dmitry Mon, 07 Dec 2009 08:47:18 +0000 Revision: http://svn.php.net/viewvc?view=revision&revision=291810
Log: Fixed bug #49866 (Making reference on string offsets crashes PHP) Bug: http://bugs.php.net/49866 (Assigned) Making reference on string offsets crashes PHP Changed paths: U php/php-src/branches/PHP_5_3/NEWS A php/php-src/branches/PHP_5_3/Zend/tests/bug49866.phpt U php/php-src/branches/PHP_5_3/Zend/zend_vm_def.h U php/php-src/branches/PHP_5_3/Zend/zend_vm_execute.h A php/php-src/trunk/Zend/tests/bug49866.phpt U php/php-src/trunk/Zend/zend_vm_def.h U php/php-src/trunk/Zend/zend_vm_execute.h
Modified: php/php-src/branches/PHP_5_3/NEWS =================================================================== --- php/php-src/branches/PHP_5_3/NEWS 2009-12-07 08:18:24 UTC (rev 291809) +++ php/php-src/branches/PHP_5_3/NEWS 2009-12-07 08:47:18 UTC (rev 291810) @@ -88,6 +88,7 @@ - Fixed bug #49936 (crash with ftp stream in php_stream_context_get_option()). (Pierrick) - Fixed bug #49921 (Curl post upload functions changed). (Ilia) +- Fixed bug #49866 (Making reference on string offsets crashes PHP). (Dmitry) - Fixed bug #49855 (import_request_variables() always returns NULL). (Ilia, sjoerd at php dot net) - Fixed bug #49800 (SimpleXML allow (un)serialize() calls without warning). Added: php/php-src/branches/PHP_5_3/Zend/tests/bug49866.phpt =================================================================== --- php/php-src/branches/PHP_5_3/Zend/tests/bug49866.phpt (rev 0) +++ php/php-src/branches/PHP_5_3/Zend/tests/bug49866.phpt 2009-12-07 08:47:18 UTC (rev 291810) @@ -0,0 +1,10 @@ +--TEST-- +Bug #49866 (Making reference on string offsets crashes PHP) +--FILE-- +<?php +$a = "string"; +$b = &$a[1]; +$b = "f"; +echo $a; +--EXPECTF-- +Fatal error: Cannot create references to/from string offsets nor overloaded objects in %sbug49866.php on line 3 Modified: php/php-src/branches/PHP_5_3/Zend/zend_vm_def.h =================================================================== --- php/php-src/branches/PHP_5_3/Zend/zend_vm_def.h 2009-12-07 08:18:24 UTC (rev 291809) +++ php/php-src/branches/PHP_5_3/Zend/zend_vm_def.h 2009-12-07 08:47:18 UTC (rev 291810) 
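Review bot: The new bug49866.phpt covers only one operand shape, `$b = &$a[1];` on a plain local with a literal offset, while the same guard is applied to ten specialised handlers in zend_vm_execute.h. A second case with a variable offset, for example `$i = 1; $b = &$a[$i];`, should reach a different specialisation and confirm that it also ends in the fatal error rather than a crash. The identical test added under trunk has the same gap.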
@@ -1100,7 +1100,7 @@ FREE_OP1_VAR_PTR(); /* We are going to assign the result by reference */ - if (opline->extended_value) { + if (opline->extended_value && EX_T(opline->result.u.var).var.ptr_ptr) { Z_DELREF_PP(EX_T(opline->result.u.var).var.ptr_ptr); SEPARATE_ZVAL_TO_MAKE_IS_REF(EX_T(opline->result.u.var).var.ptr_ptr); Z_ADDREF_PP(EX_T(opline->result.u.var).var.ptr_ptr); Modified: php/php-src/branches/PHP_5_3/Zend/zend_vm_execute.h =================================================================== --- php/php-src/branches/PHP_5_3/Zend/zend_vm_execute.h 2009-12-07 08:18:24 UTC (rev 291809) +++ php/php-src/branches/PHP_5_3/Zend/zend_vm_execute.h 2009-12-07 08:47:18 UTC (rev 291810) @@ -9864,7 +9864,7 @@ if (free_op1.var) {zval_ptr_dtor(&free_op1.var);}; /* We are going to assign the result by reference */ - if (opline->extended_value) { + if (opline->extended_value && EX_T(opline->result.u.var).var.ptr_ptr) { Z_DELREF_PP(EX_T(opline->result.u.var).var.ptr_ptr); SEPARATE_ZVAL_TO_MAKE_IS_REF(EX_T(opline->result.u.var).var.ptr_ptr); Z_ADDREF_PP(EX_T(opline->result.u.var).var.ptr_ptr); @@ -11667,7 +11667,7 @@ if (free_op1.var) {zval_ptr_dtor(&free_op1.var);}; /* We are going to assign the result by reference */ - if (opline->extended_value) { + if (opline->extended_value && EX_T(opline->result.u.var).var.ptr_ptr) { Z_DELREF_PP(EX_T(opline->result.u.var).var.ptr_ptr); SEPARATE_ZVAL_TO_MAKE_IS_REF(EX_T(opline->result.u.var).var.ptr_ptr); Z_ADDREF_PP(EX_T(opline->result.u.var).var.ptr_ptr); @@ -13416,7 +13416,7 @@ if (free_op1.var) {zval_ptr_dtor(&free_op1.var);}; /* We are going to assign the result by reference */ - if (opline->extended_value) { + if (opline->extended_value && EX_T(opline->result.u.var).var.ptr_ptr) { Z_DELREF_PP(EX_T(opline->result.u.var).var.ptr_ptr); SEPARATE_ZVAL_TO_MAKE_IS_REF(EX_T(opline->result.u.var).var.ptr_ptr); Z_ADDREF_PP(EX_T(opline->result.u.var).var.ptr_ptr); 
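Review bot: The added `EX_T(opline->result.u.var).var.ptr_ptr` check in the zend_vm_def.h hunk at @@ -1100 skips the reference bookkeeping silently, and nothing says when the pointer is NULL or where the error is then reported. Judging by the expected output in bug49866.phpt, the fatal error is raised later, presumably by the assign-by-reference handler. A comment above the `if` would record that, for example `/* ptr_ptr is NULL for string offsets/overloaded objects; the by-reference assignment reports the error */`. The handler starts and ends outside the hunk, so it is not visible whether other handlers in this file carry the same three-line block without the guard; that is worth checking. The trunk hunk at @@ -1137 is the same change.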
@@ -14756,7 +14756,7 @@ if (free_op1.var) {zval_ptr_dtor(&free_op1.var);}; /* We are going to assign the result by reference */ - if (opline->extended_value) { + if (opline->extended_value && EX_T(opline->result.u.var).var.ptr_ptr) { Z_DELREF_PP(EX_T(opline->result.u.var).var.ptr_ptr); SEPARATE_ZVAL_TO_MAKE_IS_REF(EX_T(opline->result.u.var).var.ptr_ptr); Z_ADDREF_PP(EX_T(opline->result.u.var).var.ptr_ptr); @@ -15807,7 +15807,7 @@ if (free_op1.var) {zval_ptr_dtor(&free_op1.var);}; /* We are going to assign the result by reference */ - if (opline->extended_value) { + if (opline->extended_value && EX_T(opline->result.u.var).var.ptr_ptr) { Z_DELREF_PP(EX_T(opline->result.u.var).var.ptr_ptr); SEPARATE_ZVAL_TO_MAKE_IS_REF(EX_T(opline->result.u.var).var.ptr_ptr); Z_ADDREF_PP(EX_T(opline->result.u.var).var.ptr_ptr); @@ -23567,7 +23567,7 @@ } /* We are going to assign the result by reference */ - if (opline->extended_value) { + if (opline->extended_value && EX_T(opline->result.u.var).var.ptr_ptr) { Z_DELREF_PP(EX_T(opline->result.u.var).var.ptr_ptr); SEPARATE_ZVAL_TO_MAKE_IS_REF(EX_T(opline->result.u.var).var.ptr_ptr); Z_ADDREF_PP(EX_T(opline->result.u.var).var.ptr_ptr); @@ -25204,7 +25204,7 @@ } /* We are going to assign the result by reference */ - if (opline->extended_value) { + if (opline->extended_value && EX_T(opline->result.u.var).var.ptr_ptr) { Z_DELREF_PP(EX_T(opline->result.u.var).var.ptr_ptr); SEPARATE_ZVAL_TO_MAKE_IS_REF(EX_T(opline->result.u.var).var.ptr_ptr); Z_ADDREF_PP(EX_T(opline->result.u.var).var.ptr_ptr); @@ -26844,7 +26844,7 @@ } /* We are going to assign the result by reference */ - if (opline->extended_value) { + if (opline->extended_value && EX_T(opline->result.u.var).var.ptr_ptr) { Z_DELREF_PP(EX_T(opline->result.u.var).var.ptr_ptr); SEPARATE_ZVAL_TO_MAKE_IS_REF(EX_T(opline->result.u.var).var.ptr_ptr); Z_ADDREF_PP(EX_T(opline->result.u.var).var.ptr_ptr); 
@@ -28074,7 +28074,7 @@ } /* We are going to assign the result by reference */ - if (opline->extended_value) { + if (opline->extended_value && EX_T(opline->result.u.var).var.ptr_ptr) { Z_DELREF_PP(EX_T(opline->result.u.var).var.ptr_ptr); SEPARATE_ZVAL_TO_MAKE_IS_REF(EX_T(opline->result.u.var).var.ptr_ptr); Z_ADDREF_PP(EX_T(opline->result.u.var).var.ptr_ptr); @@ -29026,7 +29026,7 @@ } /* We are going to assign the result by reference */ - if (opline->extended_value) { + if (opline->extended_value && EX_T(opline->result.u.var).var.ptr_ptr) { Z_DELREF_PP(EX_T(opline->result.u.var).var.ptr_ptr); SEPARATE_ZVAL_TO_MAKE_IS_REF(EX_T(opline->result.u.var).var.ptr_ptr); Z_ADDREF_PP(EX_T(opline->result.u.var).var.ptr_ptr); Added: php/php-src/trunk/Zend/tests/bug49866.phpt =================================================================== --- php/php-src/trunk/Zend/tests/bug49866.phpt (rev 0) +++ php/php-src/trunk/Zend/tests/bug49866.phpt 2009-12-07 08:47:18 UTC (rev 291810) @@ -0,0 +1,10 @@ +--TEST-- +Bug #49866 (Making reference on string offsets crashes PHP) +--FILE-- +<?php +$a = "string"; +$b = &$a[1]; +$b = "f"; +echo $a; +--EXPECTF-- +Fatal error: Cannot create references to/from string offsets nor overloaded objects in %sbug49866.php on line 3 Modified: php/php-src/trunk/Zend/zend_vm_def.h =================================================================== --- php/php-src/trunk/Zend/zend_vm_def.h 2009-12-07 08:18:24 UTC (rev 291809) +++ php/php-src/trunk/Zend/zend_vm_def.h 2009-12-07 08:47:18 UTC (rev 291810) 
@@ -1137,7 +1137,7 @@ FREE_OP1_VAR_PTR(); /* We are going to assign the result by reference */ - if (opline->extended_value) { + if (opline->extended_value && EX_T(opline->result.u.var).var.ptr_ptr) { Z_DELREF_PP(EX_T(opline->result.u.var).var.ptr_ptr); SEPARATE_ZVAL_TO_MAKE_IS_REF(EX_T(opline->result.u.var).var.ptr_ptr); Z_ADDREF_PP(EX_T(opline->result.u.var).var.ptr_ptr); Modified: php/php-src/trunk/Zend/zend_vm_execute.h =================================================================== --- php/php-src/trunk/Zend/zend_vm_execute.h 2009-12-07 08:18:24 UTC (rev 291809) +++ php/php-src/trunk/Zend/zend_vm_execute.h 2009-12-07 08:47:18 UTC (rev 291810) @@ -10257,7 +10257,7 @@ if (free_op1.var) {zval_ptr_dtor(&free_op1.var);}; /* We are going to assign the result by reference */ - if (opline->extended_value) { + if (opline->extended_value && EX_T(opline->result.u.var).var.ptr_ptr) { Z_DELREF_PP(EX_T(opline->result.u.var).var.ptr_ptr); SEPARATE_ZVAL_TO_MAKE_IS_REF(EX_T(opline->result.u.var).var.ptr_ptr); Z_ADDREF_PP(EX_T(opline->result.u.var).var.ptr_ptr); @@ -12170,7 +12170,7 @@ if (free_op1.var) {zval_ptr_dtor(&free_op1.var);}; /* We are going to assign the result by reference */ - if (opline->extended_value) { + if (opline->extended_value && EX_T(opline->result.u.var).var.ptr_ptr) { Z_DELREF_PP(EX_T(opline->result.u.var).var.ptr_ptr); SEPARATE_ZVAL_TO_MAKE_IS_REF(EX_T(opline->result.u.var).var.ptr_ptr); Z_ADDREF_PP(EX_T(opline->result.u.var).var.ptr_ptr); @@ -13988,7 +13988,7 @@ if (free_op1.var) {zval_ptr_dtor(&free_op1.var);}; /* We are going to assign the result by reference */ - if (opline->extended_value) { + if (opline->extended_value && EX_T(opline->result.u.var).var.ptr_ptr) { Z_DELREF_PP(EX_T(opline->result.u.var).var.ptr_ptr); SEPARATE_ZVAL_TO_MAKE_IS_REF(EX_T(opline->result.u.var).var.ptr_ptr); Z_ADDREF_PP(EX_T(opline->result.u.var).var.ptr_ptr); 
@@ -15394,7 +15394,7 @@ if (free_op1.var) {zval_ptr_dtor(&free_op1.var);}; /* We are going to assign the result by reference */ - if (opline->extended_value) { + if (opline->extended_value && EX_T(opline->result.u.var).var.ptr_ptr) { Z_DELREF_PP(EX_T(opline->result.u.var).var.ptr_ptr); SEPARATE_ZVAL_TO_MAKE_IS_REF(EX_T(opline->result.u.var).var.ptr_ptr); Z_ADDREF_PP(EX_T(opline->result.u.var).var.ptr_ptr); @@ -16455,7 +16455,7 @@ if (free_op1.var) {zval_ptr_dtor(&free_op1.var);}; /* We are going to assign the result by reference */ - if (opline->extended_value) { + if (opline->extended_value && EX_T(opline->result.u.var).var.ptr_ptr) { Z_DELREF_PP(EX_T(opline->result.u.var).var.ptr_ptr); SEPARATE_ZVAL_TO_MAKE_IS_REF(EX_T(opline->result.u.var).var.ptr_ptr); Z_ADDREF_PP(EX_T(opline->result.u.var).var.ptr_ptr); @@ -24637,7 +24637,7 @@ } /* We are going to assign the result by reference */ - if (opline->extended_value) { + if (opline->extended_value && EX_T(opline->result.u.var).var.ptr_ptr) { Z_DELREF_PP(EX_T(opline->result.u.var).var.ptr_ptr); SEPARATE_ZVAL_TO_MAKE_IS_REF(EX_T(opline->result.u.var).var.ptr_ptr); Z_ADDREF_PP(EX_T(opline->result.u.var).var.ptr_ptr); @@ -26369,7 +26369,7 @@ } /* We are going to assign the result by reference */ - if (opline->extended_value) { + if (opline->extended_value && EX_T(opline->result.u.var).var.ptr_ptr) { Z_DELREF_PP(EX_T(opline->result.u.var).var.ptr_ptr); SEPARATE_ZVAL_TO_MAKE_IS_REF(EX_T(opline->result.u.var).var.ptr_ptr); Z_ADDREF_PP(EX_T(opline->result.u.var).var.ptr_ptr); @@ -28075,7 +28075,7 @@ } /* We are going to assign the result by reference */ - if (opline->extended_value) { + if (opline->extended_value && EX_T(opline->result.u.var).var.ptr_ptr) { Z_DELREF_PP(EX_T(opline->result.u.var).var.ptr_ptr); SEPARATE_ZVAL_TO_MAKE_IS_REF(EX_T(opline->result.u.var).var.ptr_ptr); Z_ADDREF_PP(EX_T(opline->result.u.var).var.ptr_ptr); 
@@ -29368,7 +29368,7 @@ } /* We are going to assign the result by reference */ - if (opline->extended_value) { + if (opline->extended_value && EX_T(opline->result.u.var).var.ptr_ptr) { Z_DELREF_PP(EX_T(opline->result.u.var).var.ptr_ptr); SEPARATE_ZVAL_TO_MAKE_IS_REF(EX_T(opline->result.u.var).var.ptr_ptr); Z_ADDREF_PP(EX_T(opline->result.u.var).var.ptr_ptr); @@ -30327,7 +30327,7 @@ } /* We are going to assign the result by reference */ - if (opline->extended_value) { + if (opline->extended_value && EX_T(opline->result.u.var).var.ptr_ptr) { Z_DELREF_PP(EX_T(opline->result.u.var).var.ptr_ptr); SEPARATE_ZVAL_TO_MAKE_IS_REF(EX_T(opline->result.u.var).var.ptr_ptr); Z_ADDREF_PP(EX_T(opline->result.u.var).var.ptr_ptr);