dmitry Wed, 16 Mar 2011 11:14:33 +0000
Revision: http://svn.php.net/viewvc?view=revision&revision=309300
Log:
Fixed bug #54262 (Crash when assigning value to a dimension in a non-array)
Bug: http://bugs.php.net/54262 (error getting bug information)
Changed paths:
U php/php-src/branches/PHP_5_2/NEWS
A php/php-src/branches/PHP_5_2/Zend/tests/bug54262.phpt
U php/php-src/branches/PHP_5_2/Zend/zend_vm_def.h
U php/php-src/branches/PHP_5_2/Zend/zend_vm_execute.h
U php/php-src/branches/PHP_5_3/NEWS
A php/php-src/branches/PHP_5_3/Zend/tests/bug54262.phpt
U php/php-src/branches/PHP_5_3/Zend/zend_vm_def.h
U php/php-src/branches/PHP_5_3/Zend/zend_vm_execute.h
U php/php-src/branches/PHP_5_3/Zend/zend_vm_opcodes.h
A php/php-src/trunk/Zend/tests/bug54262.phpt
U php/php-src/trunk/Zend/zend_vm_def.h
U php/php-src/trunk/Zend/zend_vm_execute.h
Modified: php/php-src/branches/PHP_5_2/NEWS
===================================================================
--- php/php-src/branches/PHP_5_2/NEWS 2011-03-16 10:56:51 UTC (rev 309299)
+++ php/php-src/branches/PHP_5_2/NEWS 2011-03-16 11:14:33 UTC (rev 309300)
@@ -4,6 +4,8 @@
- Added ability to connect to HTTPS sites through proxy with basic
authentication using stream_context/http/header/Proxy-Authorization (Dmitry)
+- Fixed bug #54262 (Crash when assigning value to a dimension in a non-array).
+ (Dmitry)
- Fixed bug #53682 (Fix compile on the VAX). (Rasmus, jklos)
- Fixed bug #53568 (swapped memset arguments in struct initialization).
(crrodriguez at opensuse dot org)
Added: php/php-src/branches/PHP_5_2/Zend/tests/bug54262.phpt
===================================================================
--- php/php-src/branches/PHP_5_2/Zend/tests/bug54262.phpt (rev 0)
+++ php/php-src/branches/PHP_5_2/Zend/tests/bug54262.phpt 2011-03-16 11:14:33 UTC (rev 309300)
@@ -0,0 +1,17 @@
+--TEST--
+Bug #54262 (Crash when assigning value to a dimension in a non-array)
+--FILE--
+<?php
+$a = '0';
+var_dump(isset($a['b']));
+$simpleString = preg_match('//', '', $a->a);
+$simpleString["wrong"] = "f";
+echo "ok\n";
+?>
+--EXPECTF--
+bool(true)
+
+Warning: Attempt to modify property of non-object in %s/Zend/tests/bug54262.php on line 4
+
+Warning: Cannot use a scalar value as an array in %s/Zend/tests/bug54262.php on line 5
+ok
\ No newline at end of file
Modified: php/php-src/branches/PHP_5_2/Zend/zend_vm_def.h
===================================================================
--- php/php-src/branches/PHP_5_2/Zend/zend_vm_def.h 2011-03-16 10:56:51 UTC (rev 309299)
+++ php/php-src/branches/PHP_5_2/Zend/zend_vm_def.h 2011-03-16 11:14:33 UTC (rev 309300)
@@ -2379,10 +2379,9 @@
}
if (OP1_TYPE == IS_VAR && *varptr_ptr == EG(error_zval_ptr)) {
- (*varptr_ptr)->refcount--;
- ALLOC_ZVAL(*varptr_ptr);
- INIT_ZVAL(**varptr_ptr);
- (*varptr_ptr)->refcount = 0;
+ ALLOC_INIT_ZVAL(varptr);
+ zend_ptr_stack_push(&EG(argument_stack), varptr);
+ ZEND_VM_NEXT_OPCODE();
}
if (EX(function_state).function->type == ZEND_INTERNAL_FUNCTION && !ARG_SHOULD_BE_SENT_BY_REF(EX(fbc), opline->op2.u.opline_num)) {
Modified: php/php-src/branches/PHP_5_2/Zend/zend_vm_execute.h
===================================================================
--- php/php-src/branches/PHP_5_2/Zend/zend_vm_execute.h 2011-03-16 10:56:51 UTC (rev 309299)
+++ php/php-src/branches/PHP_5_2/Zend/zend_vm_execute.h 2011-03-16 11:14:33 UTC (rev 309300)
@@ -7606,10 +7606,9 @@
}
if (IS_VAR == IS_VAR && *varptr_ptr == EG(error_zval_ptr)) {
- (*varptr_ptr)->refcount--;
- ALLOC_ZVAL(*varptr_ptr);
- INIT_ZVAL(**varptr_ptr);
- (*varptr_ptr)->refcount = 0;
+ ALLOC_INIT_ZVAL(varptr);
+ zend_ptr_stack_push(&EG(argument_stack), varptr);
+ ZEND_VM_NEXT_OPCODE();
}
if (EX(function_state).function->type == ZEND_INTERNAL_FUNCTION && !ARG_SHOULD_BE_SENT_BY_REF(EX(fbc), opline->op2.u.opline_num)) {
@@ -20049,10 +20048,9 @@
}
if (IS_CV == IS_VAR && *varptr_ptr == EG(error_zval_ptr)) {
- (*varptr_ptr)->refcount--;
- ALLOC_ZVAL(*varptr_ptr);
- INIT_ZVAL(**varptr_ptr);
- (*varptr_ptr)->refcount = 0;
+ ALLOC_INIT_ZVAL(varptr);
+ zend_ptr_stack_push(&EG(argument_stack), varptr);
+ ZEND_VM_NEXT_OPCODE();
}
if (EX(function_state).function->type == ZEND_INTERNAL_FUNCTION && !ARG_SHOULD_BE_SENT_BY_REF(EX(fbc), opline->op2.u.opline_num)) {
Modified: php/php-src/branches/PHP_5_3/NEWS
===================================================================
--- php/php-src/branches/PHP_5_3/NEWS 2011-03-16 10:56:51 UTC (rev 309299)
+++ php/php-src/branches/PHP_5_3/NEWS 2011-03-16 11:14:33 UTC (rev 309300)
@@ -1,6 +1,10 @@
PHP NEWS
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
?? Mar 2011, PHP 5.3.6
+- Zend Engine:
+ . Fixed bug #54262 (Crash when assigning value to a dimension in a non-array).
+ (Dmitry)
+
- Phar extension:
. Fixed bug #54247 (format-string vulnerability on Phar). (Felipe)
(CVE-2011-1153)
Added: php/php-src/branches/PHP_5_3/Zend/tests/bug54262.phpt
===================================================================
--- php/php-src/branches/PHP_5_3/Zend/tests/bug54262.phpt (rev 0)
+++ php/php-src/branches/PHP_5_3/Zend/tests/bug54262.phpt 2011-03-16 11:14:33 UTC (rev 309300)
@@ -0,0 +1,17 @@
+--TEST--
+Bug #54262 (Crash when assigning value to a dimension in a non-array)
+--FILE--
+<?php
+$a = '0';
+var_dump(isset($a['b']));
+$simpleString = preg_match('//', '', $a->a);
+$simpleString["wrong"] = "f";
+echo "ok\n";
+?>
+--EXPECTF--
+bool(true)
+
+Warning: Attempt to modify property of non-object in %s/Zend/tests/bug54262.php on line 4
+
+Warning: Cannot use a scalar value as an array in %s/Zend/tests/bug54262.php on line 5
+ok
\ No newline at end of file
Modified: php/php-src/branches/PHP_5_3/Zend/zend_vm_def.h
===================================================================
--- php/php-src/branches/PHP_5_3/Zend/zend_vm_def.h 2011-03-16 10:56:51 UTC (rev 309299)
+++ php/php-src/branches/PHP_5_3/Zend/zend_vm_def.h 2011-03-16 11:14:33 UTC (rev 309300)
@@ -2694,10 +2694,9 @@
}
if (OP1_TYPE == IS_VAR && *varptr_ptr == EG(error_zval_ptr)) {
- Z_DELREF_PP(varptr_ptr);
- ALLOC_ZVAL(*varptr_ptr);
- INIT_ZVAL(**varptr_ptr);
- Z_SET_REFCOUNT_PP(varptr_ptr, 0);
+ ALLOC_INIT_ZVAL(varptr);
+ zend_vm_stack_push(varptr TSRMLS_CC);
+ ZEND_VM_NEXT_OPCODE();
}
if (EX(function_state).function->type == ZEND_INTERNAL_FUNCTION && !ARG_SHOULD_BE_SENT_BY_REF(EX(fbc), opline->op2.u.opline_num)) {
Modified: php/php-src/branches/PHP_5_3/Zend/zend_vm_execute.h
===================================================================
--- php/php-src/branches/PHP_5_3/Zend/zend_vm_execute.h 2011-03-16 10:56:51 UTC (rev 309299)
+++ php/php-src/branches/PHP_5_3/Zend/zend_vm_execute.h 2011-03-16 11:14:33 UTC (rev 309300)
@@ -2,7 +2,7 @@
+----------------------------------------------------------------------+
| Zend Engine |
+----------------------------------------------------------------------+
- | Copyright (c) 1998-2011 Zend Technologies Ltd. (http://www.zend.com) |
+ | Copyright (c) 1998-2010 Zend Technologies Ltd. (http://www.zend.com) |
+----------------------------------------------------------------------+
| This source file is subject to version 2.00 of the Zend license, |
| that is bundled with this package in the file LICENSE, and is |
@@ -1880,16 +1880,6 @@
return_value_used = RETURN_VALUE_USED(opline);
- if (Z_LVAL(opline->op2.u.constant) != ZEND_EVAL && strlen(Z_STRVAL_P(inc_filename)) != Z_STRLEN_P(inc_filename)) {
- if (Z_LVAL(opline->op2.u.constant)==ZEND_INCLUDE_ONCE ||
- Z_LVAL(opline->op2.u.constant)==ZEND_INCLUDE) {
- zend_message_dispatcher(ZMSG_FAILED_INCLUDE_FOPEN, Z_STRVAL_P(inc_filename) TSRMLS_CC);
- } else {
- zend_message_dispatcher(ZMSG_FAILED_REQUIRE_FOPEN, Z_STRVAL_P(inc_filename) TSRMLS_CC);
- }
- goto done;
- }
-
switch (Z_LVAL(opline->op2.u.constant)) {
case ZEND_INCLUDE_ONCE:
case ZEND_REQUIRE_ONCE: {
@@ -1943,7 +1933,6 @@
break;
EMPTY_SWITCH_DEFAULT_CASE()
}
-done:
if (inc_filename==&tmp_inc_filename) {
zval_dtor(&tmp_inc_filename);
}
@@ -5165,16 +5154,6 @@
return_value_used = RETURN_VALUE_USED(opline);
- if (Z_LVAL(opline->op2.u.constant) != ZEND_EVAL && strlen(Z_STRVAL_P(inc_filename)) != Z_STRLEN_P(inc_filename)) {
- if (Z_LVAL(opline->op2.u.constant)==ZEND_INCLUDE_ONCE ||
- Z_LVAL(opline->op2.u.constant)==ZEND_INCLUDE) {
- zend_message_dispatcher(ZMSG_FAILED_INCLUDE_FOPEN, Z_STRVAL_P(inc_filename) TSRMLS_CC);
- } else {
- zend_message_dispatcher(ZMSG_FAILED_REQUIRE_FOPEN, Z_STRVAL_P(inc_filename) TSRMLS_CC);
- }
- goto done;
- }
-
switch (Z_LVAL(opline->op2.u.constant)) {
case ZEND_INCLUDE_ONCE:
case ZEND_REQUIRE_ONCE: {
@@ -5228,7 +5207,6 @@
break;
EMPTY_SWITCH_DEFAULT_CASE()
}
-done:
if (inc_filename==&tmp_inc_filename) {
zval_dtor(&tmp_inc_filename);
}
@@ -8364,10 +8342,9 @@
}
if (IS_VAR == IS_VAR && *varptr_ptr == EG(error_zval_ptr)) {
- Z_DELREF_PP(varptr_ptr);
- ALLOC_ZVAL(*varptr_ptr);
- INIT_ZVAL(**varptr_ptr);
- Z_SET_REFCOUNT_PP(varptr_ptr, 0);
+ ALLOC_INIT_ZVAL(varptr);
+ zend_vm_stack_push(varptr TSRMLS_CC);
+ ZEND_VM_NEXT_OPCODE();
}
if (EX(function_state).function->type == ZEND_INTERNAL_FUNCTION && !ARG_SHOULD_BE_SENT_BY_REF(EX(fbc), opline->op2.u.opline_num)) {
@@ -8546,16 +8523,6 @@
return_value_used = RETURN_VALUE_USED(opline);
- if (Z_LVAL(opline->op2.u.constant) != ZEND_EVAL && strlen(Z_STRVAL_P(inc_filename)) != Z_STRLEN_P(inc_filename)) {
- if (Z_LVAL(opline->op2.u.constant)==ZEND_INCLUDE_ONCE ||
- Z_LVAL(opline->op2.u.constant)==ZEND_INCLUDE) {
- zend_message_dispatcher(ZMSG_FAILED_INCLUDE_FOPEN, Z_STRVAL_P(inc_filename) TSRMLS_CC);
- } else {
- zend_message_dispatcher(ZMSG_FAILED_REQUIRE_FOPEN, Z_STRVAL_P(inc_filename) TSRMLS_CC);
- }
- goto done;
- }
-
switch (Z_LVAL(opline->op2.u.constant)) {
case ZEND_INCLUDE_ONCE:
case ZEND_REQUIRE_ONCE: {
@@ -8609,7 +8576,6 @@
break;
EMPTY_SWITCH_DEFAULT_CASE()
}
-done:
if (inc_filename==&tmp_inc_filename) {
zval_dtor(&tmp_inc_filename);
}
@@ -22248,10 +22214,9 @@
}
if (IS_CV == IS_VAR && *varptr_ptr == EG(error_zval_ptr)) {
- Z_DELREF_PP(varptr_ptr);
- ALLOC_ZVAL(*varptr_ptr);
- INIT_ZVAL(**varptr_ptr);
- Z_SET_REFCOUNT_PP(varptr_ptr, 0);
+ ALLOC_INIT_ZVAL(varptr);
+ zend_vm_stack_push(varptr TSRMLS_CC);
+ ZEND_VM_NEXT_OPCODE();
}
if (EX(function_state).function->type == ZEND_INTERNAL_FUNCTION && !ARG_SHOULD_BE_SENT_BY_REF(EX(fbc), opline->op2.u.opline_num)) {
@@ -22420,16 +22385,6 @@
return_value_used = RETURN_VALUE_USED(opline);
- if (Z_LVAL(opline->op2.u.constant) != ZEND_EVAL && strlen(Z_STRVAL_P(inc_filename)) != Z_STRLEN_P(inc_filename)) {
- if (Z_LVAL(opline->op2.u.constant)==ZEND_INCLUDE_ONCE ||
- Z_LVAL(opline->op2.u.constant)==ZEND_INCLUDE) {
- zend_message_dispatcher(ZMSG_FAILED_INCLUDE_FOPEN, Z_STRVAL_P(inc_filename) TSRMLS_CC);
- } else {
- zend_message_dispatcher(ZMSG_FAILED_REQUIRE_FOPEN, Z_STRVAL_P(inc_filename) TSRMLS_CC);
- }
- goto done;
- }
-
switch (Z_LVAL(opline->op2.u.constant)) {
case ZEND_INCLUDE_ONCE:
case ZEND_REQUIRE_ONCE: {
@@ -22483,7 +22438,6 @@
break;
EMPTY_SWITCH_DEFAULT_CASE()
}
-done:
if (inc_filename==&tmp_inc_filename) {
zval_dtor(&tmp_inc_filename);
}
Modified: php/php-src/branches/PHP_5_3/Zend/zend_vm_opcodes.h
===================================================================
--- php/php-src/branches/PHP_5_3/Zend/zend_vm_opcodes.h 2011-03-16 10:56:51 UTC (rev 309299)
+++ php/php-src/branches/PHP_5_3/Zend/zend_vm_opcodes.h 2011-03-16 11:14:33 UTC (rev 309300)
@@ -2,7 +2,7 @@
+----------------------------------------------------------------------+
| Zend Engine |
+----------------------------------------------------------------------+
- | Copyright (c) 1998-2011 Zend Technologies Ltd. (http://www.zend.com) |
+ | Copyright (c) 1998-2010 Zend Technologies Ltd. (http://www.zend.com) |
+----------------------------------------------------------------------+
| This source file is subject to version 2.00 of the Zend license, |
| that is bundled with this package in the file LICENSE, and is |
Added: php/php-src/trunk/Zend/tests/bug54262.phpt
===================================================================
--- php/php-src/trunk/Zend/tests/bug54262.phpt (rev 0)
+++ php/php-src/trunk/Zend/tests/bug54262.phpt 2011-03-16 11:14:33 UTC (rev 309300)
@@ -0,0 +1,17 @@
+--TEST--
+Bug #54262 (Crash when assigning value to a dimension in a non-array)
+--FILE--
+<?php
+$a = '0';
+var_dump(isset($a['b']));
+$simpleString = preg_match('//', '', $a->a);
+$simpleString["wrong"] = "f";
+echo "ok\n";
+?>
+--EXPECTF--
+bool(true)
+
+Warning: Attempt to modify property of non-object in %s/Zend/tests/bug54262.php on line 4
+
+Warning: Cannot use a scalar value as an array in %s/Zend/tests/bug54262.php on line 5
+ok
\ No newline at end of file
Modified: php/php-src/trunk/Zend/zend_vm_def.h
===================================================================
--- php/php-src/trunk/Zend/zend_vm_def.h 2011-03-16 10:56:51 UTC (rev 309299)
+++ php/php-src/trunk/Zend/zend_vm_def.h 2011-03-16 11:14:33 UTC (rev 309300)
@@ -3051,10 +3051,10 @@
}
if (OP1_TYPE == IS_VAR && UNEXPECTED(*varptr_ptr == &EG(error_zval))) {
- Z_DELREF_PP(varptr_ptr);
- ALLOC_ZVAL(*varptr_ptr);
- INIT_ZVAL(**varptr_ptr);
- Z_SET_REFCOUNT_PP(varptr_ptr, 0);
+ ALLOC_INIT_ZVAL(varptr);
+ zend_vm_stack_push(varptr TSRMLS_CC);
+ CHECK_EXCEPTION();
+ ZEND_VM_NEXT_OPCODE();
}
if (EX(function_state).function->type == ZEND_INTERNAL_FUNCTION && !ARG_SHOULD_BE_SENT_BY_REF(EX(fbc), opline->op2.opline_num)) {
Modified: php/php-src/trunk/Zend/zend_vm_execute.h
===================================================================
--- php/php-src/trunk/Zend/zend_vm_execute.h 2011-03-16 10:56:51 UTC (rev 309299)
+++ php/php-src/trunk/Zend/zend_vm_execute.h 2011-03-16 11:14:33 UTC (rev 309300)
@@ -10621,10 +10621,10 @@
}
if (IS_VAR == IS_VAR && UNEXPECTED(*varptr_ptr == &EG(error_zval))) {
- Z_DELREF_PP(varptr_ptr);
- ALLOC_ZVAL(*varptr_ptr);
- INIT_ZVAL(**varptr_ptr);
- Z_SET_REFCOUNT_PP(varptr_ptr, 0);
+ ALLOC_INIT_ZVAL(varptr);
+ zend_vm_stack_push(varptr TSRMLS_CC);
+ CHECK_EXCEPTION();
+ ZEND_VM_NEXT_OPCODE();
}
if (EX(function_state).function->type == ZEND_INTERNAL_FUNCTION && !ARG_SHOULD_BE_SENT_BY_REF(EX(fbc), opline->op2.opline_num)) {
@@ -26310,10 +26310,10 @@
}
if (IS_CV == IS_VAR && UNEXPECTED(*varptr_ptr == &EG(error_zval))) {
- Z_DELREF_PP(varptr_ptr);
- ALLOC_ZVAL(*varptr_ptr);
- INIT_ZVAL(**varptr_ptr);
- Z_SET_REFCOUNT_PP(varptr_ptr, 0);
+ ALLOC_INIT_ZVAL(varptr);
+ zend_vm_stack_push(varptr TSRMLS_CC);
+ CHECK_EXCEPTION();
+ ZEND_VM_NEXT_OPCODE();
}
if (EX(function_state).function->type == ZEND_INTERNAL_FUNCTION && !ARG_SHOULD_BE_SENT_BY_REF(EX(fbc), opline->op2.opline_num)) {
--
PHP CVS Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
