dmitry                                   Wed, 16 Mar 2011 11:14:33 +0000

Revision: http://svn.php.net/viewvc?view=revision&revision=309300

Log:
Fixed bug #54262 (Crash when assigning value to a dimension in a non-array)

Bug: http://bugs.php.net/54262 (error getting bug information)
      
Changed paths:
    U   php/php-src/branches/PHP_5_2/NEWS
    A   php/php-src/branches/PHP_5_2/Zend/tests/bug54262.phpt
    U   php/php-src/branches/PHP_5_2/Zend/zend_vm_def.h
    U   php/php-src/branches/PHP_5_2/Zend/zend_vm_execute.h
    U   php/php-src/branches/PHP_5_3/NEWS
    A   php/php-src/branches/PHP_5_3/Zend/tests/bug54262.phpt
    U   php/php-src/branches/PHP_5_3/Zend/zend_vm_def.h
    U   php/php-src/branches/PHP_5_3/Zend/zend_vm_execute.h
    U   php/php-src/branches/PHP_5_3/Zend/zend_vm_opcodes.h
    A   php/php-src/trunk/Zend/tests/bug54262.phpt
    U   php/php-src/trunk/Zend/zend_vm_def.h
    U   php/php-src/trunk/Zend/zend_vm_execute.h

Modified: php/php-src/branches/PHP_5_2/NEWS
===================================================================
--- php/php-src/branches/PHP_5_2/NEWS	2011-03-16 10:56:51 UTC (rev 309299)
+++ php/php-src/branches/PHP_5_2/NEWS	2011-03-16 11:14:33 UTC (rev 309300)
@@ -4,6 +4,8 @@
 - Added ability to connect to HTTPS sites through proxy with basic
   authentication using stream_context/http/header/Proxy-Authorization (Dmitry)

+- Fixed bug #54262 (Crash when assigning value to a dimension in a non-array).
+  (Dmitry)
 - Fixed bug #53682 (Fix compile on the VAX). (Rasmus, jklos)
 - Fixed bug #53568 (swapped memset arguments in struct initialization).
   (crrodriguez at opensuse dot org)

Added: php/php-src/branches/PHP_5_2/Zend/tests/bug54262.phpt
===================================================================
--- php/php-src/branches/PHP_5_2/Zend/tests/bug54262.phpt	                        (rev 0)
+++ php/php-src/branches/PHP_5_2/Zend/tests/bug54262.phpt	2011-03-16 11:14:33 UTC (rev 309300)
@@ -0,0 +1,17 @@
+--TEST--
+Bug #54262 (Crash when assigning value to a dimension in a non-array)
+--FILE--
+<?php
+$a = '0';
+var_dump(isset($a['b']));
+$simpleString = preg_match('//', '', $a->a);
+$simpleString["wrong"] = "f";
+echo "ok\n";
+?>
+--EXPECTF--
+bool(true)
+
+Warning: Attempt to modify property of non-object in %s/Zend/tests/bug54262.php on line 4
+
+Warning: Cannot use a scalar value as an array in %s/Zend/tests/bug54262.php on line 5
+ok
\ No newline at end of file
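Review bot: The two `Warning:` lines under `--EXPECTF--` hardcode `%s/Zend/tests/bug54262.php`, so the expectation only matches when the script path is reported with forward slashes and that exact directory tail. On a platform that reports backslash-separated paths the test would fail even though the engine behaves correctly, which weakens it as the regression guard for this crash. Matching on the file name alone is enough, e.g. `Warning: Attempt to modify property of non-object in %sbug54262.php on line 4`, and likewise for the line 5 warning. The same expectation is repeated in the PHP_5_3 and trunk copies of this test.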

Modified: php/php-src/branches/PHP_5_2/Zend/zend_vm_def.h
===================================================================
--- php/php-src/branches/PHP_5_2/Zend/zend_vm_def.h	2011-03-16 10:56:51 UTC (rev 309299)
+++ php/php-src/branches/PHP_5_2/Zend/zend_vm_def.h	2011-03-16 11:14:33 UTC (rev 309300)
@@ -2379,10 +2379,9 @@
 	}

 	if (OP1_TYPE == IS_VAR && *varptr_ptr == EG(error_zval_ptr)) {
-		(*varptr_ptr)->refcount--;
-		ALLOC_ZVAL(*varptr_ptr);
-		INIT_ZVAL(**varptr_ptr);
-		(*varptr_ptr)->refcount = 0;
+		ALLOC_INIT_ZVAL(varptr);
+		zend_ptr_stack_push(&EG(argument_stack), varptr);
+		ZEND_VM_NEXT_OPCODE();
 	}

 	if (EX(function_state).function->type == ZEND_INTERNAL_FUNCTION && !ARG_SHOULD_BE_SENT_BY_REF(EX(fbc), opline->op2.u.opline_num)) {
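Review bot: The new `*varptr_ptr == EG(error_zval_ptr)` branch leaves the handler through `ZEND_VM_NEXT_OPCODE()` without a comment, and it skips everything the handler does after this block, which lies outside the hunk. Please confirm that no release of op1 is needed on this path, and record the reasoning next to the branch, for example `/* error_zval is a shared sentinel: push a fresh zval as the argument and leave *varptr_ptr alone */`. The removed lines adjusted the refcount behind `*varptr_ptr` and overwrote the slot, so a short comment would help keep a later cleanup from reintroducing writes through that pointer. The same change appears in the PHP_5_3 and trunk `zend_vm_def.h` hunks and in the generated `zend_vm_execute.h` copies.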

Modified: php/php-src/branches/PHP_5_2/Zend/zend_vm_execute.h
===================================================================
--- php/php-src/branches/PHP_5_2/Zend/zend_vm_execute.h	2011-03-16 10:56:51 UTC (rev 309299)
+++ php/php-src/branches/PHP_5_2/Zend/zend_vm_execute.h	2011-03-16 11:14:33 UTC (rev 309300)
@@ -7606,10 +7606,9 @@
 	}

 	if (IS_VAR == IS_VAR && *varptr_ptr == EG(error_zval_ptr)) {
-		(*varptr_ptr)->refcount--;
-		ALLOC_ZVAL(*varptr_ptr);
-		INIT_ZVAL(**varptr_ptr);
-		(*varptr_ptr)->refcount = 0;
+		ALLOC_INIT_ZVAL(varptr);
+		zend_ptr_stack_push(&EG(argument_stack), varptr);
+		ZEND_VM_NEXT_OPCODE();
 	}

 	if (EX(function_state).function->type == ZEND_INTERNAL_FUNCTION && !ARG_SHOULD_BE_SENT_BY_REF(EX(fbc), opline->op2.u.opline_num)) {
@@ -20049,10 +20048,9 @@
 	}

 	if (IS_CV == IS_VAR && *varptr_ptr == EG(error_zval_ptr)) {
-		(*varptr_ptr)->refcount--;
-		ALLOC_ZVAL(*varptr_ptr);
-		INIT_ZVAL(**varptr_ptr);
-		(*varptr_ptr)->refcount = 0;
+		ALLOC_INIT_ZVAL(varptr);
+		zend_ptr_stack_push(&EG(argument_stack), varptr);
+		ZEND_VM_NEXT_OPCODE();
 	}

 	if (EX(function_state).function->type == ZEND_INTERNAL_FUNCTION && !ARG_SHOULD_BE_SENT_BY_REF(EX(fbc), opline->op2.u.opline_num)) {

Modified: php/php-src/branches/PHP_5_3/NEWS
===================================================================
--- php/php-src/branches/PHP_5_3/NEWS	2011-03-16 10:56:51 UTC (rev 309299)
+++ php/php-src/branches/PHP_5_3/NEWS	2011-03-16 11:14:33 UTC (rev 309300)
@@ -1,6 +1,10 @@
 ´╗┐PHP                                                                        NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 ?? Mar 2011, PHP 5.3.6
+- Zend Engine:
+  . Fixed bug #54262 (Crash when assigning value to a dimension in a non-array).
+    (Dmitry)
+
 - Phar extension:
   . Fixed bug #54247 (format-string vulnerability on Phar). (Felipe)
     (CVE-2011-1153)

Added: php/php-src/branches/PHP_5_3/Zend/tests/bug54262.phpt
===================================================================
--- php/php-src/branches/PHP_5_3/Zend/tests/bug54262.phpt	                        (rev 0)
+++ php/php-src/branches/PHP_5_3/Zend/tests/bug54262.phpt	2011-03-16 11:14:33 UTC (rev 309300)
@@ -0,0 +1,17 @@
+--TEST--
+Bug #54262 (Crash when assigning value to a dimension in a non-array)
+--FILE--
+<?php
+$a = '0';
+var_dump(isset($a['b']));
+$simpleString = preg_match('//', '', $a->a);
+$simpleString["wrong"] = "f";
+echo "ok\n";
+?>
+--EXPECTF--
+bool(true)
+
+Warning: Attempt to modify property of non-object in %s/Zend/tests/bug54262.php on line 4
+
+Warning: Cannot use a scalar value as an array in %s/Zend/tests/bug54262.php on line 5
+ok
\ No newline at end of file

Modified: php/php-src/branches/PHP_5_3/Zend/zend_vm_def.h
===================================================================
--- php/php-src/branches/PHP_5_3/Zend/zend_vm_def.h	2011-03-16 10:56:51 UTC (rev 309299)
+++ php/php-src/branches/PHP_5_3/Zend/zend_vm_def.h	2011-03-16 11:14:33 UTC (rev 309300)
@@ -2694,10 +2694,9 @@
 	}

 	if (OP1_TYPE == IS_VAR && *varptr_ptr == EG(error_zval_ptr)) {
-		Z_DELREF_PP(varptr_ptr);
-		ALLOC_ZVAL(*varptr_ptr);
-		INIT_ZVAL(**varptr_ptr);
-		Z_SET_REFCOUNT_PP(varptr_ptr, 0);
+		ALLOC_INIT_ZVAL(varptr);
+		zend_vm_stack_push(varptr TSRMLS_CC);
+		ZEND_VM_NEXT_OPCODE();
 	}

 	if (EX(function_state).function->type == ZEND_INTERNAL_FUNCTION && !ARG_SHOULD_BE_SENT_BY_REF(EX(fbc), opline->op2.u.opline_num)) {

Modified: php/php-src/branches/PHP_5_3/Zend/zend_vm_execute.h
===================================================================
--- php/php-src/branches/PHP_5_3/Zend/zend_vm_execute.h	2011-03-16 10:56:51 UTC (rev 309299)
+++ php/php-src/branches/PHP_5_3/Zend/zend_vm_execute.h	2011-03-16 11:14:33 UTC (rev 309300)
@@ -2,7 +2,7 @@
    +----------------------------------------------------------------------+
    | Zend Engine                                                          |
    +----------------------------------------------------------------------+
-   | Copyright (c) 1998-2011 Zend Technologies Ltd. (http://www.zend.com) |
+   | Copyright (c) 1998-2010 Zend Technologies Ltd. (http://www.zend.com) |
    +----------------------------------------------------------------------+
    | This source file is subject to version 2.00 of the Zend license,     |
    | that is bundled with this package in the file LICENSE, and is        |
@@ -1880,16 +1880,6 @@

 	return_value_used = RETURN_VALUE_USED(opline);

-	if (Z_LVAL(opline->op2.u.constant) != ZEND_EVAL && strlen(Z_STRVAL_P(inc_filename)) != Z_STRLEN_P(inc_filename)) {
-		if (Z_LVAL(opline->op2.u.constant)==ZEND_INCLUDE_ONCE ||
-		    Z_LVAL(opline->op2.u.constant)==ZEND_INCLUDE) {
-			zend_message_dispatcher(ZMSG_FAILED_INCLUDE_FOPEN, Z_STRVAL_P(inc_filename) TSRMLS_CC);
-		} else {
-			zend_message_dispatcher(ZMSG_FAILED_REQUIRE_FOPEN, Z_STRVAL_P(inc_filename) TSRMLS_CC);
-		}
-		goto done;
-	}
-
 	switch (Z_LVAL(opline->op2.u.constant)) {
 		case ZEND_INCLUDE_ONCE:
 		case ZEND_REQUIRE_ONCE: {
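Review bot: This hunk removes the `strlen(Z_STRVAL_P(inc_filename)) != Z_STRLEN_P(inc_filename)` guard from the include/require handler, which is unrelated to bug #54262 and is not mentioned in the log. That guard rejected a filename with an embedded NUL byte before the `switch` on the include type, so without it such a filename is no longer refused at this point; whether a later layer still refuses it is not visible here. No `zend_vm_def.h` hunk in this commit touches that code, and the copyright year in this file moves back from 2011 to 2010, which suggests the file was regenerated from input that lacked the check. If so, the guard and its `done:` label should be carried in `zend_vm_def.h` and the file regenerated, rather than committed as shown. The same removal is repeated in the hunks at -5165, -8546 and -22420, with the matching `done:` label dropped at -1943, -5228, -8609 and -22483.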
@@ -1943,7 +1933,6 @@
 			break;
 		EMPTY_SWITCH_DEFAULT_CASE()
 	}
-done:
 	if (inc_filename==&tmp_inc_filename) {
 		zval_dtor(&tmp_inc_filename);
 	}
@@ -5165,16 +5154,6 @@

 	return_value_used = RETURN_VALUE_USED(opline);

-	if (Z_LVAL(opline->op2.u.constant) != ZEND_EVAL && strlen(Z_STRVAL_P(inc_filename)) != Z_STRLEN_P(inc_filename)) {
-		if (Z_LVAL(opline->op2.u.constant)==ZEND_INCLUDE_ONCE ||
-		    Z_LVAL(opline->op2.u.constant)==ZEND_INCLUDE) {
-			zend_message_dispatcher(ZMSG_FAILED_INCLUDE_FOPEN, Z_STRVAL_P(inc_filename) TSRMLS_CC);
-		} else {
-			zend_message_dispatcher(ZMSG_FAILED_REQUIRE_FOPEN, Z_STRVAL_P(inc_filename) TSRMLS_CC);
-		}
-		goto done;
-	}
-
 	switch (Z_LVAL(opline->op2.u.constant)) {
 		case ZEND_INCLUDE_ONCE:
 		case ZEND_REQUIRE_ONCE: {
@@ -5228,7 +5207,6 @@
 			break;
 		EMPTY_SWITCH_DEFAULT_CASE()
 	}
-done:
 	if (inc_filename==&tmp_inc_filename) {
 		zval_dtor(&tmp_inc_filename);
 	}
@@ -8364,10 +8342,9 @@
 	}

 	if (IS_VAR == IS_VAR && *varptr_ptr == EG(error_zval_ptr)) {
-		Z_DELREF_PP(varptr_ptr);
-		ALLOC_ZVAL(*varptr_ptr);
-		INIT_ZVAL(**varptr_ptr);
-		Z_SET_REFCOUNT_PP(varptr_ptr, 0);
+		ALLOC_INIT_ZVAL(varptr);
+		zend_vm_stack_push(varptr TSRMLS_CC);
+		ZEND_VM_NEXT_OPCODE();
 	}

 	if (EX(function_state).function->type == ZEND_INTERNAL_FUNCTION && !ARG_SHOULD_BE_SENT_BY_REF(EX(fbc), opline->op2.u.opline_num)) {
@@ -8546,16 +8523,6 @@

 	return_value_used = RETURN_VALUE_USED(opline);

-	if (Z_LVAL(opline->op2.u.constant) != ZEND_EVAL && strlen(Z_STRVAL_P(inc_filename)) != Z_STRLEN_P(inc_filename)) {
-		if (Z_LVAL(opline->op2.u.constant)==ZEND_INCLUDE_ONCE ||
-		    Z_LVAL(opline->op2.u.constant)==ZEND_INCLUDE) {
-			zend_message_dispatcher(ZMSG_FAILED_INCLUDE_FOPEN, Z_STRVAL_P(inc_filename) TSRMLS_CC);
-		} else {
-			zend_message_dispatcher(ZMSG_FAILED_REQUIRE_FOPEN, Z_STRVAL_P(inc_filename) TSRMLS_CC);
-		}
-		goto done;
-	}
-
 	switch (Z_LVAL(opline->op2.u.constant)) {
 		case ZEND_INCLUDE_ONCE:
 		case ZEND_REQUIRE_ONCE: {
@@ -8609,7 +8576,6 @@
 			break;
 		EMPTY_SWITCH_DEFAULT_CASE()
 	}
-done:
 	if (inc_filename==&tmp_inc_filename) {
 		zval_dtor(&tmp_inc_filename);
 	}
@@ -22248,10 +22214,9 @@
 	}

 	if (IS_CV == IS_VAR && *varptr_ptr == EG(error_zval_ptr)) {
-		Z_DELREF_PP(varptr_ptr);
-		ALLOC_ZVAL(*varptr_ptr);
-		INIT_ZVAL(**varptr_ptr);
-		Z_SET_REFCOUNT_PP(varptr_ptr, 0);
+		ALLOC_INIT_ZVAL(varptr);
+		zend_vm_stack_push(varptr TSRMLS_CC);
+		ZEND_VM_NEXT_OPCODE();
 	}

 	if (EX(function_state).function->type == ZEND_INTERNAL_FUNCTION && !ARG_SHOULD_BE_SENT_BY_REF(EX(fbc), opline->op2.u.opline_num)) {
@@ -22420,16 +22385,6 @@

 	return_value_used = RETURN_VALUE_USED(opline);

-	if (Z_LVAL(opline->op2.u.constant) != ZEND_EVAL && strlen(Z_STRVAL_P(inc_filename)) != Z_STRLEN_P(inc_filename)) {
-		if (Z_LVAL(opline->op2.u.constant)==ZEND_INCLUDE_ONCE ||
-		    Z_LVAL(opline->op2.u.constant)==ZEND_INCLUDE) {
-			zend_message_dispatcher(ZMSG_FAILED_INCLUDE_FOPEN, Z_STRVAL_P(inc_filename) TSRMLS_CC);
-		} else {
-			zend_message_dispatcher(ZMSG_FAILED_REQUIRE_FOPEN, Z_STRVAL_P(inc_filename) TSRMLS_CC);
-		}
-		goto done;
-	}
-
 	switch (Z_LVAL(opline->op2.u.constant)) {
 		case ZEND_INCLUDE_ONCE:
 		case ZEND_REQUIRE_ONCE: {
@@ -22483,7 +22438,6 @@
 			break;
 		EMPTY_SWITCH_DEFAULT_CASE()
 	}
-done:
 	if (inc_filename==&tmp_inc_filename) {
 		zval_dtor(&tmp_inc_filename);
 	}

Modified: php/php-src/branches/PHP_5_3/Zend/zend_vm_opcodes.h
===================================================================
--- php/php-src/branches/PHP_5_3/Zend/zend_vm_opcodes.h	2011-03-16 10:56:51 UTC (rev 309299)
+++ php/php-src/branches/PHP_5_3/Zend/zend_vm_opcodes.h	2011-03-16 11:14:33 UTC (rev 309300)
@@ -2,7 +2,7 @@
    +----------------------------------------------------------------------+
    | Zend Engine                                                          |
    +----------------------------------------------------------------------+
-   | Copyright (c) 1998-2011 Zend Technologies Ltd. (http://www.zend.com) |
+   | Copyright (c) 1998-2010 Zend Technologies Ltd. (http://www.zend.com) |
    +----------------------------------------------------------------------+
    | This source file is subject to version 2.00 of the Zend license,     |
    | that is bundled with this package in the file LICENSE, and is        |

Added: php/php-src/trunk/Zend/tests/bug54262.phpt
===================================================================
--- php/php-src/trunk/Zend/tests/bug54262.phpt	                        (rev 0)
+++ php/php-src/trunk/Zend/tests/bug54262.phpt	2011-03-16 11:14:33 UTC (rev 309300)
@@ -0,0 +1,17 @@
+--TEST--
+Bug #54262 (Crash when assigning value to a dimension in a non-array)
+--FILE--
+<?php
+$a = '0';
+var_dump(isset($a['b']));
+$simpleString = preg_match('//', '', $a->a);
+$simpleString["wrong"] = "f";
+echo "ok\n";
+?>
+--EXPECTF--
+bool(true)
+
+Warning: Attempt to modify property of non-object in %s/Zend/tests/bug54262.php on line 4
+
+Warning: Cannot use a scalar value as an array in %s/Zend/tests/bug54262.php on line 5
+ok
\ No newline at end of file

Modified: php/php-src/trunk/Zend/zend_vm_def.h
===================================================================
--- php/php-src/trunk/Zend/zend_vm_def.h	2011-03-16 10:56:51 UTC (rev 309299)
+++ php/php-src/trunk/Zend/zend_vm_def.h	2011-03-16 11:14:33 UTC (rev 309300)
@@ -3051,10 +3051,10 @@
 	}

 	if (OP1_TYPE == IS_VAR && UNEXPECTED(*varptr_ptr == &EG(error_zval))) {
-		Z_DELREF_PP(varptr_ptr);
-		ALLOC_ZVAL(*varptr_ptr);
-		INIT_ZVAL(**varptr_ptr);
-		Z_SET_REFCOUNT_PP(varptr_ptr, 0);
+		ALLOC_INIT_ZVAL(varptr);
+		zend_vm_stack_push(varptr TSRMLS_CC);
+		CHECK_EXCEPTION();
+		ZEND_VM_NEXT_OPCODE();
 	}

 	if (EX(function_state).function->type == ZEND_INTERNAL_FUNCTION && !ARG_SHOULD_BE_SENT_BY_REF(EX(fbc), opline->op2.opline_num)) {

Modified: php/php-src/trunk/Zend/zend_vm_execute.h
===================================================================
--- php/php-src/trunk/Zend/zend_vm_execute.h	2011-03-16 10:56:51 UTC (rev 309299)
+++ php/php-src/trunk/Zend/zend_vm_execute.h	2011-03-16 11:14:33 UTC (rev 309300)
@@ -10621,10 +10621,10 @@
 	}

 	if (IS_VAR == IS_VAR && UNEXPECTED(*varptr_ptr == &EG(error_zval))) {
-		Z_DELREF_PP(varptr_ptr);
-		ALLOC_ZVAL(*varptr_ptr);
-		INIT_ZVAL(**varptr_ptr);
-		Z_SET_REFCOUNT_PP(varptr_ptr, 0);
+		ALLOC_INIT_ZVAL(varptr);
+		zend_vm_stack_push(varptr TSRMLS_CC);
+		CHECK_EXCEPTION();
+		ZEND_VM_NEXT_OPCODE();
 	}

 	if (EX(function_state).function->type == ZEND_INTERNAL_FUNCTION && !ARG_SHOULD_BE_SENT_BY_REF(EX(fbc), opline->op2.opline_num)) {
@@ -26310,10 +26310,10 @@
 	}

 	if (IS_CV == IS_VAR && UNEXPECTED(*varptr_ptr == &EG(error_zval))) {
-		Z_DELREF_PP(varptr_ptr);
-		ALLOC_ZVAL(*varptr_ptr);
-		INIT_ZVAL(**varptr_ptr);
-		Z_SET_REFCOUNT_PP(varptr_ptr, 0);
+		ALLOC_INIT_ZVAL(varptr);
+		zend_vm_stack_push(varptr TSRMLS_CC);
+		CHECK_EXCEPTION();
+		ZEND_VM_NEXT_OPCODE();
 	}

 	if (EX(function_state).function->type == ZEND_INTERNAL_FUNCTION && !ARG_SHOULD_BE_SENT_BY_REF(EX(fbc), opline->op2.opline_num)) {
-- 
PHP CVS Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
