-rw-r--r--NEWS1
-rw-r--r--Zend/tests/bug49866.phpt10
-rw-r--r--Zend/zend_vm_def.h2
-rw-r--r--Zend/zend_vm_execute.h20
4 files changed, 22 insertions, 11 deletions
diff --git a/NEWS b/NEWS
index bb22014ba0..aa774367a2 100644
--- a/NEWS
+++ b/NEWS
@@ -88,6 +88,7 @@ PHP NEWS
- Fixed bug #49936 (crash with ftp stream in php_stream_context_get_option()).
(Pierrick)
- Fixed bug #49921 (Curl post upload functions changed). (Ilia)
+- Fixed bug #49866 (Making reference on string offsets crashes PHP). (Dmitry)
- Fixed bug #49855 (import_request_variables() always returns NULL). (Ilia,
sjoerd at php dot net)
- Fixed bug #49800 (SimpleXML allow (un)serialize() calls without warning).
diff --git a/Zend/tests/bug49866.phpt b/Zend/tests/bug49866.phpt
new file mode 100644
index 0000000000..7fbc0d8028
--- /dev/null
+++ b/Zend/tests/bug49866.phpt
@@ -0,0 +1,10 @@
+--TEST--
+Bug #49866 (Making reference on string offsets crashes PHP)
+--FILE--
+<?php
+$a = "string";
+$b = &$a[1];
+$b = "f";
+echo $a;
+--EXPECTF--
+Fatal error: Cannot create references to/from string offsets nor overloaded objects in %sbug49866.php on line 3
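Review bot: The regression test covers only `$b = &$a[1];`, a plain variable with a constant index, while the same NULL guard is added to every VAR and CV operand variant of ZEND_FETCH_DIM_W. A second case with a variable index, such as `$i = 1; $b = &$a[$i];`, would pin at least one more variant. It needs its own .phpt file, because the first fatal error ends the script. Whether the other operand combinations reach the same error message is not visible here, so the expected output should be confirmed when adding them.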
diff --git a/Zend/zend_vm_def.h b/Zend/zend_vm_def.h
index 8b574cb46b..d12d67aab6 100644
--- a/Zend/zend_vm_def.h
+++ b/Zend/zend_vm_def.h
@@ -1100,7 +1100,7 @@ ZEND_VM_HANDLER(84, ZEND_FETCH_DIM_W, VAR|CV, CONST|TMP|VAR|UNUSED|CV)
FREE_OP1_VAR_PTR();
/* We are going to assign the result by reference */
- if (opline->extended_value) {
+ if (opline->extended_value && EX_T(opline->result.u.var).var.ptr_ptr) {
Z_DELREF_PP(EX_T(opline->result.u.var).var.ptr_ptr);
SEPARATE_ZVAL_TO_MAKE_IS_REF(EX_T(opline->result.u.var).var.ptr_ptr);
Z_ADDREF_PP(EX_T(opline->result.u.var).var.ptr_ptr);
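Review bot: The added `EX_T(opline->result.u.var).var.ptr_ptr` test in the `if` silently skips the make-reference step when the fetch produced no zval slot, and nothing at this site says why that is safe. Judging from the new test, the NULL case is a string offset and the fatal error is raised later by the reference assignment, so the guard only holds if every consumer of this result also checks `ptr_ptr` before dereferencing it; that is not visible in this hunk. I would extend the comment to something like `/* ptr_ptr is NULL for string offsets; skip here and let the by-reference assignment report the error */`. Other handlers that run the same DELREF/SEPARATE/ADDREF sequence on a fetched result (outside this hunk) are worth checking for the same unguarded dereference, since it is a script-triggerable crash. The handler body starts and ends outside the hunk.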
diff --git a/Zend/zend_vm_execute.h b/Zend/zend_vm_execute.h
index 74f144a4bb..87f0299047 100644
--- a/Zend/zend_vm_execute.h
+++ b/Zend/zend_vm_execute.h
@@ -9864,7 +9864,7 @@ static int ZEND_FASTCALL ZEND_FETCH_DIM_W_SPEC_VAR_CONST_HANDLER(ZEND_OPCODE_HA
if (free_op1.var) {zval_ptr_dtor(&free_op1.var);};
/* We are going to assign the result by reference */
- if (opline->extended_value) {
+ if (opline->extended_value && EX_T(opline->result.u.var).var.ptr_ptr) {
Z_DELREF_PP(EX_T(opline->result.u.var).var.ptr_ptr);
SEPARATE_ZVAL_TO_MAKE_IS_REF(EX_T(opline->result.u.var).var.ptr_ptr);
Z_ADDREF_PP(EX_T(opline->result.u.var).var.ptr_ptr);
@@ -11667,7 +11667,7 @@ static int ZEND_FASTCALL ZEND_FETCH_DIM_W_SPEC_VAR_TMP_HANDLER(ZEND_OPCODE_HAND
if (free_op1.var) {zval_ptr_dtor(&free_op1.var);};
/* We are going to assign the result by reference */
- if (opline->extended_value) {
+ if (opline->extended_value && EX_T(opline->result.u.var).var.ptr_ptr) {
Z_DELREF_PP(EX_T(opline->result.u.var).var.ptr_ptr);
SEPARATE_ZVAL_TO_MAKE_IS_REF(EX_T(opline->result.u.var).var.ptr_ptr);
Z_ADDREF_PP(EX_T(opline->result.u.var).var.ptr_ptr);
@@ -13416,7 +13416,7 @@ static int ZEND_FASTCALL ZEND_FETCH_DIM_W_SPEC_VAR_VAR_HANDLER(ZEND_OPCODE_HAND
if (free_op1.var) {zval_ptr_dtor(&free_op1.var);};
/* We are going to assign the result by reference */
- if (opline->extended_value) {
+ if (opline->extended_value && EX_T(opline->result.u.var).var.ptr_ptr) {
Z_DELREF_PP(EX_T(opline->result.u.var).var.ptr_ptr);
SEPARATE_ZVAL_TO_MAKE_IS_REF(EX_T(opline->result.u.var).var.ptr_ptr);
Z_ADDREF_PP(EX_T(opline->result.u.var).var.ptr_ptr);
@@ -14756,7 +14756,7 @@ static int ZEND_FASTCALL ZEND_FETCH_DIM_W_SPEC_VAR_UNUSED_HANDLER(ZEND_OPCODE_H
if (free_op1.var) {zval_ptr_dtor(&free_op1.var);};
/* We are going to assign the result by reference */
- if (opline->extended_value) {
+ if (opline->extended_value && EX_T(opline->result.u.var).var.ptr_ptr) {
Z_DELREF_PP(EX_T(opline->result.u.var).var.ptr_ptr);
SEPARATE_ZVAL_TO_MAKE_IS_REF(EX_T(opline->result.u.var).var.ptr_ptr);
Z_ADDREF_PP(EX_T(opline->result.u.var).var.ptr_ptr);
@@ -15807,7 +15807,7 @@ static int ZEND_FASTCALL ZEND_FETCH_DIM_W_SPEC_VAR_CV_HANDLER(ZEND_OPCODE_HANDL
if (free_op1.var) {zval_ptr_dtor(&free_op1.var);};
/* We are going to assign the result by reference */
- if (opline->extended_value) {
+ if (opline->extended_value && EX_T(opline->result.u.var).var.ptr_ptr) {
Z_DELREF_PP(EX_T(opline->result.u.var).var.ptr_ptr);
SEPARATE_ZVAL_TO_MAKE_IS_REF(EX_T(opline->result.u.var).var.ptr_ptr);
Z_ADDREF_PP(EX_T(opline->result.u.var).var.ptr_ptr);
@@ -23567,7 +23567,7 @@ static int ZEND_FASTCALL ZEND_FETCH_DIM_W_SPEC_CV_CONST_HANDLER(ZEND_OPCODE_HAN
}
/* We are going to assign the result by reference */
- if (opline->extended_value) {
+ if (opline->extended_value && EX_T(opline->result.u.var).var.ptr_ptr) {
Z_DELREF_PP(EX_T(opline->result.u.var).var.ptr_ptr);
SEPARATE_ZVAL_TO_MAKE_IS_REF(EX_T(opline->result.u.var).var.ptr_ptr);
Z_ADDREF_PP(EX_T(opline->result.u.var).var.ptr_ptr);
@@ -25204,7 +25204,7 @@ static int ZEND_FASTCALL ZEND_FETCH_DIM_W_SPEC_CV_TMP_HANDLER(ZEND_OPCODE_HANDL
}
/* We are going to assign the result by reference */
- if (opline->extended_value) {
+ if (opline->extended_value && EX_T(opline->result.u.var).var.ptr_ptr) {
Z_DELREF_PP(EX_T(opline->result.u.var).var.ptr_ptr);
SEPARATE_ZVAL_TO_MAKE_IS_REF(EX_T(opline->result.u.var).var.ptr_ptr);
Z_ADDREF_PP(EX_T(opline->result.u.var).var.ptr_ptr);
@@ -26844,7 +26844,7 @@ static int ZEND_FASTCALL ZEND_FETCH_DIM_W_SPEC_CV_VAR_HANDLER(ZEND_OPCODE_HANDL
}
/* We are going to assign the result by reference */
- if (opline->extended_value) {
+ if (opline->extended_value && EX_T(opline->result.u.var).var.ptr_ptr) {
Z_DELREF_PP(EX_T(opline->result.u.var).var.ptr_ptr);
SEPARATE_ZVAL_TO_MAKE_IS_REF(EX_T(opline->result.u.var).var.ptr_ptr);
Z_ADDREF_PP(EX_T(opline->result.u.var).var.ptr_ptr);
@@ -28074,7 +28074,7 @@ static int ZEND_FASTCALL ZEND_FETCH_DIM_W_SPEC_CV_UNUSED_HANDLER(ZEND_OPCODE_HA
}
/* We are going to assign the result by reference */
- if (opline->extended_value) {
+ if (opline->extended_value && EX_T(opline->result.u.var).var.ptr_ptr) {
Z_DELREF_PP(EX_T(opline->result.u.var).var.ptr_ptr);
SEPARATE_ZVAL_TO_MAKE_IS_REF(EX_T(opline->result.u.var).var.ptr_ptr);
Z_ADDREF_PP(EX_T(opline->result.u.var).var.ptr_ptr);
@@ -29026,7 +29026,7 @@ static int ZEND_FASTCALL ZEND_FETCH_DIM_W_SPEC_CV_CV_HANDLER(ZEND_OPCODE_HANDLE
}
/* We are going to assign the result by reference */
- if (opline->extended_value) {
+ if (opline->extended_value && EX_T(opline->result.u.var).var.ptr_ptr) {
Z_DELREF_PP(EX_T(opline->result.u.var).var.ptr_ptr);
SEPARATE_ZVAL_TO_MAKE_IS_REF(EX_T(opline->result.u.var).var.ptr_ptr);
Z_ADDREF_PP(EX_T(opline->result.u.var).var.ptr_ptr);