From e90ac23f580e691d8305f7e4412968d5d5e22bfb Mon Sep 17 00:00:00 2001
From: Dmitry Stogov
Date: Wed, 16 Mar 2011 15:21:38 +0000
Subject: [PATCH] Fixed bug #54265 (crash when variable gets reassigned in error handler)
---
 NEWS | 2 ++
 Zend/tests/bug54265.phpt | 17 +++++++++++++++++
 Zend/zend_execute.c | 16 ++++++++++++++--
 3 files changed, 33 insertions(+), 2 deletions(-)
 create mode 100644 Zend/tests/bug54265.phpt
diff --git a/NEWS b/NEWS
index 0678c24dd2..0d1cfd451b 100644
--- a/NEWS
+++ b/NEWS
@@ -2,6 +2,8 @@
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 ?? Mar 2011, PHP 5.3.6
 - Zend Engine:
+ . Fixed bug #54265 (crash when variable gets reassigned in error handler).
+ (Dmitry)
 . Fixed bug #54262 (Crash when assigning value to a dimension in a non-array).
 (Dmitry)
diff --git a/Zend/tests/bug54265.phpt b/Zend/tests/bug54265.phpt
new file mode 100644
index 0000000000..43db028a2a
--- /dev/null
+++ b/Zend/tests/bug54265.phpt
@@ -0,0 +1,17 @@
+--TEST--
+Bug #54265 (crash when variable gets reassigned in error handler)
+--FILE--
+errormsg = "xyz");
+echo "ok\n";
+?>
+--EXPECT--
+EROOR: Creating default object from empty value
+ok
+
diff --git a/Zend/zend_execute.c b/Zend/zend_execute.c
index e270816d8b..f10fce38dc 100644
--- a/Zend/zend_execute.c
+++ b/Zend/zend_execute.c
@@ -536,10 +536,22 @@ static inline void zend_assign_to_object(znode *result, zval **object_ptr, zval
 (Z_TYPE_P(object) == IS_BOOL && Z_LVAL_P(object) == 0) ||
 (Z_TYPE_P(object) == IS_STRING && Z_STRLEN_P(object) == 0)) {
 SEPARATE_ZVAL_IF_NOT_REF(object_ptr);
- zval_dtor(*object_ptr);
- object_init(*object_ptr);
 object = *object_ptr;
+ Z_ADDREF_P(object);
 zend_error(E_STRICT, "Creating default object from empty value");
+ if (Z_REFCOUNT_P(object) == 1) {
+ /* object was removed by error handler, nothing to assign to */
+ zval_ptr_dtor(&object);
+ if (retval) {
+ *retval = &EG(uninitialized_zval);
+ PZVAL_LOCK(*retval);
+ }
+ FREE_OP(free_value);
+ return;
+ }
+ Z_DELREF_P(object);
+ zval_dtor(object);
+ object_init(object);
 } else {
 zend_error(E_WARNING, "Attempt to assign property of non-object");
 if (!RETURN_VALUE_UNUSED(result)) {
--
2.40.0
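Review bot: The new early-return path guards the result write with `if (retval)`, while the sibling branch at the end of this hunk uses `if (!RETURN_VALUE_UNUSED(result))`; retval's declaration is outside the hunk, but if it is the address of the result slot it is never NULL and the write always happens, so `if (!RETURN_VALUE_UNUSED(result)) {` would keep the two paths consistent. Separately, `Z_REFCOUNT_P(object) == 1` only detects a handler that dropped every other reference; a handler that writes through a reference would appear to change the zval in place, after which `zval_dtor(object); object_init(object);` replaces whatever it stored, so the empty-value condition may need re-checking after `zend_error()`. A short comment on `Z_ADDREF_P(object)` such as `/* pin the zval: the error handler runs user code that may release it */` would record why the extra reference is taken across the callback. zend_assign_to_object starts and ends outside the hunk.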