dmitry Wed, 16 Mar 2011 11:14:33 +0000 Revision: http://svn.php.net/viewvc?view=revision&revision=309300
Log: Fixed bug #54262 (Crash when assigning value to a dimension in a non-array) Bug: http://bugs.php.net/54262 (error getting bug information) Changed paths: U php/php-src/branches/PHP_5_2/NEWS A php/php-src/branches/PHP_5_2/Zend/tests/bug54262.phpt U php/php-src/branches/PHP_5_2/Zend/zend_vm_def.h U php/php-src/branches/PHP_5_2/Zend/zend_vm_execute.h U php/php-src/branches/PHP_5_3/NEWS A php/php-src/branches/PHP_5_3/Zend/tests/bug54262.phpt U php/php-src/branches/PHP_5_3/Zend/zend_vm_def.h U php/php-src/branches/PHP_5_3/Zend/zend_vm_execute.h U php/php-src/branches/PHP_5_3/Zend/zend_vm_opcodes.h A php/php-src/trunk/Zend/tests/bug54262.phpt U php/php-src/trunk/Zend/zend_vm_def.h U php/php-src/trunk/Zend/zend_vm_execute.h
Modified: php/php-src/branches/PHP_5_2/NEWS
===================================================================
--- php/php-src/branches/PHP_5_2/NEWS 2011-03-16 10:56:51 UTC (rev 309299)
+++ php/php-src/branches/PHP_5_2/NEWS 2011-03-16 11:14:33 UTC (rev 309300)
@@ -4,6 +4,8 @@ - Added ability to connect to HTTPS sites through proxy with basic authentication using stream_context/http/header/Proxy-Authorization (Dmitry) +- Fixed bug #54262 (Crash when assigning value to a dimension in a non-array). + (Dmitry) - Fixed bug #53682 (Fix compile on the VAX). (Rasmus, jklos) - Fixed bug #53568 (swapped memset arguments in struct initialization). (crrodriguez at opensuse dot org)
Added: php/php-src/branches/PHP_5_2/Zend/tests/bug54262.phpt
===================================================================
--- php/php-src/branches/PHP_5_2/Zend/tests/bug54262.phpt (rev 0)
+++ php/php-src/branches/PHP_5_2/Zend/tests/bug54262.phpt 2011-03-16 11:14:33 UTC (rev 309300)
@@ -0,0 +1,17 @@
+--TEST--
+Bug #54262 (Crash when assigning value to a dimension in a non-array)
+--FILE--
+<?php
+$a = '0';
+var_dump(isset($a['b']));
+$simpleString = preg_match('//', '', $a->a);
+$simpleString["wrong"] = "f";
+echo "ok\n";
+?>
+--EXPECTF--
+bool(true)
+
+Warning: Attempt to modify property of non-object in %s/Zend/tests/bug54262.php on line 4
+
+Warning: Cannot use a scalar value as an array in %s/Zend/tests/bug54262.php on line 5
+ok
\ No newline at end of file
Modified: php/php-src/branches/PHP_5_2/Zend/zend_vm_def.h
===================================================================
--- php/php-src/branches/PHP_5_2/Zend/zend_vm_def.h 2011-03-16 10:56:51 UTC (rev 309299)
+++ php/php-src/branches/PHP_5_2/Zend/zend_vm_def.h 2011-03-16 11:14:33 UTC (rev 309300)
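Review bot: The `--EXPECTF--` block in bug54262.phpt pins the warning path as `%s/Zend/tests/bug54262.php`, so the expectation only matches when the reported path uses forward slashes and that exact directory layout. Matching on the file name alone, `Warning: Attempt to modify property of non-object in %sbug54262.php on line 4` (and likewise for the line 5 warning), keeps the test portable. The file also ends without a trailing newline. The same test is added unchanged under PHP_5_3 and trunk, so the point applies to all three copies.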
@@ -2379,10 +2379,9 @@
 } if (OP1_TYPE == IS_VAR && *varptr_ptr == EG(error_zval_ptr)) {
- (*varptr_ptr)->refcount--;
- ALLOC_ZVAL(*varptr_ptr);
- INIT_ZVAL(**varptr_ptr);
- (*varptr_ptr)->refcount = 0;
+ ALLOC_INIT_ZVAL(varptr);
+ zend_ptr_stack_push(&EG(argument_stack), varptr);
+ ZEND_VM_NEXT_OPCODE();
 } if (EX(function_state).function->type == ZEND_INTERNAL_FUNCTION && !ARG_SHOULD_BE_SENT_BY_REF(EX(fbc), opline->op2.u.opline_num)) {
Modified: php/php-src/branches/PHP_5_2/Zend/zend_vm_execute.h
===================================================================
--- php/php-src/branches/PHP_5_2/Zend/zend_vm_execute.h 2011-03-16 10:56:51 UTC (rev 309299)
+++ php/php-src/branches/PHP_5_2/Zend/zend_vm_execute.h 2011-03-16 11:14:33 UTC (rev 309300)
@@ -7606,10 +7606,9 @@
 } if (IS_VAR == IS_VAR && *varptr_ptr == EG(error_zval_ptr)) {
- (*varptr_ptr)->refcount--;
- ALLOC_ZVAL(*varptr_ptr);
- INIT_ZVAL(**varptr_ptr);
- (*varptr_ptr)->refcount = 0;
+ ALLOC_INIT_ZVAL(varptr);
+ zend_ptr_stack_push(&EG(argument_stack), varptr);
+ ZEND_VM_NEXT_OPCODE();
 } if (EX(function_state).function->type == ZEND_INTERNAL_FUNCTION && !ARG_SHOULD_BE_SENT_BY_REF(EX(fbc), opline->op2.u.opline_num)) {
@@ -20049,10 +20048,9 @@
 } if (IS_CV == IS_VAR && *varptr_ptr == EG(error_zval_ptr)) {
- (*varptr_ptr)->refcount--;
- ALLOC_ZVAL(*varptr_ptr);
- INIT_ZVAL(**varptr_ptr);
- (*varptr_ptr)->refcount = 0;
+ ALLOC_INIT_ZVAL(varptr);
+ zend_ptr_stack_push(&EG(argument_stack), varptr);
+ ZEND_VM_NEXT_OPCODE();
 } if (EX(function_state).function->type == ZEND_INTERNAL_FUNCTION && !ARG_SHOULD_BE_SENT_BY_REF(EX(fbc), opline->op2.u.opline_num)) {
Modified: php/php-src/branches/PHP_5_3/NEWS
===================================================================
--- php/php-src/branches/PHP_5_3/NEWS 2011-03-16 10:56:51 UTC (rev 309299)
+++ php/php-src/branches/PHP_5_3/NEWS 2011-03-16 11:14:33 UTC (rev 309300)
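Review bot: The rewritten `error_zval_ptr` branch at @@ -2379 carries no comment saying why it no longer writes through `*varptr_ptr`, and that reason is the whole fix: the removed lines decremented the refcount of the engine's shared error zval and overwrote the slot that held it. I would add something like `/* error zval is shared: leave it untouched and send a fresh NULL zval instead */` above `ALLOC_INIT_ZVAL(varptr);`. The branch now leaves the handler through `ZEND_VM_NEXT_OPCODE()`, and the handler continues outside the hunk, so it is worth confirming that nothing after this point (operand release in particular) still has to run on this path. The same applies to the generated copies in zend_vm_execute.h and to the PHP_5_3 and trunk versions of the change.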
@@ -1,6 +1,10 @@ PHP NEWS ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||| ?? Mar 2011, PHP 5.3.6 +- Zend Engine: + . Fixed bug #54262 (Crash when assigning value to a dimension in a non-array). + (Dmitry) + - Phar extension: . Fixed bug #54247 (format-string vulnerability on Phar). (Felipe) (CVE-2011-1153)
Added: php/php-src/branches/PHP_5_3/Zend/tests/bug54262.phpt
===================================================================
--- php/php-src/branches/PHP_5_3/Zend/tests/bug54262.phpt (rev 0)
+++ php/php-src/branches/PHP_5_3/Zend/tests/bug54262.phpt 2011-03-16 11:14:33 UTC (rev 309300)
@@ -0,0 +1,17 @@
+--TEST--
+Bug #54262 (Crash when assigning value to a dimension in a non-array)
+--FILE--
+<?php
+$a = '0';
+var_dump(isset($a['b']));
+$simpleString = preg_match('//', '', $a->a);
+$simpleString["wrong"] = "f";
+echo "ok\n";
+?>
+--EXPECTF--
+bool(true)
+
+Warning: Attempt to modify property of non-object in %s/Zend/tests/bug54262.php on line 4
+
+Warning: Cannot use a scalar value as an array in %s/Zend/tests/bug54262.php on line 5
+ok
\ No newline at end of file
Modified: php/php-src/branches/PHP_5_3/Zend/zend_vm_def.h
===================================================================
--- php/php-src/branches/PHP_5_3/Zend/zend_vm_def.h 2011-03-16 10:56:51 UTC (rev 309299)
+++ php/php-src/branches/PHP_5_3/Zend/zend_vm_def.h 2011-03-16 11:14:33 UTC (rev 309300)
@@ -2694,10 +2694,9 @@
 } if (OP1_TYPE == IS_VAR && *varptr_ptr == EG(error_zval_ptr)) {
- Z_DELREF_PP(varptr_ptr);
- ALLOC_ZVAL(*varptr_ptr);
- INIT_ZVAL(**varptr_ptr);
- Z_SET_REFCOUNT_PP(varptr_ptr, 0);
+ ALLOC_INIT_ZVAL(varptr);
+ zend_vm_stack_push(varptr TSRMLS_CC);
+ ZEND_VM_NEXT_OPCODE();
 } if (EX(function_state).function->type == ZEND_INTERNAL_FUNCTION && !ARG_SHOULD_BE_SENT_BY_REF(EX(fbc), opline->op2.u.opline_num)) {
Modified: php/php-src/branches/PHP_5_3/Zend/zend_vm_execute.h
===================================================================
--- php/php-src/branches/PHP_5_3/Zend/zend_vm_execute.h 2011-03-16 10:56:51 UTC (rev 309299)
+++ php/php-src/branches/PHP_5_3/Zend/zend_vm_execute.h 2011-03-16 11:14:33 UTC (rev 309300)
@@ -2,7 +2,7 @@ +----------------------------------------------------------------------+ | Zend Engine | +----------------------------------------------------------------------+ - | Copyright (c) 1998-2011 Zend Technologies Ltd. (http://www.zend.com) | + | Copyright (c) 1998-2010 Zend Technologies Ltd. (http://www.zend.com) | +----------------------------------------------------------------------+ | This source file is subject to version 2.00 of the Zend license, | | that is bundled with this package in the file LICENSE, and is |
@@ -1880,16 +1880,6 @@
 return_value_used = RETURN_VALUE_USED(opline);
- if (Z_LVAL(opline->op2.u.constant) != ZEND_EVAL && strlen(Z_STRVAL_P(inc_filename)) != Z_STRLEN_P(inc_filename)) {
- if (Z_LVAL(opline->op2.u.constant)==ZEND_INCLUDE_ONCE ||
- Z_LVAL(opline->op2.u.constant)==ZEND_INCLUDE) {
- zend_message_dispatcher(ZMSG_FAILED_INCLUDE_FOPEN, Z_STRVAL_P(inc_filename) TSRMLS_CC);
- } else {
- zend_message_dispatcher(ZMSG_FAILED_REQUIRE_FOPEN, Z_STRVAL_P(inc_filename) TSRMLS_CC);
- }
- goto done;
- }
-
 switch (Z_LVAL(opline->op2.u.constant)) { case ZEND_INCLUDE_ONCE: case ZEND_REQUIRE_ONCE: {
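Review bot: The `strlen(Z_STRVAL_P(inc_filename)) != Z_STRLEN_P(inc_filename)` guard removed at @@ -1880 has nothing to do with bug #54262, and without it include/require no longer fail early when the path's C-string length differs from its recorded length, which is the case for a filename containing an embedded NUL byte. The zend_vm_def.h diff for PHP_5_3 in this commit shows no matching removal, and the copyright year in this file and in zend_vm_opcodes.h goes back from 2011 to 2010, so this looks like a regeneration from stale inputs rather than an intended change (inferred from the diff). The same guard is dropped at @@ -5165, @@ -8546 and @@ -22420, and the `done:` label at @@ -1943, @@ -5228, @@ -8609 and @@ -22483. I would hold the PHP_5_3 part of the commit until the guard is present in zend_vm_def.h and this file has been regenerated from it.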
@@ -1943,7 +1933,6 @@
 break; EMPTY_SWITCH_DEFAULT_CASE() }
-done:
 if (inc_filename==&tmp_inc_filename) { zval_dtor(&tmp_inc_filename); }
@@ -5165,16 +5154,6 @@
 return_value_used = RETURN_VALUE_USED(opline);
- if (Z_LVAL(opline->op2.u.constant) != ZEND_EVAL && strlen(Z_STRVAL_P(inc_filename)) != Z_STRLEN_P(inc_filename)) {
- if (Z_LVAL(opline->op2.u.constant)==ZEND_INCLUDE_ONCE ||
- Z_LVAL(opline->op2.u.constant)==ZEND_INCLUDE) {
- zend_message_dispatcher(ZMSG_FAILED_INCLUDE_FOPEN, Z_STRVAL_P(inc_filename) TSRMLS_CC);
- } else {
- zend_message_dispatcher(ZMSG_FAILED_REQUIRE_FOPEN, Z_STRVAL_P(inc_filename) TSRMLS_CC);
- }
- goto done;
- }
-
 switch (Z_LVAL(opline->op2.u.constant)) { case ZEND_INCLUDE_ONCE: case ZEND_REQUIRE_ONCE: {
@@ -5228,7 +5207,6 @@
 break; EMPTY_SWITCH_DEFAULT_CASE() }
-done:
 if (inc_filename==&tmp_inc_filename) { zval_dtor(&tmp_inc_filename); }
@@ -8364,10 +8342,9 @@
 } if (IS_VAR == IS_VAR && *varptr_ptr == EG(error_zval_ptr)) {
- Z_DELREF_PP(varptr_ptr);
- ALLOC_ZVAL(*varptr_ptr);
- INIT_ZVAL(**varptr_ptr);
- Z_SET_REFCOUNT_PP(varptr_ptr, 0);
+ ALLOC_INIT_ZVAL(varptr);
+ zend_vm_stack_push(varptr TSRMLS_CC);
+ ZEND_VM_NEXT_OPCODE();
 } if (EX(function_state).function->type == ZEND_INTERNAL_FUNCTION && !ARG_SHOULD_BE_SENT_BY_REF(EX(fbc), opline->op2.u.opline_num)) {
@@ -8546,16 +8523,6 @@
 return_value_used = RETURN_VALUE_USED(opline);
- if (Z_LVAL(opline->op2.u.constant) != ZEND_EVAL && strlen(Z_STRVAL_P(inc_filename)) != Z_STRLEN_P(inc_filename)) {
- if (Z_LVAL(opline->op2.u.constant)==ZEND_INCLUDE_ONCE ||
- Z_LVAL(opline->op2.u.constant)==ZEND_INCLUDE) {
- zend_message_dispatcher(ZMSG_FAILED_INCLUDE_FOPEN, Z_STRVAL_P(inc_filename) TSRMLS_CC);
- } else {
- zend_message_dispatcher(ZMSG_FAILED_REQUIRE_FOPEN, Z_STRVAL_P(inc_filename) TSRMLS_CC);
- }
- goto done;
- }
-
 switch (Z_LVAL(opline->op2.u.constant)) { case ZEND_INCLUDE_ONCE: case ZEND_REQUIRE_ONCE: {
@@ -8609,7 +8576,6 @@
 break; EMPTY_SWITCH_DEFAULT_CASE() }
-done:
 if (inc_filename==&tmp_inc_filename) { zval_dtor(&tmp_inc_filename); }
@@ -22248,10 +22214,9 @@
 } if (IS_CV == IS_VAR && *varptr_ptr == EG(error_zval_ptr)) {
- Z_DELREF_PP(varptr_ptr);
- ALLOC_ZVAL(*varptr_ptr);
- INIT_ZVAL(**varptr_ptr);
- Z_SET_REFCOUNT_PP(varptr_ptr, 0);
+ ALLOC_INIT_ZVAL(varptr);
+ zend_vm_stack_push(varptr TSRMLS_CC);
+ ZEND_VM_NEXT_OPCODE();
 } if (EX(function_state).function->type == ZEND_INTERNAL_FUNCTION && !ARG_SHOULD_BE_SENT_BY_REF(EX(fbc), opline->op2.u.opline_num)) {
@@ -22420,16 +22385,6 @@
 return_value_used = RETURN_VALUE_USED(opline);
- if (Z_LVAL(opline->op2.u.constant) != ZEND_EVAL && strlen(Z_STRVAL_P(inc_filename)) != Z_STRLEN_P(inc_filename)) {
- if (Z_LVAL(opline->op2.u.constant)==ZEND_INCLUDE_ONCE ||
- Z_LVAL(opline->op2.u.constant)==ZEND_INCLUDE) {
- zend_message_dispatcher(ZMSG_FAILED_INCLUDE_FOPEN, Z_STRVAL_P(inc_filename) TSRMLS_CC);
- } else {
- zend_message_dispatcher(ZMSG_FAILED_REQUIRE_FOPEN, Z_STRVAL_P(inc_filename) TSRMLS_CC);
- }
- goto done;
- }
-
 switch (Z_LVAL(opline->op2.u.constant)) { case ZEND_INCLUDE_ONCE: case ZEND_REQUIRE_ONCE: {
@@ -22483,7 +22438,6 @@
 break; EMPTY_SWITCH_DEFAULT_CASE() }
-done:
 if (inc_filename==&tmp_inc_filename) { zval_dtor(&tmp_inc_filename); }
Modified: php/php-src/branches/PHP_5_3/Zend/zend_vm_opcodes.h
===================================================================
--- php/php-src/branches/PHP_5_3/Zend/zend_vm_opcodes.h 2011-03-16 10:56:51 UTC (rev 309299)
+++ php/php-src/branches/PHP_5_3/Zend/zend_vm_opcodes.h 2011-03-16 11:14:33 UTC (rev 309300)
@@ -2,7 +2,7 @@ +----------------------------------------------------------------------+ | Zend Engine | +----------------------------------------------------------------------+ - | Copyright (c) 1998-2011 Zend Technologies Ltd. (http://www.zend.com) | + | Copyright (c) 1998-2010 Zend Technologies Ltd. (http://www.zend.com) | +----------------------------------------------------------------------+ | This source file is subject to version 2.00 of the Zend license, | | that is bundled with this package in the file LICENSE, and is |
Added: php/php-src/trunk/Zend/tests/bug54262.phpt
===================================================================
--- php/php-src/trunk/Zend/tests/bug54262.phpt (rev 0)
+++ php/php-src/trunk/Zend/tests/bug54262.phpt 2011-03-16 11:14:33 UTC (rev 309300)
@@ -0,0 +1,17 @@
+--TEST--
+Bug #54262 (Crash when assigning value to a dimension in a non-array)
+--FILE--
+<?php
+$a = '0';
+var_dump(isset($a['b']));
+$simpleString = preg_match('//', '', $a->a);
+$simpleString["wrong"] = "f";
+echo "ok\n";
+?>
+--EXPECTF--
+bool(true)
+
+Warning: Attempt to modify property of non-object in %s/Zend/tests/bug54262.php on line 4
+
+Warning: Cannot use a scalar value as an array in %s/Zend/tests/bug54262.php on line 5
+ok
\ No newline at end of file
Modified: php/php-src/trunk/Zend/zend_vm_def.h
===================================================================
--- php/php-src/trunk/Zend/zend_vm_def.h 2011-03-16 10:56:51 UTC (rev 309299)
+++ php/php-src/trunk/Zend/zend_vm_def.h 2011-03-16 11:14:33 UTC (rev 309300)
@@ -3051,10 +3051,10 @@
 } if (OP1_TYPE == IS_VAR && UNEXPECTED(*varptr_ptr == &EG(error_zval))) {
- Z_DELREF_PP(varptr_ptr);
- ALLOC_ZVAL(*varptr_ptr);
- INIT_ZVAL(**varptr_ptr);
- Z_SET_REFCOUNT_PP(varptr_ptr, 0);
+ ALLOC_INIT_ZVAL(varptr);
+ zend_vm_stack_push(varptr TSRMLS_CC);
+ CHECK_EXCEPTION();
+ ZEND_VM_NEXT_OPCODE();
 } if (EX(function_state).function->type == ZEND_INTERNAL_FUNCTION && !ARG_SHOULD_BE_SENT_BY_REF(EX(fbc), opline->op2.opline_num)) {
Modified: php/php-src/trunk/Zend/zend_vm_execute.h
===================================================================
--- php/php-src/trunk/Zend/zend_vm_execute.h 2011-03-16 10:56:51 UTC (rev 309299)
+++ php/php-src/trunk/Zend/zend_vm_execute.h 2011-03-16 11:14:33 UTC (rev 309300)
@@ -10621,10 +10621,10 @@
 } if (IS_VAR == IS_VAR && UNEXPECTED(*varptr_ptr == &EG(error_zval))) {
- Z_DELREF_PP(varptr_ptr);
- ALLOC_ZVAL(*varptr_ptr);
- INIT_ZVAL(**varptr_ptr);
- Z_SET_REFCOUNT_PP(varptr_ptr, 0);
+ ALLOC_INIT_ZVAL(varptr);
+ zend_vm_stack_push(varptr TSRMLS_CC);
+ CHECK_EXCEPTION();
+ ZEND_VM_NEXT_OPCODE();
 } if (EX(function_state).function->type == ZEND_INTERNAL_FUNCTION && !ARG_SHOULD_BE_SENT_BY_REF(EX(fbc), opline->op2.opline_num)) {
@@ -26310,10 +26310,10 @@
 } if (IS_CV == IS_VAR && UNEXPECTED(*varptr_ptr == &EG(error_zval))) {
- Z_DELREF_PP(varptr_ptr);
- ALLOC_ZVAL(*varptr_ptr);
- INIT_ZVAL(**varptr_ptr);
- Z_SET_REFCOUNT_PP(varptr_ptr, 0);
+ ALLOC_INIT_ZVAL(varptr);
+ zend_vm_stack_push(varptr TSRMLS_CC);
+ CHECK_EXCEPTION();
+ ZEND_VM_NEXT_OPCODE();
 } if (EX(function_state).function->type == ZEND_INTERNAL_FUNCTION && !ARG_SHOULD_BE_SENT_BY_REF(EX(fbc), opline->op2.opline_num)) {