Commit:    c96a5bc6be99ff8a4c5dbc1ea3c04d8144bc47a9
Author:    Xinchen Hui <larue...@php.net>         Thu, 4 Apr 2013 14:34:11 +0800
Parents:   9456dac54e89bdfdf9904739bae315aae9a14a81
Branches:  PHP-5.3

Link:       
http://git.php.net/?p=php-src.git;a=commitdiff;h=c96a5bc6be99ff8a4c5dbc1ea3c04d8144bc47a9

Log:
Fixed bug #64578 (debug_backtrace in set_error_handler corrupts zend heap: 
segfault)

Bugs:
https://bugs.php.net/64578

Changed paths:
  M  NEWS
  A  Zend/tests/bug64578.phpt
  M  Zend/zend_execute.c


Diff:
diff --git a/NEWS b/NEWS
index 18fe3e5..7839016 100644
--- a/NEWS
+++ b/NEWS
@@ -2,6 +2,9 @@ PHP                                                             
           NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 ?? ??? 2013, PHP 5.3.25
 
+- Core:
+  . Fixed bug #64578 (debug_backtrace in set_error_handler corrupts zend heap: 
+       segfault). (Laruence)
 
 
 ?? ??? 2013, PHP 5.3.24
diff --git a/Zend/tests/bug64578.phpt b/Zend/tests/bug64578.phpt
new file mode 100644
index 0000000..65c51d9
--- /dev/null
+++ b/Zend/tests/bug64578.phpt
@@ -0,0 +1,15 @@
+--TEST--
+Bug #64578 (debug_backtrace in set_error_handler corrupts zend heap: segfault)
+--FILE--
+<?php
+function x($s) { 
+       $resource = fopen("php://input", "r"); 
+       $s[$resource] = '2';
+}
+$y = "1";
+x($y);
+var_dump($y);
+?>
+--EXPECTF--
+Warning: Illegal offset type in %sbug64578.php on line %d
+string(1) "1"
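Review bot: The test never installs an error handler or calls debug_backtrace(), so it appears to cover only the plain "Illegal offset type" warning path, not the set_error_handler scenario named in the bug title. Registering a handler before `x($y);`, for example `set_error_handler(function () { debug_backtrace(); return false; });`, would run user code while the string-offset write is in progress. Because that handler returns false, the standard handler still prints the warning and the EXPECTF section can stay as it is. Whether the current script fails on an unpatched build cannot be told from this page, so it is worth confirming that the test fails without the zend_execute.c change.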
diff --git a/Zend/zend_execute.c b/Zend/zend_execute.c
index de7cd4a..16dc08e 100644
--- a/Zend/zend_execute.c
+++ b/Zend/zend_execute.c
@@ -937,6 +937,10 @@ convert_to_array:
                                        zend_error_noreturn(E_ERROR, "[] 
operator not supported for strings");
                                }
 
+                               if (type != BP_VAR_UNSET) {
+                                       SEPARATE_ZVAL_IF_NOT_REF(container_ptr);
+                               }
+
                                if (Z_TYPE_P(dim) != IS_LONG) {
                                        switch(Z_TYPE_P(dim)) {
                                                /* case IS_LONG: */
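Review bot: The `SEPARATE_ZVAL_IF_NOT_REF(container_ptr)` block added above `if (Z_TYPE_P(dim) != IS_LONG)` is now order-sensitive, but no comment says so. A later cleanup could move it back next to `container = *container_ptr;` and reintroduce the heap corruption from bug #64578. A comment above the new block would pin the ordering, e.g. `/* separate before the offset checks: they may raise a warning and run a user error handler (bug #64578) */`; the new test expects "Illegal offset type", which suggests the warning is raised from these checks. It is also worth checking that nothing between this point and the later `container = *container_ptr;` reads the local `container`, because after separation it may no longer be the zval that `*container_ptr` refers to. The rest of the switch and the enclosing function lie outside the hunk.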
@@ -956,9 +960,6 @@ convert_to_array:
                                        convert_to_long(&tmp);
                                        dim = &tmp;
                                }
-                               if (type != BP_VAR_UNSET) {
-                                       SEPARATE_ZVAL_IF_NOT_REF(container_ptr);
-                               }
                                container = *container_ptr;
                                result->str_offset.str = container;
                                PZVAL_LOCK(container);

