Merge branch 'PHP-7.0'

2 files changed, 19 insertions, 2 deletions

diff --git a/Zend/tests/bug70782.phpt b/Zend/tests/bug70782.phpt
new file mode 100644
index 0000000000..bbe63ffec2
--- /dev/null
+++ b/Zend/tests/bug70782.phpt
@@ -0,0 +1,10 @@
+--TEST--
+Bug #70782: null ptr deref and segfault (zend_get_class_fetch_type)
+--FILE--
+<?php
+
+(-0)::$prop;
+
+?>
+--EXPECTF--
+Fatal error: Illegal class name in %s on line %d
diff --git a/Zend/zend_compile.c b/Zend/zend_compile.c
index f77d8b6ae7..d3a361dac9 100644
--- a/Zend/zend_compile.c
+++ b/Zend/zend_compile.c
@@ -2126,8 +2126,15 @@ static zend_op *zend_compile_class_ref(znode *result, zend_ast *name_ast, int th
 	zend_compile_expr(&name_node, name_ast);
 
 	if (name_node.op_type == IS_CONST) {
-		zend_string *name = Z_STR(name_node.u.constant);
-		uint32_t fetch_type = zend_get_class_fetch_type(name);
+		zend_string *name;
+		uint32_t fetch_type;
+
+		if (Z_TYPE(name_node.u.constant) != IS_STRING) {
+			zend_error_noreturn(E_COMPILE_ERROR, "Illegal class name");
+		}
+
+		name = Z_STR(name_node.u.constant);
+		fetch_type = zend_get_class_fetch_type(name);
 
 		opline = zend_emit_op(result, ZEND_FETCH_CLASS, NULL, NULL);
 		opline->extended_value = fetch_type | (throw_exception ? ZEND_FETCH_CLASS_EXCEPTION : 0);