b376b2
--- /dev/null
+++ b/Zend/tests/bug41209.phpt
@@ -0,0 +1,46 @@
+--TEST--
+Bug #41209 (Segmentation fault with ArrayAccess, set_error_handler and undefined var)
+--FILE--
+containers[(string) $id]);
+ }
+}
+
+$env = new env();
+$cache = new cache();
+var_dump(isset($cache[$id]));
+
+echo "Done\n";
+?>
+--EXPECTF--
+Fatal error: Uncaught exception 'ErrorException' with message 'Undefined variable: id' in %s:%d
+Stack trace:
+#0 %s(%d): env::errorHandler()
+#1 {main}
+ thrown in %s on line %d
diff --git a/Zend/zend_execute_API.c b/Zend/zend_execute_API.c
index f51289a94c..7ca181a179 100644
--- a/Zend/zend_execute_API.c
+++ b/Zend/zend_execute_API.c
@@ -622,6 +622,8 @@ int zend_call_function(zend_fcall_info *fci, zend_fcall_info_cache *fci_cache TS
 	char *fname, *colon;
 	int fname_len;
 
+	*fci->retval_ptr_ptr = NULL;
+
 	if (!EG(active)) {
 		return FAILURE; /* executor is already inactive */
 	}
@@ -652,11 +654,6 @@ int zend_call_function(zend_fcall_info *fci, zend_fcall_info_cache *fci_cache TS
 		memset(&execute_data, 0, sizeof(zend_execute_data));
 	}
 
-	/* we may return SUCCESS, and yet retval may be uninitialized,
-	 * if there was an exception...
-	 */
-	*fci->retval_ptr_ptr = NULL;
-
 	if (!fci_cache || !fci_cache->initialized) {
 		if (Z_TYPE_P(fci->function_name)==IS_ARRAY) { /* assume array($obj, $name) couple */
 			zval **tmp_object_ptr, **tmp_real_function_name;
-- 
2.50.1
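Review bot: The `*fci->retval_ptr_ptr = NULL;` moved to the top of zend_call_function in the first zend_execute_API.c hunk arrives without the explanatory comment that the second hunk deletes, so the reason for pre-clearing the caller's slot — that each early `return FAILURE` below, and a SUCCESS with a pending exception, would otherwise leave the caller with an uninitialized pointer (bug #41209) — is no longer recorded next to the code. I would move the comment with the assignment and widen it to cover the new case: `/* clear the caller's retval slot up front: every early FAILURE return below, and a SUCCESS with a pending exception, would otherwise leave it uninitialized (bug #41209) */`. The assignment also dereferences `fci->retval_ptr_ptr` before any other check is made; whether any caller may legitimately pass a NULL slot is not visible from this hunk and is worth confirming. The enclosing function starts before the first hunk and continues after the second.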