From f560d4ea84e18ab5a57f1df4087928cdb609dfbe Mon Sep 17 00:00:00 2001
From: Dmitry Stogov
Date: Tue, 28 Jul 2009 13:01:40 +0000
Subject: [PATCH] Fixed bug #49037 (@list( $b ) = $a; causes a crash)
---
 Zend/tests/bug49037.phpt | 14 ++++++++++++++
 Zend/zend_vm_def.h | 3 +++
 Zend/zend_vm_execute.h | 12 ++++++++++++
 3 files changed, 29 insertions(+)
 create mode 100644 Zend/tests/bug49037.phpt
diff --git a/Zend/tests/bug49037.phpt b/Zend/tests/bug49037.phpt
new file mode 100644
index 0000000000..8f50ea72b3
--- /dev/null
+++ b/Zend/tests/bug49037.phpt
@@ -0,0 +1,14 @@
+--TEST--
+Bug #49037 (@list( $b ) = $a; causes a crash)
+--FILE--
+
+--EXPECT--
+Array
+(
+ [0] => c
+)
+
diff --git a/Zend/zend_vm_def.h b/Zend/zend_vm_def.h
index 6dd3a90c55..cbc80ba361 100644
--- a/Zend/zend_vm_def.h
+++ b/Zend/zend_vm_def.h
@@ -1491,6 +1491,9 @@ ZEND_VM_HANDLER(98, ZEND_FETCH_DIM_TMP_VAR, VAR|CV|CONST|TMP, CONST)
 if (OP1_TYPE == IS_VAR && EX_T(opline->op1.u.var).var.ptr == NULL) {
 zend_error_noreturn(E_ERROR, "Cannot use string offset as an array");
 }
+ if (OP1_TYPE == IS_VAR && EX_T(opline->op1.u.var).var.ptr_ptr) {
+ PZVAL_LOCK(*EX_T(opline->op1.u.var).var.ptr_ptr);
+ }
 container = GET_OP1_ZVAL_PTR(BP_VAR_R);
 if (Z_TYPE_P(container) != IS_ARRAY) {
 if (!RETURN_VALUE_UNUSED(&opline->result)) {
diff --git a/Zend/zend_vm_execute.h b/Zend/zend_vm_execute.h
index 9ccfc50495..3d3f273194 100644
--- a/Zend/zend_vm_execute.h
+++ b/Zend/zend_vm_execute.h
@@ -2680,6 +2680,9 @@ static int ZEND_FASTCALL ZEND_FETCH_DIM_TMP_VAR_SPEC_CONST_CONST_HANDLER(ZEND_O
 if (IS_CONST == IS_VAR && EX_T(opline->op1.u.var).var.ptr == NULL) {
 zend_error_noreturn(E_ERROR, "Cannot use string offset as an array");
 }
+ if (IS_CONST == IS_VAR && EX_T(opline->op1.u.var).var.ptr_ptr) {
+ PZVAL_LOCK(*EX_T(opline->op1.u.var).var.ptr_ptr);
+ }
 container = &opline->op1.u.constant;
 if (Z_TYPE_P(container) != IS_ARRAY) {
 if (!RETURN_VALUE_UNUSED(&opline->result)) {
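Review bot: The `PZVAL_LOCK(*EX_T(opline->op1.u.var).var.ptr_ptr)` added to ZEND_FETCH_DIM_TMP_VAR in Zend/zend_vm_def.h carries no comment naming the release that balances it, and it is taken before the `Z_TYPE_P(container) != IS_ARRAY` branch, so both the array and the non-array path must drop that reference or the crash fix becomes a leaked zval. The rest of the handler lies outside the hunk, so the balance cannot be confirmed from here; presumably the `GET_OP1_ZVAL_PTR(BP_VAR_R)` call on the following line consumes one reference for IS_VAR operands. I would put a comment above the new `if`, for example `/* bug #49037: hold op1 across this fetch; released by <matching unlock/free> */`. The guard tests `var.ptr_ptr` but then dereferences it, which relies on the earlier `var.ptr == NULL` check to rule out a NULL `*ptr_ptr`; that assumption deserves a word in the same comment. The identical lines in the zend_vm_execute.h specializations look generated from this definition, so the comment belongs here only.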
@@ -6117,6 +6120,9 @@ static int ZEND_FASTCALL ZEND_FETCH_DIM_TMP_VAR_SPEC_TMP_CONST_HANDLER(ZEND_OPC
 if (IS_TMP_VAR == IS_VAR && EX_T(opline->op1.u.var).var.ptr == NULL) {
 zend_error_noreturn(E_ERROR, "Cannot use string offset as an array");
 }
+ if (IS_TMP_VAR == IS_VAR && EX_T(opline->op1.u.var).var.ptr_ptr) {
+ PZVAL_LOCK(*EX_T(opline->op1.u.var).var.ptr_ptr);
+ }
 container = _get_zval_ptr_tmp(&opline->op1, EX(Ts), &free_op1 TSRMLS_CC);
 if (Z_TYPE_P(container) != IS_ARRAY) {
 if (!RETURN_VALUE_UNUSED(&opline->result)) {
@@ -10579,6 +10585,9 @@ static int ZEND_FASTCALL ZEND_FETCH_DIM_TMP_VAR_SPEC_VAR_CONST_HANDLER(ZEND_OPC
 if (IS_VAR == IS_VAR && EX_T(opline->op1.u.var).var.ptr == NULL) {
 zend_error_noreturn(E_ERROR, "Cannot use string offset as an array");
 }
+ if (IS_VAR == IS_VAR && EX_T(opline->op1.u.var).var.ptr_ptr) {
+ PZVAL_LOCK(*EX_T(opline->op1.u.var).var.ptr_ptr);
+ }
 container = _get_zval_ptr_var(&opline->op1, EX(Ts), &free_op1 TSRMLS_CC);
 if (Z_TYPE_P(container) != IS_ARRAY) {
 if (!RETURN_VALUE_UNUSED(&opline->result)) {
@@ -24941,6 +24950,9 @@ static int ZEND_FASTCALL ZEND_FETCH_DIM_TMP_VAR_SPEC_CV_CONST_HANDLER(ZEND_OPCO
 if (IS_CV == IS_VAR && EX_T(opline->op1.u.var).var.ptr == NULL) {
 zend_error_noreturn(E_ERROR, "Cannot use string offset as an array");
 }
+ if (IS_CV == IS_VAR && EX_T(opline->op1.u.var).var.ptr_ptr) {
+ PZVAL_LOCK(*EX_T(opline->op1.u.var).var.ptr_ptr);
+ }
 container = _get_zval_ptr_cv(&opline->op1, EX(Ts), BP_VAR_R TSRMLS_CC);
 if (Z_TYPE_P(container) != IS_ARRAY) {
 if (!RETURN_VALUE_UNUSED(&opline->result)) {
--
2.40.0