author | Xinchen Hui <laruence@gmail.com> | 2016-05-05 11:02:21 +0800 |
---|---|---|
committer | Xinchen Hui <laruence@gmail.com> | 2016-05-05 11:02:21 +0800 |
commit | 9191862121411858036b0d2a06c3a99229c8bd24 (patch) | |
tree | 8e16f5e8e7ff7e961c7a20ef1ffffd8b7c2a9242 | |
parent | 0691e7a8e15ace3ce186ceb8c27753325a5a956f (diff) | |
Fixed bug #72162 (use-after-free - error_reporting)
-rw-r--r-- | NEWS | 1 | ||||
-rw-r--r-- | Zend/tests/bug72162.phpt | 11 | ||||
-rw-r--r-- | Zend/zend_builtin_functions.c | 5 |
3 files changed, 15 insertions, 2 deletions
@@ -3,6 +3,7 @@ PHP NEWS
 ?? ??? 2016 PHP 7.0.7
 - Core:
+ . Fixed bug #72162 (use-after-free - error_reporting). (Laruence)
 . Add compiler option to disable special case function calls. (Joe)
 . Fixed bug #72101 (crash on complex code). (Dmitry)
 . Fixed bug #72100 (implode() inserts garbage into resulting string when
diff --git a/Zend/tests/bug72162.phpt b/Zend/tests/bug72162.phpt
new file mode 100644
index 0000000000..3cd12dea21
--- /dev/null
+++ b/Zend/tests/bug72162.phpt
@@ -0,0 +1,11 @@
+--TEST--
+Bug #72162 (use-after-free - error_reporting)
+--FILE--
+<?php
+error_reporting(1);
+$var11 = new StdClass();
+$var16 = error_reporting($var11);
+?>
+okey
+--EXPECT--
+okey
diff --git a/Zend/zend_builtin_functions.c b/Zend/zend_builtin_functions.c
index a576455fa3..558a1b2ac6 100644
--- a/Zend/zend_builtin_functions.c
+++ b/Zend/zend_builtin_functions.c
@@ -704,7 +704,8 @@ ZEND_FUNCTION(error_reporting)
 #endif
 old_error_reporting = EG(error_reporting);
- if(ZEND_NUM_ARGS() != 0) {
+ if (ZEND_NUM_ARGS() != 0) {
+ zend_string *new_val = zval_get_string(err);
 do {
 zend_ini_entry *p = EG(error_reporting_ini_entry);
@@ -730,7 +731,7 @@ ZEND_FUNCTION(error_reporting)
 zend_string_release(p->value);
 }
- p->value = zval_get_string(err);
+ p->value = new_val;
 if (Z_TYPE_P(err) == IS_LONG) {
 EG(error_reporting) = Z_LVAL_P(err);
 } else { |
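Review bot: `new_val` is allocated at the top of the `if (ZEND_NUM_ARGS() != 0)` block in the first Zend/zend_builtin_functions.c hunk, but the only visible place it is consumed is `p->value = new_val;` in the second hunk, so any path that leaves the `do { … }` block before that assignment would leak the string. The lines between the two hunks are not shown and ZEND_FUNCTION(error_reporting) extends beyond both, so this needs checking against the full body; if such an early exit exists, it should call `zend_string_release(new_val);` before leaving. The reordering is the whole fix and is easy to undo by accident, so I would also add a comment at the declaration such as `/* Convert before p->value is released: zval_get_string() may raise an error (e.g. for an object argument) while the old value is still in use. */`; the exact failure path is inferred from the bug title and the new test rather than visible in the hunk.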