diff options
author | Dmitry Stogov <dmitry@php.net> | 2011-03-16 15:21:38 +0000 |
---|---|---|
committer | Dmitry Stogov <dmitry@php.net> | 2011-03-16 15:21:38 +0000 |
commit | 98fc9750f9d66c3a53e315d3e478ced2d893055d (patch) | |
tree | 31d5b5fb4d6bc9af0637728d5a36049e73e652de | |
parent | f822fab4cbff096de8acad8cc593b030249d1e3b (diff) | |
download | php-git-98fc9750f9d66c3a53e315d3e478ced2d893055d.tar.gz |
Fixed bug #54265 (crash when variable gets reassigned in error handler)
-rw-r--r-- | NEWS | 2 | ||||
-rw-r--r-- | Zend/tests/bug54265.phpt | 17 | ||||
-rw-r--r-- | Zend/zend_execute.c | 25 |
3 files changed, 43 insertions, 1 deletions
@@ -4,6 +4,8 @@ - Added ability to connect to HTTPS sites through proxy with basic authentication using stream_context/http/header/Proxy-Authorization (Dmitry) +- Fixed bug #54265 (crash when variable gets reassigned in error handler). + (Dmitry) - Fixed bug #54262 (Crash when assigning value to a dimension in a non-array). (Dmitry) - Fixed bug #53682 (Fix compile on the VAX). (Rasmus, jklos) diff --git a/Zend/tests/bug54265.phpt b/Zend/tests/bug54265.phpt new file mode 100644 index 0000000000..43db028a2a --- /dev/null +++ b/Zend/tests/bug54265.phpt @@ -0,0 +1,17 @@ +--TEST-- +Bug #54265 (crash when variable gets reassigned in error handler) +--FILE-- +<?php +function my_errorhandler($errno,$errormsg) { + global $my_var; + $my_var = 0; + echo "EROOR: $errormsg\n"; +} +set_error_handler("my_errorhandler"); +$my_var = str_repeat("A",$my_var[0]->errormsg = "xyz"); +echo "ok\n"; +?> +--EXPECT-- +EROOR: Creating default object from empty value +ok + diff --git a/Zend/zend_execute.c b/Zend/zend_execute.c index bfd282b14d..701b8c9848 100644 --- a/Zend/zend_execute.c +++ b/Zend/zend_execute.c @@ -542,7 +542,30 @@ static inline void zend_assign_to_object(znode *result, zval **object_ptr, znode return; } - make_real_object(object_ptr TSRMLS_CC); /* this should modify object only if it's empty */ + if (Z_TYPE_PP(object_ptr) == IS_NULL + || (Z_TYPE_PP(object_ptr) == IS_BOOL && Z_LVAL_PP(object_ptr) == 0) + || (Z_TYPE_PP(object_ptr) == IS_STRING && Z_STRLEN_PP(object_ptr) == 0) + ) { + SEPARATE_ZVAL_IF_NOT_REF(object_ptr); + object = *object_ptr; + object->refcount++; + zend_error(E_STRICT, "Creating default object from empty value"); + if (object->refcount == 1) { + /* object was removed by error handler, nothing to assign to */ + zval_ptr_dtor(&object); + FREE_OP(free_op2); + if (!RETURN_VALUE_UNUSED(result)) { + *retval = &EG(uninitialized_zval); + PZVAL_LOCK(*retval); + } + FREE_OP(free_value); + return; + } + object->refcount--; + zval_dtor(object); + object_init(object); + } + object = *object_ptr; if (Z_TYPE_P(object) != IS_OBJECT || (opcode == ZEND_ASSIGN_OBJ && !Z_OBJ_HT_P(object)->write_property)) { |