author | Dmitry Stogov <dmitry@zend.com> | 2015-06-01 12:17:32 +0300 |
---|---|---|
committer | Dmitry Stogov <dmitry@zend.com> | 2015-06-01 12:17:32 +0300 |
commit | f863d89b5cc991ebfbb69caacc724ad90513924b (patch) | |
tree | bfc86167f42d781ab5140fb10e6eab887f9a0328 | |
parent | 4758505b27dbfbade703d80737b9d50a9c2b9dea (diff) | |
parent | 9031a902e3393ff7dc8a02615430a7d894c740fa (diff) | |
Merge branch 'PHP-5.5' into PHP-5.6
* PHP-5.5:
Fixed bug #69732 (can induce segmentation fault with basic php code).
Conflicts:
Zend/zend_vm_execute.h
-rw-r--r-- | NEWS | 2 | ||||
-rw-r--r-- | Zend/tests/bug69732.phpt | 30 | ||||
-rw-r--r-- | Zend/zend_vm_def.h | 4 | ||||
-rw-r--r-- | Zend/zend_vm_execute.h | 32 |
4 files changed, 63 insertions, 5 deletions
@@ -16,6 +16,8 @@ on Windows. (Jorge Oliveira, Anatol) . Fixed bug #69703 (Use __builtin_clzl on PowerPC). (dja at axtens dot net, Kalle) + . Fixed bug #69732 (can induce segmentation fault with basic php code). + (Dmitry) - GD: . Fixed bug #69479 (GD fails to build with newer libvpx). (Remi) diff --git a/Zend/tests/bug69732.phpt b/Zend/tests/bug69732.phpt new file mode 100644 index 0000000000..2ea5e58bc9 --- /dev/null +++ b/Zend/tests/bug69732.phpt @@ -0,0 +1,30 @@ +--TEST-- +Bug #69732 (can induce segmentation fault with basic php code) +--FILE-- +<?php +class wpq { + private $unreferenced; + + public function __get($name) { + return $this->$name . "XXX"; + } +} + +function ret_assoc() { + $x = "XXX"; + return array('foo' => 'bar', $x); +} + +$wpq = new wpq; +$wpq->interesting =& ret_assoc(); +$x = $wpq->interesting; +printf("%s\n", $x); +--EXPECTF-- +Notice: Undefined property: wpq::$interesting in %sbug69732.php on line 6 + +Notice: Indirect modification of overloaded property wpq::$interesting has no effect in %sbug69732.php on line 16 + +Strict Standards: Only variables should be assigned by reference in %sbug69732.php on line 16 + +Notice: Undefined property: wpq::$interesting in %sbug69732.php on line 6 +XXX diff --git a/Zend/zend_vm_def.h b/Zend/zend_vm_def.h index 7c029ada3f..c7b2d2a934 100644 --- a/Zend/zend_vm_def.h +++ b/Zend/zend_vm_def.h @@ -1753,7 +1753,9 @@ ZEND_VM_HANDLER(38, ZEND_ASSIGN, VAR|CV, CONST|TMP|VAR|CV) } } - FREE_OP1_VAR_PTR(); + if (OP1_TYPE == IS_VAR && OP1_FREE) { + zval_ptr_dtor_nogc(&value); + } /* zend_assign_to_variable() always takes care of op2, never free it! */ FREE_OP2_IF_VAR(); diff --git a/Zend/zend_vm_execute.h b/Zend/zend_vm_execute.h index 1f5e55f40d..0de6b4ab57 100644 --- a/Zend/zend_vm_execute.h +++ b/Zend/zend_vm_execute.h 
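Review bot: In the Zend/zend_vm_def.h hunk (ZEND_ASSIGN), the new cleanup calls `zval_ptr_dtor_nogc(&value)` where the old code used `FREE_OP1_VAR_PTR()`, and nothing on the new lines says why, while the comment directly below still says op2 must never be freed. A reader may take `value` for the op2 operand, so a comment such as `/* op1 was an unlocked temporary: release it through the assigned result, the zval saved for op1 may no longer be valid after the assignment */` would make the memory-safety intent explicit; that wording is inferred from the bug title and should be confirmed. The handler body starts and ends outside the hunk, so I cannot see whether every branch above leaves `value` pointing at the assigned zval; if an error branch leaves it as the original op2 operand, this call would drop a reference on op2, which is worth confirming. The specialised handlers in Zend/zend_vm_execute.h, which appear to be generated from this template, carry the same lines.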
@@ -15692,7 +15692,9 @@ static int ZEND_FASTCALL ZEND_ASSIGN_SPEC_VAR_CONST_HANDLER(ZEND_OPCODE_HANDLER } } - if (free_op1.var) {zval_ptr_dtor_nogc(&free_op1.var);}; + if (IS_VAR == IS_VAR && (free_op1.var != NULL)) { + zval_ptr_dtor_nogc(&value); + } /* zend_assign_to_variable() always takes care of op2, never free it! */ @@ -18043,7 +18045,9 @@ static int ZEND_FASTCALL ZEND_ASSIGN_SPEC_VAR_TMP_HANDLER(ZEND_OPCODE_HANDLER_A } } - if (free_op1.var) {zval_ptr_dtor_nogc(&free_op1.var);}; + if (IS_VAR == IS_VAR && (free_op1.var != NULL)) { + zval_ptr_dtor_nogc(&value); + } /* zend_assign_to_variable() always takes care of op2, never free it! */ @@ -20303,7 +20307,9 @@ static int ZEND_FASTCALL ZEND_ASSIGN_SPEC_VAR_VAR_HANDLER(ZEND_OPCODE_HANDLER_A } } - if (free_op1.var) {zval_ptr_dtor_nogc(&free_op1.var);}; + if (IS_VAR == IS_VAR && (free_op1.var != NULL)) { + zval_ptr_dtor_nogc(&value); + } /* zend_assign_to_variable() always takes care of op2, never free it! */ zval_ptr_dtor_nogc(&free_op2.var); @@ -23772,7 +23778,9 @@ static int ZEND_FASTCALL ZEND_ASSIGN_SPEC_VAR_CV_HANDLER(ZEND_OPCODE_HANDLER_AR } } - if (free_op1.var) {zval_ptr_dtor_nogc(&free_op1.var);}; + if (IS_VAR == IS_VAR && (free_op1.var != NULL)) { + zval_ptr_dtor_nogc(&value); + } /* zend_assign_to_variable() always takes care of op2, never free it! */ @@ -33211,6 +33219,10 @@ static int ZEND_FASTCALL ZEND_ASSIGN_SPEC_CV_CONST_HANDLER(ZEND_OPCODE_HANDLER_ } } + if (IS_CV == IS_VAR && 0) { + zval_ptr_dtor_nogc(&value); + } + /* zend_assign_to_variable() always takes care of op2, never free it! */ CHECK_EXCEPTION(); @@ -35331,6 +35343,10 @@ static int ZEND_FASTCALL ZEND_ASSIGN_SPEC_CV_TMP_HANDLER(ZEND_OPCODE_HANDLER_AR } } + if (IS_CV == IS_VAR && 0) { + zval_ptr_dtor_nogc(&value); + } + /* zend_assign_to_variable() always takes care of op2, never free it! */ CHECK_EXCEPTION(); 
@@ -37452,6 +37468,10 @@ static int ZEND_FASTCALL ZEND_ASSIGN_SPEC_CV_VAR_HANDLER(ZEND_OPCODE_HANDLER_AR } } + if (IS_CV == IS_VAR && 0) { + zval_ptr_dtor_nogc(&value); + } + /* zend_assign_to_variable() always takes care of op2, never free it! */ zval_ptr_dtor_nogc(&free_op2.var); @@ -40632,6 +40652,10 @@ static int ZEND_FASTCALL ZEND_ASSIGN_SPEC_CV_CV_HANDLER(ZEND_OPCODE_HANDLER_ARG } } + if (IS_CV == IS_VAR && 0) { + zval_ptr_dtor_nogc(&value); + } + /* zend_assign_to_variable() always takes care of op2, never free it! */ CHECK_EXCEPTION(); |