
Commit ce89fd9

committed
Fixed bug #70262 (Accessing array crashes PHP 7.0beta3)
1 parent 2d475eb commit ce89fd9


4 files changed

+46
-10
lines changed


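--- a/NEWS
+++ b/NEWS
@@ -3,6 +3,8 @@ PHP NEWS
 20 Aug 2015, PHP 7.0.0 RC 1
 
 - Core:
+. Fixed bug #70262 (Accessing array crashes PHP 7.0beta3).
+(Laruence, Dmitry)
 . Fixed bug #70258 (Segfault if do_resize fails to allocated memory).
 (Laruence)
 . Fixed bug #70253 (segfault at _efree () in zend_alloc.c:1389). (Laruence)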

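--- a/Zend/tests/bug70262.phpt
+++ b/Zend/tests/bug70262.phpt
@@ -0,0 +1,34 @@
+--TEST--
+Bug #70262 (Accessing array crashes)
+--FILE--
+<?php
+class C {
+public $arguments;
+public function __construct($arg) {
+$this->arguments = $arg;
+}
+}
+
+function & a(&$arg) {
+$c = new C($arg);
+$arg[] = $c;
+return $c;
+}
+
+function c($arr) {
+a($arr)->arguments[0] = "bad";
+}
+
+$arr = array();
+$arr[] = "foo";
+$arr[] = "bar";
+c($arr);
+var_dump($arr);
+?>
+--EXPECT--
+array(2) {
+[0]=>
+string(3) "foo"
+[1]=>
+string(3) "bar"
+}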
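Review bot: The test passes whenever the caller's `$arr` still prints as two strings, but nothing in the file says which engine path it exercises, so a later edit could simplify it into a script that no longer reaches the separation of a by-reference return value. I would add a comment above the write in `c()`, for example `// write through the by-reference return of a(): must neither crash nor change the caller's $arr`. Because the original failure was a crash, it is probably also worth running this test under a memory checker in CI, since an invalid access that happens not to fault would still produce the expected output.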

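--- a/Zend/zend_vm_def.h
+++ b/Zend/zend_vm_def.h
@@ -7250,11 +7250,11 @@ ZEND_VM_HANDLER(156, ZEND_SEPARATE, VAR, UNUSED)
 zval *var_ptr;
 
 var_ptr = EX_VAR(opline->op1.var);
-if (Z_TYPE_P(var_ptr) != IS_OBJECT &&
-!Z_ISREF_P(var_ptr) &&
-Z_REFCOUNTED_P(var_ptr) &&
-Z_REFCOUNT_P(var_ptr) > 1) {
-
+if (UNEXPECTED(Z_ISREF_P(var_ptr))) {
+if (UNEXPECTED(Z_REFCOUNT_P(var_ptr) == 1)) {
+ZVAL_UNREF(var_ptr);
+}
+} else if (Z_COPYABLE_P(var_ptr) && Z_REFCOUNT_P(var_ptr) > 1) {
 Z_DELREF_P(var_ptr);
 ZVAL_DUP(EX_VAR(opline->op1.var), var_ptr);
 }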
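Review bot: The new condition in ZEND_SEPARATE has three outcomes (a reference with refcount 1 is unwrapped by `ZVAL_UNREF`, a shared reference is left as is, and a shared copyable non-reference value is duplicated), and none of them is explained in the handler. Since this logic decides whether a later write lands in a private copy or in memory that other holders still see, I would add a short comment above the `if`, e.g. `/* sole-owner reference: drop the wrapper; shared reference: writes stay visible to other holders; shared copyable value: duplicate before the write */`. It would also help to state whether the value left in `var_ptr` after `ZVAL_UNREF` can itself still be shared and, if so, which later opcode separates it, because the duplication branch is skipped on that path. The handler starts and ends outside this hunk, and the same change appears in Zend/zend_vm_execute.h.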

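--- a/Zend/zend_vm_execute.h
+++ b/Zend/zend_vm_execute.h
@@ -19444,11 +19444,11 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_SEPARATE_SPEC_VAR_UNUSED_HANDL
 zval *var_ptr;
 
 var_ptr = EX_VAR(opline->op1.var);
-if (Z_TYPE_P(var_ptr) != IS_OBJECT &&
-!Z_ISREF_P(var_ptr) &&
-Z_REFCOUNTED_P(var_ptr) &&
-Z_REFCOUNT_P(var_ptr) > 1) {
-
+if (UNEXPECTED(Z_ISREF_P(var_ptr))) {
+if (UNEXPECTED(Z_REFCOUNT_P(var_ptr) == 1)) {
+ZVAL_UNREF(var_ptr);
+}
+} else if (Z_COPYABLE_P(var_ptr) && Z_REFCOUNT_P(var_ptr) > 1) {
 Z_DELREF_P(var_ptr);
 ZVAL_DUP(EX_VAR(opline->op1.var), var_ptr);
 }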
