author | Xinchen Hui <laruence@gmail.com> | 2017-09-24 17:24:11 +0800 |
---|---|---|
committer | Xinchen Hui <laruence@gmail.com> | 2017-09-24 17:24:11 +0800 |
commit | b05ff14a9aa8fd98eea9cbeb090f9d64bf302561 (patch) | |
tree | 3ebfa1245261cf46bcaa169cba48864ae2f33988 | |
parent | db63367871ce475d52ae8a3c9cc8efe5bc908dec (diff) | |
download | php-git-b05ff14a9aa8fd98eea9cbeb090f9d64bf302561.tar.gz |
Fixed bug #75241 (Null pointer dereference in zend_mm_alloc_small()).
-rw-r--r-- | NEWS | 2 | ||||
-rw-r--r-- | Zend/tests/bug75241.phpt | 13 | ||||
-rw-r--r-- | Zend/zend_operators.c | 4 |
3 files changed, 18 insertions, 1 deletions
@@ -3,6 +3,8 @@ PHP NEWS ?? ??? 2017 PHP 7.0.25 - Core: + . Fixed bug #75241 (Null pointer dereference in zend_mm_alloc_small()). + (Laruence) . Fixed bug #75236 (infinite loop when printing an error-message). (Andrea) . Fixed bug #75252 (Incorrect token formatting on two parse errors in one request). (Nikita)
diff --git a/Zend/tests/bug75241.phpt b/Zend/tests/bug75241.phpt
new file mode 100644
index 0000000000..1751bbee76
--- /dev/null
+++ b/Zend/tests/bug75241.phpt
@@ -0,0 +1,13 @@
+--TEST--
+Bug #75241 (Null pointer dereference in zend_mm_alloc_small())
+--FILE--
+<?php
+function eh(){}
+
+set_error_handler('eh');
+
+$d->d = &$d + $d->d/=0;
+var_dump($d);
+?>
+--EXPECT--
+float(INF)
diff --git a/Zend/zend_operators.c b/Zend/zend_operators.c
index 3a8929b83f..d87dba919b 100644
--- a/Zend/zend_operators.c
+++ b/Zend/zend_operators.c
@@ -221,8 +221,10 @@ try_again:
 if (Z_TYPE(holder) == IS_LONG) { \
 if (op == result) { \
 zval_ptr_dtor(op); \
+ ZVAL_LONG(op, Z_LVAL(holder)); \
+ } else { \
+ (op) = &(holder); \
 } \
- (op) = &(holder); \
 } \
 break; \
 } \ |
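Review bot: The new test in Zend/tests/bug75241.phpt does not say which of its ingredients are needed to reach the crash: the no-op handler `eh`, the self-reference in `$d->d = &$d + $d->d/=0;`, or the division by zero. A later edit could drop one of them and leave a test that still passes but no longer covers bug #75241. A short comment above that statement would help, for example `// $d->d aliases $d, so the operand and the result of /= are the same zval (the op == result branch)`. That reading is inferred from the zend_operators.c change in this commit and should be confirmed by the author. The test also exercises only `/=`; if the patched macro is shared by other arithmetic operators, one more case for a second operator would pin the fix more firmly.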
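Review bot: In the `op == result` branch of the Zend/zend_operators.c hunk, `zval_ptr_dtor(op)` runs before `ZVAL_LONG(op, Z_LVAL(holder))`, so while the old value is being released `op` still holds it. If that release can run user code (an object destructor, for instance), the slot is observable in a half-destroyed state. The usual safer order is to store first and release afterwards, with a local `zval old;` declared in that block: `ZVAL_COPY_VALUE(&old, op); ZVAL_LONG(op, Z_LVAL(holder)); zval_ptr_dtor(&old);`. The two branches now differ on purpose, which deserves a comment such as `/* op aliases result: write the number in place so result never keeps the destroyed value */ \`; the stated reason is inferred from the diff. The macro's `#define` line and its end are outside the hunk, so whether the non-`IS_LONG` path needs the same care cannot be judged from here.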