author | Xinchen Hui <laruence@php.net> | 2013-04-04 14:34:11 +0800 |
---|---|---|
committer | Xinchen Hui <laruence@php.net> | 2013-04-04 14:34:11 +0800 |
commit | c96a5bc6be99ff8a4c5dbc1ea3c04d8144bc47a9 (patch) | |
tree | b205505b2f7cc6b5f54d4e229f4d16bc8184cd32 | |
parent | 9456dac54e89bdfdf9904739bae315aae9a14a81 (diff) | |
Fixed bug #64578 (debug_backtrace in set_error_handler corrupts zend heap: segfault)
-rw-r--r-- | NEWS | 3 | ||||
-rw-r--r-- | Zend/tests/bug64578.phpt | 15 | ||||
-rw-r--r-- | Zend/zend_execute.c | 7 |
3 files changed, 22 insertions, 3 deletions
@@ -2,6 +2,9 @@ PHP NEWS ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||| ?? ??? 2013, PHP 5.3.25 +- Core: + . Fixed bug #64578 (debug_backtrace in set_error_handler corrupts zend heap: + segfault). (Laruence) ?? ??? 2013, PHP 5.3.24 diff --git a/Zend/tests/bug64578.phpt b/Zend/tests/bug64578.phpt new file mode 100644 index 0000000000..65c51d94ff --- /dev/null +++ b/Zend/tests/bug64578.phpt @@ -0,0 +1,15 @@ +--TEST-- +Bug #64578 (debug_backtrace in set_error_handler corrupts zend heap: segfault) +--FILE-- +<?php +function x($s) { + $resource = fopen("php://input", "r"); + $s[$resource] = '2'; +} +$y = "1"; +x($y); +var_dump($y); +?> +--EXPECTF-- +Warning: Illegal offset type in %sbug64578.php on line %d +string(1) "1" diff --git a/Zend/zend_execute.c b/Zend/zend_execute.c index de7cd4a486..16dc08e502 100644 --- a/Zend/zend_execute.c +++ b/Zend/zend_execute.c @@ -937,6 +937,10 @@ convert_to_array: zend_error_noreturn(E_ERROR, "[] operator not supported for strings"); } + if (type != BP_VAR_UNSET) { + SEPARATE_ZVAL_IF_NOT_REF(container_ptr); + } + if (Z_TYPE_P(dim) != IS_LONG) { switch(Z_TYPE_P(dim)) { /* case IS_LONG: */ @@ -956,9 +960,6 @@ convert_to_array: convert_to_long(&tmp); dim = &tmp; } - if (type != BP_VAR_UNSET) { - SEPARATE_ZVAL_IF_NOT_REF(container_ptr); - } container = *container_ptr; result->str_offset.str = container; PZVAL_LOCK(container); |
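Review bot: The new Zend/tests/bug64578.phpt registers no error handler and never calls debug_backtrace(), although the bug title names both, so the path through a user handler is not exercised. As written, the test only checks that the "Illegal offset type" warning is emitted and that `$y` is still `"1"` after `x($y)`. A second case that installs a handler with `set_error_handler()` calling `debug_backtrace()` before the `$s[$resource] = '2';` assignment would pin the reported heap corruption rather than only the copy-on-write result.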
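Review bot: The moved `SEPARATE_ZVAL_IF_NOT_REF(container_ptr)` in the first Zend/zend_execute.c hunk now has to stay ahead of the `switch` on `Z_TYPE_P(dim)`, but nothing in the new lines says so. A later cleanup could move it back next to `container = *container_ptr;`, where the second hunk removed it. Judging by the test's expected "Illegal offset type" warning and the bug title, the switch body (which lies between the two hunks and is not shown) can presumably raise a warning that reaches a user error handler while the string is still shared. I would add a comment above the new block, for example `/* Separate before the offset conversion: the warning raised there can run user code while the string is still shared (bug #64578). */`. The enclosing function starts and ends outside both hunks, so any other branch that raises an error before separating cannot be checked from here.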