dmitry Mon, 05 Jul 2010 09:08:35 +0000
Revision: http://svn.php.net/viewvc?view=revision&revision=300990
Log:
Fixed bug #52237 (Crash when passing the reference of the property of a
non-object)
Bug: http://bugs.php.net/52237 (Assigned) Crash when passing the reference of
the property of a non-object
Changed paths:
U php/php-src/branches/PHP_5_2/NEWS
A php/php-src/branches/PHP_5_2/Zend/tests/bug52237.phpt
U php/php-src/branches/PHP_5_2/Zend/zend_vm_def.h
U php/php-src/branches/PHP_5_2/Zend/zend_vm_execute.h
A php/php-src/branches/PHP_5_3/Zend/tests/bug52237.phpt
U php/php-src/branches/PHP_5_3/Zend/zend_vm_def.h
U php/php-src/branches/PHP_5_3/Zend/zend_vm_execute.h
A php/php-src/trunk/Zend/tests/bug52237.phpt
U php/php-src/trunk/Zend/zend_vm_def.h
U php/php-src/trunk/Zend/zend_vm_execute.h
Modified: php/php-src/branches/PHP_5_2/NEWS
===================================================================
--- php/php-src/branches/PHP_5_2/NEWS 2010-07-05 08:11:41 UTC (rev 300989)
+++ php/php-src/branches/PHP_5_2/NEWS 2010-07-05 09:08:35 UTC (rev 300990)
@@ -4,6 +4,8 @@
- Fixed bug #52238 (Crash when an Exception occured in iterator_to_array).
(Johannes)
+- Fixed bug #52237 (Crash when passing the reference of the property of a
+ non-object). (Dmitry)
01 Jul 2010, PHP 5.2.14RC2
- Fixed a possible interruption array leak in strrchr(). Reported by
Added: php/php-src/branches/PHP_5_2/Zend/tests/bug52237.phpt
===================================================================
--- php/php-src/branches/PHP_5_2/Zend/tests/bug52237.phpt (rev 0)
+++ php/php-src/branches/PHP_5_2/Zend/tests/bug52237.phpt 2010-07-05 09:08:35 UTC (rev 300990)
@@ -0,0 +1,10 @@
+--TEST--
+Bug #52237 (Crash when passing the reference of the property of a non-object)
+--FILE--
+<?php
+$data = 'test';
+preg_match('//', '', $data->info);
+var_dump($data);
+?>
+--EXPECT--
+string(4) "test"
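Review bot: The test covers only one of the paths the patched handler can take: `preg_match()` is an internal function whose third parameter is by-reference, so neither the dispatch to `zend_send_by_var_helper` nor a call to a user-defined function with a by-reference parameter ever runs with the substituted zval. I would add a second case that passes `$data->info` to a user function declared as `function f(&$x) {}` and checks that `$data` still dumps as `string(4) "test"`. This branch's `--EXPECT--` section also has no warning line, while the PHP_5_3 and trunk copies expect `Attempt to modify property of non-object`, so it is worth confirming that the silence is intended on 5.2. The coverage gap is the same in the PHP_5_3 and trunk copies of the test.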
Modified: php/php-src/branches/PHP_5_2/Zend/zend_vm_def.h
===================================================================
--- php/php-src/branches/PHP_5_2/Zend/zend_vm_def.h 2010-07-05 08:11:41 UTC (rev 300989)
+++ php/php-src/branches/PHP_5_2/Zend/zend_vm_def.h 2010-07-05 09:08:35 UTC (rev 300990)
@@ -2378,10 +2378,17 @@
zend_error_noreturn(E_ERROR, "Only variables can be passed by reference");
}
- if (EX(function_state).function->type == ZEND_INTERNAL_FUNCTION && !ARG_SHOULD_BE_SENT_BY_REF(EX(fbc), opline->op2.u.opline_num)) {
- ZEND_VM_DISPATCH_TO_HELPER(zend_send_by_var_helper);
- }
+ if (OP1_TYPE == IS_VAR && *varptr_ptr == EG(error_zval_ptr)) {
+ (*varptr_ptr)->refcount--;
+ ALLOC_ZVAL(*varptr_ptr);
+ INIT_ZVAL(**varptr_ptr);
+ (*varptr_ptr)->refcount = 0;
+ }
+ if (EX(function_state).function->type == ZEND_INTERNAL_FUNCTION && !ARG_SHOULD_BE_SENT_BY_REF(EX(fbc), opline->op2.u.opline_num)) {
+ ZEND_VM_DISPATCH_TO_HELPER(zend_send_by_var_helper);
+ }
+
SEPARATE_ZVAL_TO_MAKE_IS_REF(varptr_ptr);
varptr = *varptr_ptr;
varptr->refcount++;
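Review bot: The replacement zval is left at refcount 0, and on the branch directly below, where an internal function does not take this argument by reference, it is handed to `zend_send_by_var_helper` in that state. The helper is outside the hunk, so whether it adopts the allocation or leaks it cannot be checked here and should be confirmed. The block also has no comment, although it apparently exists to keep `SEPARATE_ZVAL_TO_MAKE_IS_REF` from writing into the shared error zval; I would add `/* op1 is the shared error zval: substitute a private NULL zval (refcount 0, raised by the send below) so the by-ref separation never touches the global */`. The same applies to the PHP_5_3 and trunk hunks of zend_vm_def.h and to the generated copies in zend_vm_execute.h. The handler starts and ends outside the hunk.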
Modified: php/php-src/branches/PHP_5_2/Zend/zend_vm_execute.h
===================================================================
--- php/php-src/branches/PHP_5_2/Zend/zend_vm_execute.h 2010-07-05 08:11:41 UTC (rev 300989)
+++ php/php-src/branches/PHP_5_2/Zend/zend_vm_execute.h 2010-07-05 09:08:35 UTC (rev 300990)
@@ -7605,10 +7605,17 @@
zend_error_noreturn(E_ERROR, "Only variables can be passed by reference");
}
- if (EX(function_state).function->type == ZEND_INTERNAL_FUNCTION && !ARG_SHOULD_BE_SENT_BY_REF(EX(fbc), opline->op2.u.opline_num)) {
- return zend_send_by_var_helper_SPEC_VAR(ZEND_OPCODE_HANDLER_ARGS_PASSTHRU);
- }
+ if (IS_VAR == IS_VAR && *varptr_ptr == EG(error_zval_ptr)) {
+ (*varptr_ptr)->refcount--;
+ ALLOC_ZVAL(*varptr_ptr);
+ INIT_ZVAL(**varptr_ptr);
+ (*varptr_ptr)->refcount = 0;
+ }
+ if (EX(function_state).function->type == ZEND_INTERNAL_FUNCTION && !ARG_SHOULD_BE_SENT_BY_REF(EX(fbc), opline->op2.u.opline_num)) {
+ return zend_send_by_var_helper_SPEC_VAR(ZEND_OPCODE_HANDLER_ARGS_PASSTHRU);
+ }
+
SEPARATE_ZVAL_TO_MAKE_IS_REF(varptr_ptr);
varptr = *varptr_ptr;
varptr->refcount++;
@@ -20041,10 +20048,17 @@
zend_error_noreturn(E_ERROR, "Only variables can be passed by reference");
}
- if (EX(function_state).function->type == ZEND_INTERNAL_FUNCTION && !ARG_SHOULD_BE_SENT_BY_REF(EX(fbc), opline->op2.u.opline_num)) {
- return zend_send_by_var_helper_SPEC_CV(ZEND_OPCODE_HANDLER_ARGS_PASSTHRU);
- }
+ if (IS_CV == IS_VAR && *varptr_ptr == EG(error_zval_ptr)) {
+ (*varptr_ptr)->refcount--;
+ ALLOC_ZVAL(*varptr_ptr);
+ INIT_ZVAL(**varptr_ptr);
+ (*varptr_ptr)->refcount = 0;
+ }
+ if (EX(function_state).function->type == ZEND_INTERNAL_FUNCTION && !ARG_SHOULD_BE_SENT_BY_REF(EX(fbc), opline->op2.u.opline_num)) {
+ return zend_send_by_var_helper_SPEC_CV(ZEND_OPCODE_HANDLER_ARGS_PASSTHRU);
+ }
+
SEPARATE_ZVAL_TO_MAKE_IS_REF(varptr_ptr);
varptr = *varptr_ptr;
varptr->refcount++;
Added: php/php-src/branches/PHP_5_3/Zend/tests/bug52237.phpt
===================================================================
--- php/php-src/branches/PHP_5_3/Zend/tests/bug52237.phpt (rev 0)
+++ php/php-src/branches/PHP_5_3/Zend/tests/bug52237.phpt 2010-07-05 09:08:35 UTC (rev 300990)
@@ -0,0 +1,11 @@
+--TEST--
+Bug #52237 (Crash when passing the reference of the property of a non-object)
+--FILE--
+<?php
+$data = 'test';
+preg_match('//', '', $data->info);
+var_dump($data);
+?>
+--EXPECTF--
+Warning: Attempt to modify property of non-object in %sbug52237.php on line 3
+string(4) "test"
Modified: php/php-src/branches/PHP_5_3/Zend/zend_vm_def.h
===================================================================
--- php/php-src/branches/PHP_5_3/Zend/zend_vm_def.h 2010-07-05 08:11:41 UTC (rev 300989)
+++ php/php-src/branches/PHP_5_3/Zend/zend_vm_def.h 2010-07-05 09:08:35 UTC (rev 300990)
@@ -2693,10 +2693,17 @@
zend_error_noreturn(E_ERROR, "Only variables can be passed by reference");
}
- if (EX(function_state).function->type == ZEND_INTERNAL_FUNCTION && !ARG_SHOULD_BE_SENT_BY_REF(EX(fbc), opline->op2.u.opline_num)) {
- ZEND_VM_DISPATCH_TO_HELPER(zend_send_by_var_helper);
- }
+ if (OP1_TYPE == IS_VAR && *varptr_ptr == EG(error_zval_ptr)) {
+ Z_DELREF_PP(varptr_ptr);
+ ALLOC_ZVAL(*varptr_ptr);
+ INIT_ZVAL(**varptr_ptr);
+ Z_SET_REFCOUNT_PP(varptr_ptr, 0);
+ }
+ if (EX(function_state).function->type == ZEND_INTERNAL_FUNCTION && !ARG_SHOULD_BE_SENT_BY_REF(EX(fbc), opline->op2.u.opline_num)) {
+ ZEND_VM_DISPATCH_TO_HELPER(zend_send_by_var_helper);
+ }
+
SEPARATE_ZVAL_TO_MAKE_IS_REF(varptr_ptr);
varptr = *varptr_ptr;
Z_ADDREF_P(varptr);
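Review bot: `ALLOC_ZVAL(*varptr_ptr)` stores the new pointer through `varptr_ptr`, and nothing in the hunk shows which slot that is. If the operand fetch can return the address of `EG(error_zval_ptr)` itself rather than a per-operand slot, this store would redirect the executor-wide error pointer to a zval that the callee may modify and release, which is a memory-safety problem in its own right. This should be confirmed against the fetch code, which is outside the hunk; if aliasing is possible, the fresh zval should be stored in a slot owned by this opline instead. The PHP_5_2 hunk performs the same store.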
Modified: php/php-src/branches/PHP_5_3/Zend/zend_vm_execute.h
===================================================================
--- php/php-src/branches/PHP_5_3/Zend/zend_vm_execute.h 2010-07-05 08:11:41 UTC (rev 300989)
+++ php/php-src/branches/PHP_5_3/Zend/zend_vm_execute.h 2010-07-05 09:08:35 UTC (rev 300990)
@@ -8341,10 +8341,17 @@
zend_error_noreturn(E_ERROR, "Only variables can be passed by reference");
}
- if (EX(function_state).function->type == ZEND_INTERNAL_FUNCTION && !ARG_SHOULD_BE_SENT_BY_REF(EX(fbc), opline->op2.u.opline_num)) {
- return zend_send_by_var_helper_SPEC_VAR(ZEND_OPCODE_HANDLER_ARGS_PASSTHRU);
- }
+ if (IS_VAR == IS_VAR && *varptr_ptr == EG(error_zval_ptr)) {
+ Z_DELREF_PP(varptr_ptr);
+ ALLOC_ZVAL(*varptr_ptr);
+ INIT_ZVAL(**varptr_ptr);
+ Z_SET_REFCOUNT_PP(varptr_ptr, 0);
+ }
+ if (EX(function_state).function->type == ZEND_INTERNAL_FUNCTION && !ARG_SHOULD_BE_SENT_BY_REF(EX(fbc), opline->op2.u.opline_num)) {
+ return zend_send_by_var_helper_SPEC_VAR(ZEND_OPCODE_HANDLER_ARGS_PASSTHRU);
+ }
+
SEPARATE_ZVAL_TO_MAKE_IS_REF(varptr_ptr);
varptr = *varptr_ptr;
Z_ADDREF_P(varptr);
@@ -22207,10 +22214,17 @@
zend_error_noreturn(E_ERROR, "Only variables can be passed by reference");
}
- if (EX(function_state).function->type == ZEND_INTERNAL_FUNCTION && !ARG_SHOULD_BE_SENT_BY_REF(EX(fbc), opline->op2.u.opline_num)) {
- return zend_send_by_var_helper_SPEC_CV(ZEND_OPCODE_HANDLER_ARGS_PASSTHRU);
- }
+ if (IS_CV == IS_VAR && *varptr_ptr == EG(error_zval_ptr)) {
+ Z_DELREF_PP(varptr_ptr);
+ ALLOC_ZVAL(*varptr_ptr);
+ INIT_ZVAL(**varptr_ptr);
+ Z_SET_REFCOUNT_PP(varptr_ptr, 0);
+ }
+ if (EX(function_state).function->type == ZEND_INTERNAL_FUNCTION && !ARG_SHOULD_BE_SENT_BY_REF(EX(fbc), opline->op2.u.opline_num)) {
+ return zend_send_by_var_helper_SPEC_CV(ZEND_OPCODE_HANDLER_ARGS_PASSTHRU);
+ }
+
SEPARATE_ZVAL_TO_MAKE_IS_REF(varptr_ptr);
varptr = *varptr_ptr;
Z_ADDREF_P(varptr);
Added: php/php-src/trunk/Zend/tests/bug52237.phpt
===================================================================
--- php/php-src/trunk/Zend/tests/bug52237.phpt (rev 0)
+++ php/php-src/trunk/Zend/tests/bug52237.phpt 2010-07-05 09:08:35 UTC (rev 300990)
@@ -0,0 +1,12 @@
+--TEST--
+Bug #52237 (Crash when passing the reference of the property of a non-object)
+--FILE--
+<?php
+$data = 'test';
+preg_match('//', '', $data->info);
+var_dump($data);
+?>
+--EXPECTF--
+
+Warning: Attempt to modify property of non-object in %sbug52237.php on line 3
+string(4) "test"
Modified: php/php-src/trunk/Zend/zend_vm_def.h
===================================================================
--- php/php-src/trunk/Zend/zend_vm_def.h 2010-07-05 08:11:41 UTC (rev 300989)
+++ php/php-src/trunk/Zend/zend_vm_def.h 2010-07-05 09:08:35 UTC (rev 300990)
@@ -3078,6 +3078,13 @@
zend_error_noreturn(E_ERROR, "Only variables can be passed by reference");
}
+ if (OP1_TYPE == IS_VAR && UNEXPECTED(*varptr_ptr == &EG(error_zval))) {
+ Z_DELREF_PP(varptr_ptr);
+ ALLOC_ZVAL(*varptr_ptr);
+ INIT_ZVAL(**varptr_ptr);
+ Z_SET_REFCOUNT_PP(varptr_ptr, 0);
+ }
+
if (EX(function_state).function->type == ZEND_INTERNAL_FUNCTION && !ARG_SHOULD_BE_SENT_BY_REF(EX(fbc), opline->op2.opline_num)) {
ZEND_VM_DISPATCH_TO_HELPER(zend_send_by_var_helper);
}
Modified: php/php-src/trunk/Zend/zend_vm_execute.h
===================================================================
--- php/php-src/trunk/Zend/zend_vm_execute.h 2010-07-05 08:11:41 UTC (rev 300989)
+++ php/php-src/trunk/Zend/zend_vm_execute.h 2010-07-05 09:08:35 UTC (rev 300990)
@@ -10510,6 +10510,13 @@
zend_error_noreturn(E_ERROR, "Only variables can be passed by reference");
}
+ if (IS_VAR == IS_VAR && UNEXPECTED(*varptr_ptr == &EG(error_zval))) {
+ Z_DELREF_PP(varptr_ptr);
+ ALLOC_ZVAL(*varptr_ptr);
+ INIT_ZVAL(**varptr_ptr);
+ Z_SET_REFCOUNT_PP(varptr_ptr, 0);
+ }
+
if (EX(function_state).function->type == ZEND_INTERNAL_FUNCTION && !ARG_SHOULD_BE_SENT_BY_REF(EX(fbc), opline->op2.opline_num)) {
return zend_send_by_var_helper_SPEC_VAR(ZEND_OPCODE_HANDLER_ARGS_PASSTHRU);
}
@@ -26466,6 +26473,13 @@
zend_error_noreturn(E_ERROR, "Only variables can be passed by reference");
}
+ if (IS_CV == IS_VAR && UNEXPECTED(*varptr_ptr == &EG(error_zval))) {
+ Z_DELREF_PP(varptr_ptr);
+ ALLOC_ZVAL(*varptr_ptr);
+ INIT_ZVAL(**varptr_ptr);
+ Z_SET_REFCOUNT_PP(varptr_ptr, 0);
+ }
+
if (EX(function_state).function->type == ZEND_INTERNAL_FUNCTION && !ARG_SHOULD_BE_SENT_BY_REF(EX(fbc), opline->op2.opline_num)) {
return zend_send_by_var_helper_SPEC_CV(ZEND_OPCODE_HANDLER_ARGS_PASSTHRU);
}