dmitry Mon, 05 Jul 2010 09:08:35 +0000 Revision: http://svn.php.net/viewvc?view=revision&revision=300990
Log: Fixed bug #52237 (Crash when passing the reference of the property of a non-object) Bug: http://bugs.php.net/52237 (Assigned) Crash when passing the reference of the property of a non-object Changed paths: U php/php-src/branches/PHP_5_2/NEWS A php/php-src/branches/PHP_5_2/Zend/tests/bug52237.phpt U php/php-src/branches/PHP_5_2/Zend/zend_vm_def.h U php/php-src/branches/PHP_5_2/Zend/zend_vm_execute.h A php/php-src/branches/PHP_5_3/Zend/tests/bug52237.phpt U php/php-src/branches/PHP_5_3/Zend/zend_vm_def.h U php/php-src/branches/PHP_5_3/Zend/zend_vm_execute.h A php/php-src/trunk/Zend/tests/bug52237.phpt U php/php-src/trunk/Zend/zend_vm_def.h U php/php-src/trunk/Zend/zend_vm_execute.h
Modified: php/php-src/branches/PHP_5_2/NEWS =================================================================== --- php/php-src/branches/PHP_5_2/NEWS 2010-07-05 08:11:41 UTC (rev 300989) +++ php/php-src/branches/PHP_5_2/NEWS 2010-07-05 09:08:35 UTC (rev 300990) @@ -4,6 +4,8 @@ - Fixed bug #52238 (Crash when an Exception occured in iterator_to_array). (Johannes) +- Fixed bug #52237 (Crash when passing the reference of the property of a + non-object). (Dmitry) 01 Jul 2010, PHP 5.2.14RC2 - Fixed a possible interruption array leak in strrchr(). Reported by Added: php/php-src/branches/PHP_5_2/Zend/tests/bug52237.phpt =================================================================== --- php/php-src/branches/PHP_5_2/Zend/tests/bug52237.phpt (rev 0) +++ php/php-src/branches/PHP_5_2/Zend/tests/bug52237.phpt 2010-07-05 09:08:35 UTC (rev 300990) @@ -0,0 +1,10 @@ +--TEST-- +Bug #52237 (Crash when passing the reference of the property of a non-object) +--FILE-- +<?php +$data = 'test'; +preg_match('//', '', $data->info); +var_dump($data); +?> +--EXPECT-- +string(4) "test" Modified: php/php-src/branches/PHP_5_2/Zend/zend_vm_def.h =================================================================== --- php/php-src/branches/PHP_5_2/Zend/zend_vm_def.h 2010-07-05 08:11:41 UTC (rev 300989) +++ php/php-src/branches/PHP_5_2/Zend/zend_vm_def.h 2010-07-05 09:08:35 UTC (rev 300990) 
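Review bot: The new Zend/tests/bug52237.phpt on PHP_5_2 reaches the fixed handler only through `preg_match`, an internal function with a by-reference parameter, so passing the same operand to a user-defined by-reference function is never exercised. A second case such as `function f(&$x) { $x = 1; } f($data->info); var_dump($data);` would cover it. Repeating the `preg_match` line once more before the `var_dump` would also show that the engine state left by the first call is still usable. The PHP_5_3 and trunk copies of the test have the same gap.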
@@ -2378,10 +2378,17 @@ zend_error_noreturn(E_ERROR, "Only variables can be passed by reference"); } - if (EX(function_state).function->type == ZEND_INTERNAL_FUNCTION && !ARG_SHOULD_BE_SENT_BY_REF(EX(fbc), opline->op2.u.opline_num)) { - ZEND_VM_DISPATCH_TO_HELPER(zend_send_by_var_helper); - } + if (OP1_TYPE == IS_VAR && *varptr_ptr == EG(error_zval_ptr)) { + (*varptr_ptr)->refcount--; + ALLOC_ZVAL(*varptr_ptr); + INIT_ZVAL(**varptr_ptr); + (*varptr_ptr)->refcount = 0; + } + if (EX(function_state).function->type == ZEND_INTERNAL_FUNCTION && !ARG_SHOULD_BE_SENT_BY_REF(EX(fbc), opline->op2.u.opline_num)) { + ZEND_VM_DISPATCH_TO_HELPER(zend_send_by_var_helper); + } + SEPARATE_ZVAL_TO_MAKE_IS_REF(varptr_ptr); varptr = *varptr_ptr; varptr->refcount++; Modified: php/php-src/branches/PHP_5_2/Zend/zend_vm_execute.h =================================================================== --- php/php-src/branches/PHP_5_2/Zend/zend_vm_execute.h 2010-07-05 08:11:41 UTC (rev 300989) +++ php/php-src/branches/PHP_5_2/Zend/zend_vm_execute.h 2010-07-05 09:08:35 UTC (rev 300990) @@ -7605,10 +7605,17 @@ zend_error_noreturn(E_ERROR, "Only variables can be passed by reference"); } - if (EX(function_state).function->type == ZEND_INTERNAL_FUNCTION && !ARG_SHOULD_BE_SENT_BY_REF(EX(fbc), opline->op2.u.opline_num)) { - return zend_send_by_var_helper_SPEC_VAR(ZEND_OPCODE_HANDLER_ARGS_PASSTHRU); - } + if (IS_VAR == IS_VAR && *varptr_ptr == EG(error_zval_ptr)) { + (*varptr_ptr)->refcount--; + ALLOC_ZVAL(*varptr_ptr); + INIT_ZVAL(**varptr_ptr); + (*varptr_ptr)->refcount = 0; + } + if (EX(function_state).function->type == ZEND_INTERNAL_FUNCTION && !ARG_SHOULD_BE_SENT_BY_REF(EX(fbc), opline->op2.u.opline_num)) { + return zend_send_by_var_helper_SPEC_VAR(ZEND_OPCODE_HANDLER_ARGS_PASSTHRU); + } + SEPARATE_ZVAL_TO_MAKE_IS_REF(varptr_ptr); varptr = *varptr_ptr; varptr->refcount++; 
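Review bot: In the PHP_5_2 Zend/zend_vm_def.h hunk the substitute zval is left at `refcount = 0` before the `ZEND_INTERNAL_FUNCTION && !ARG_SHOULD_BE_SENT_BY_REF` check, so on the branch that dispatches to `zend_send_by_var_helper` the `varptr->refcount++` at the end of the hunk never runs. The allocation's lifetime on that branch then depends entirely on the helper, which lies outside this hunk along with the rest of the handler. If that by-value branch does not need the substitute, the block could sit below the dispatch; either way a comment such as `/* op1 is the shared error zval (failed property fetch): pass a fresh private zval by reference instead */` should record the intent and say who releases it. `ALLOC_ZVAL(*varptr_ptr)` also stores through `varptr_ptr`, so it is worth confirming that this pointer is always the temporary's own slot and never the address of `EG(error_zval_ptr)` itself, which would leave the shared global pointing at a per-call zval. The PHP_5_3 and trunk hunks of zend_vm_def.h add the same block (spelled with `Z_DELREF_PP` and `Z_SET_REFCOUNT_PP`) and raise the same questions.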
@@ -20041,10 +20048,17 @@ zend_error_noreturn(E_ERROR, "Only variables can be passed by reference"); } - if (EX(function_state).function->type == ZEND_INTERNAL_FUNCTION && !ARG_SHOULD_BE_SENT_BY_REF(EX(fbc), opline->op2.u.opline_num)) { - return zend_send_by_var_helper_SPEC_CV(ZEND_OPCODE_HANDLER_ARGS_PASSTHRU); - } + if (IS_CV == IS_VAR && *varptr_ptr == EG(error_zval_ptr)) { + (*varptr_ptr)->refcount--; + ALLOC_ZVAL(*varptr_ptr); + INIT_ZVAL(**varptr_ptr); + (*varptr_ptr)->refcount = 0; + } + if (EX(function_state).function->type == ZEND_INTERNAL_FUNCTION && !ARG_SHOULD_BE_SENT_BY_REF(EX(fbc), opline->op2.u.opline_num)) { + return zend_send_by_var_helper_SPEC_CV(ZEND_OPCODE_HANDLER_ARGS_PASSTHRU); + } + SEPARATE_ZVAL_TO_MAKE_IS_REF(varptr_ptr); varptr = *varptr_ptr; varptr->refcount++; Added: php/php-src/branches/PHP_5_3/Zend/tests/bug52237.phpt =================================================================== --- php/php-src/branches/PHP_5_3/Zend/tests/bug52237.phpt (rev 0) +++ php/php-src/branches/PHP_5_3/Zend/tests/bug52237.phpt 2010-07-05 09:08:35 UTC (rev 300990) @@ -0,0 +1,11 @@ +--TEST-- +Bug #52237 (Crash when passing the reference of the property of a non-object) +--FILE-- +<?php +$data = 'test'; +preg_match('//', '', $data->info); +var_dump($data); +?> +--EXPECTF-- +Warning: Attempt to modify property of non-object in %sbug52237.php on line 3 +string(4) "test" Modified: php/php-src/branches/PHP_5_3/Zend/zend_vm_def.h =================================================================== --- php/php-src/branches/PHP_5_3/Zend/zend_vm_def.h 2010-07-05 08:11:41 UTC (rev 300989) +++ php/php-src/branches/PHP_5_3/Zend/zend_vm_def.h 2010-07-05 09:08:35 UTC (rev 300990) 
@@ -2693,10 +2693,17 @@ zend_error_noreturn(E_ERROR, "Only variables can be passed by reference"); } - if (EX(function_state).function->type == ZEND_INTERNAL_FUNCTION && !ARG_SHOULD_BE_SENT_BY_REF(EX(fbc), opline->op2.u.opline_num)) { - ZEND_VM_DISPATCH_TO_HELPER(zend_send_by_var_helper); - } + if (OP1_TYPE == IS_VAR && *varptr_ptr == EG(error_zval_ptr)) { + Z_DELREF_PP(varptr_ptr); + ALLOC_ZVAL(*varptr_ptr); + INIT_ZVAL(**varptr_ptr); + Z_SET_REFCOUNT_PP(varptr_ptr, 0); + } + if (EX(function_state).function->type == ZEND_INTERNAL_FUNCTION && !ARG_SHOULD_BE_SENT_BY_REF(EX(fbc), opline->op2.u.opline_num)) { + ZEND_VM_DISPATCH_TO_HELPER(zend_send_by_var_helper); + } + SEPARATE_ZVAL_TO_MAKE_IS_REF(varptr_ptr); varptr = *varptr_ptr; Z_ADDREF_P(varptr); Modified: php/php-src/branches/PHP_5_3/Zend/zend_vm_execute.h =================================================================== --- php/php-src/branches/PHP_5_3/Zend/zend_vm_execute.h 2010-07-05 08:11:41 UTC (rev 300989) +++ php/php-src/branches/PHP_5_3/Zend/zend_vm_execute.h 2010-07-05 09:08:35 UTC (rev 300990) @@ -8341,10 +8341,17 @@ zend_error_noreturn(E_ERROR, "Only variables can be passed by reference"); } - if (EX(function_state).function->type == ZEND_INTERNAL_FUNCTION && !ARG_SHOULD_BE_SENT_BY_REF(EX(fbc), opline->op2.u.opline_num)) { - return zend_send_by_var_helper_SPEC_VAR(ZEND_OPCODE_HANDLER_ARGS_PASSTHRU); - } + if (IS_VAR == IS_VAR && *varptr_ptr == EG(error_zval_ptr)) { + Z_DELREF_PP(varptr_ptr); + ALLOC_ZVAL(*varptr_ptr); + INIT_ZVAL(**varptr_ptr); + Z_SET_REFCOUNT_PP(varptr_ptr, 0); + } + if (EX(function_state).function->type == ZEND_INTERNAL_FUNCTION && !ARG_SHOULD_BE_SENT_BY_REF(EX(fbc), opline->op2.u.opline_num)) { + return zend_send_by_var_helper_SPEC_VAR(ZEND_OPCODE_HANDLER_ARGS_PASSTHRU); + } + SEPARATE_ZVAL_TO_MAKE_IS_REF(varptr_ptr); varptr = *varptr_ptr; Z_ADDREF_P(varptr); 
@@ -22207,10 +22214,17 @@ zend_error_noreturn(E_ERROR, "Only variables can be passed by reference"); } - if (EX(function_state).function->type == ZEND_INTERNAL_FUNCTION && !ARG_SHOULD_BE_SENT_BY_REF(EX(fbc), opline->op2.u.opline_num)) { - return zend_send_by_var_helper_SPEC_CV(ZEND_OPCODE_HANDLER_ARGS_PASSTHRU); - } + if (IS_CV == IS_VAR && *varptr_ptr == EG(error_zval_ptr)) { + Z_DELREF_PP(varptr_ptr); + ALLOC_ZVAL(*varptr_ptr); + INIT_ZVAL(**varptr_ptr); + Z_SET_REFCOUNT_PP(varptr_ptr, 0); + } + if (EX(function_state).function->type == ZEND_INTERNAL_FUNCTION && !ARG_SHOULD_BE_SENT_BY_REF(EX(fbc), opline->op2.u.opline_num)) { + return zend_send_by_var_helper_SPEC_CV(ZEND_OPCODE_HANDLER_ARGS_PASSTHRU); + } + SEPARATE_ZVAL_TO_MAKE_IS_REF(varptr_ptr); varptr = *varptr_ptr; Z_ADDREF_P(varptr); Added: php/php-src/trunk/Zend/tests/bug52237.phpt =================================================================== --- php/php-src/trunk/Zend/tests/bug52237.phpt (rev 0) +++ php/php-src/trunk/Zend/tests/bug52237.phpt 2010-07-05 09:08:35 UTC (rev 300990) @@ -0,0 +1,12 @@ +--TEST-- +Bug #52237 (Crash when passing the reference of the property of a non-object) +--FILE-- +<?php +$data = 'test'; +preg_match('//', '', $data->info); +var_dump($data); +?> +--EXPECTF-- + +Warning: Attempt to modify property of non-object in %sbug52237.php on line 3 +string(4) "test" Modified: php/php-src/trunk/Zend/zend_vm_def.h =================================================================== --- php/php-src/trunk/Zend/zend_vm_def.h 2010-07-05 08:11:41 UTC (rev 300989) +++ php/php-src/trunk/Zend/zend_vm_def.h 2010-07-05 09:08:35 UTC (rev 300990) 
@@ -3078,6 +3078,13 @@ zend_error_noreturn(E_ERROR, "Only variables can be passed by reference"); } + if (OP1_TYPE == IS_VAR && UNEXPECTED(*varptr_ptr == &EG(error_zval))) { + Z_DELREF_PP(varptr_ptr); + ALLOC_ZVAL(*varptr_ptr); + INIT_ZVAL(**varptr_ptr); + Z_SET_REFCOUNT_PP(varptr_ptr, 0); + } + if (EX(function_state).function->type == ZEND_INTERNAL_FUNCTION && !ARG_SHOULD_BE_SENT_BY_REF(EX(fbc), opline->op2.opline_num)) { ZEND_VM_DISPATCH_TO_HELPER(zend_send_by_var_helper); } Modified: php/php-src/trunk/Zend/zend_vm_execute.h =================================================================== --- php/php-src/trunk/Zend/zend_vm_execute.h 2010-07-05 08:11:41 UTC (rev 300989) +++ php/php-src/trunk/Zend/zend_vm_execute.h 2010-07-05 09:08:35 UTC (rev 300990) @@ -10510,6 +10510,13 @@ zend_error_noreturn(E_ERROR, "Only variables can be passed by reference"); } + if (IS_VAR == IS_VAR && UNEXPECTED(*varptr_ptr == &EG(error_zval))) { + Z_DELREF_PP(varptr_ptr); + ALLOC_ZVAL(*varptr_ptr); + INIT_ZVAL(**varptr_ptr); + Z_SET_REFCOUNT_PP(varptr_ptr, 0); + } + if (EX(function_state).function->type == ZEND_INTERNAL_FUNCTION && !ARG_SHOULD_BE_SENT_BY_REF(EX(fbc), opline->op2.opline_num)) { return zend_send_by_var_helper_SPEC_VAR(ZEND_OPCODE_HANDLER_ARGS_PASSTHRU); } @@ -26466,6 +26473,13 @@ zend_error_noreturn(E_ERROR, "Only variables can be passed by reference"); } + if (IS_CV == IS_VAR && UNEXPECTED(*varptr_ptr == &EG(error_zval))) { + Z_DELREF_PP(varptr_ptr); + ALLOC_ZVAL(*varptr_ptr); + INIT_ZVAL(**varptr_ptr); + Z_SET_REFCOUNT_PP(varptr_ptr, 0); + } + if (EX(function_state).function->type == ZEND_INTERNAL_FUNCTION && !ARG_SHOULD_BE_SENT_BY_REF(EX(fbc), opline->op2.opline_num)) { return zend_send_by_var_helper_SPEC_CV(ZEND_OPCODE_HANDLER_ARGS_PASSTHRU); }