diff options
| author | Xinchen Hui <laruence@php.net> | 2013-06-09 13:20:40 +0800 |
|---|---|---|
| committer | Xinchen Hui <laruence@php.net> | 2013-06-09 13:20:40 +0800 |
| commit | e8f004d54252e0130b88131bdc46a41ed365c51e (patch) | |
| tree | 24f42eadf0e6efeaaf2c426bd29754ede572974a | |
| parent | 1aee7ad63672747bd941f169ef42bed5765137e0 (diff) | |
| download | php-git-e8f004d54252e0130b88131bdc46a41ed365c51e.tar.gz | |
Fixed bug #64966 (segfault in zend_do_fcall_common_helper_SPEC)
| -rw-r--r-- | NEWS | 2 | ||||
| -rw-r--r-- | Zend/tests/bug64966.phpt | 30 | ||||
| -rw-r--r-- | Zend/zend_vm_def.h | 2 | ||||
| -rw-r--r-- | Zend/zend_vm_execute.h | 2 |
4 files changed, 36 insertions, 0 deletions
@@ -1,7 +1,9 @@ PHP NEWS ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||| ?? ??? 2013, PHP 5.3.27 + - Core: + . Fixed bug #64966 (segfault in zend_do_fcall_common_helper_SPEC). (Laruence) . Fixed bug #64960 (Segfault in gc_zval_possible_root). (Laruence) . Fixed bug #64934 (Apache2 TS crash with get_browser()). (Anatol) diff --git a/Zend/tests/bug64966.phpt b/Zend/tests/bug64966.phpt new file mode 100644 index 0000000000..27fec3b72a --- /dev/null +++ b/Zend/tests/bug64966.phpt @@ -0,0 +1,30 @@ +--TEST-- +Bug #64966 (segfault in zend_do_fcall_common_helper_SPEC) +--FILE-- +<?php +error_reporting(E_ALL); +set_error_handler(function($error) { throw new Exception(); }, E_RECOVERABLE_ERROR); + +function test($func) { + $a = $func(""); + return true; +} +class A { + public function b() { + test("strlen"); + test("iterator_apply"); + } +} + +$a = new A(); +$a->b(); +?> +--EXPECTF-- +Fatal error: Uncaught exception 'Exception' in %sbug64966.php:3 +Stack trace: +#0 [internal function]: {closure}(4096, 'Argument 1 pass...', '/home/huixinche...', 6, Array) +#1 %sbug64966.php(6): iterator_apply('') +#2 %sbug64966.php(12): test('iterator_apply') +#3 %sbug64966.php(17): A->b() +#4 {main} + thrown in %sbug64966.php on line 3 diff --git a/Zend/zend_vm_def.h b/Zend/zend_vm_def.h index 02566f365d..d471f399e0 100644 --- a/Zend/zend_vm_def.h +++ b/Zend/zend_vm_def.h @@ -2327,6 +2327,8 @@ ZEND_VM_HELPER(zend_do_fcall_common_helper, ANY, ANY) if (!RETURN_VALUE_USED(opline)) { zval_ptr_dtor(&EX_T(opline->result.u.var).var.ptr); } + } else if (RETURN_VALUE_USED(opline)) { + EX_T(opline->result.u.var).var.ptr = NULL; } } else if (EX(function_state).function->type == ZEND_USER_FUNCTION) { EX(original_return_value) = EG(return_value_ptr_ptr); diff --git a/Zend/zend_vm_execute.h b/Zend/zend_vm_execute.h index f6220b0f53..993b822aa7 100644 --- a/Zend/zend_vm_execute.h +++ b/Zend/zend_vm_execute.h @@ -327,6 +327,8 @@ static int ZEND_FASTCALL zend_do_fcall_common_helper_SPEC(ZEND_OPCODE_HANDLER_AR if (!RETURN_VALUE_USED(opline)) { zval_ptr_dtor(&EX_T(opline->result.u.var).var.ptr); } + } else if (RETURN_VALUE_USED(opline)) { + EX_T(opline->result.u.var).var.ptr = NULL; } } else if (EX(function_state).function->type == ZEND_USER_FUNCTION) { EX(original_return_value) = EG(return_value_ptr_ptr); |