Fixed bug #71843 (null ptr deref ZEND_RETURN_SPEC_CONST_HANDLER)

3 files changed, 29 insertions, 1 deletions

diff --git a/NEWS b/NEWS
index 5ffad7624a..9a200f9a10 100644
--- a/NEWS
+++ b/NEWS
@@ -5,6 +5,10 @@ PHP                                                                        NEWS
 - Core: 
   . Fixed bug #71841 (EG(error_zval) is not handled well). (Laruence)
 
+- Opcache:
+  . Fixed bug #71843 (null ptr deref ZEND_RETURN_SPEC_CONST_HANDLER).
+    (Laruence)
+
 - Standard:
   . Fixed bug #71840 (Unserialize accepts wrongly data). (Ryat, Laruence)
 
diff --git a/ext/opcache/Optimizer/block_pass.c b/ext/opcache/Optimizer/block_pass.c
index c146d0cc8c..bf3f144cc1 100644
--- a/ext/opcache/Optimizer/block_pass.c
+++ b/ext/opcache/Optimizer/block_pass.c
@@ -716,8 +716,11 @@ static void zend_optimize_block(zend_code_block *block, zend_op_array *op_array,
 			if (src->opcode == ZEND_BOOL) {
 				if (ZEND_OP1_TYPE(src) == IS_CONST) {
 					literal_dtor(&ZEND_OP1_LITERAL(src));
+				} else if (ZEND_OP1_TYPE(src) == IS_TMP_VAR) {
+					src->opcode = ZEND_FREE;
+				} else {
+					MAKE_NOP(src);
 				}
-				MAKE_NOP(src);
 				MAKE_NOP(opline);
 			}
 		}
diff --git a/ext/opcache/tests/bug71843.phpt b/ext/opcache/tests/bug71843.phpt
new file mode 100644
index 0000000000..7fcf32c032
--- /dev/null
+++ b/ext/opcache/tests/bug71843.phpt
@@ -0,0 +1,21 @@
+--TEST--
+Bug #71843 (null ptr deref ZEND_RETURN_SPEC_CONST_HANDLER (zend_vm_execute.h:3479))
+--INI--
+opcache.enable=1
+opcache.enable_cli=1
+opcache.optimization_level=0xFFFFBFFF
+--SKIPIF--
+<?php if (!extension_loaded('Zend OPcache')) die("skip"); ?>
+--FILE--
+<?
+0 & ~E & ~R;
+6 && ~See
+?>
+okey
+--EXPECTF--
+Notice: Use of undefined constant E - assumed 'E' in %sbug71843.php on line %d
+
+Notice: Use of undefined constant R - assumed 'R' in %sbug71843.php on line %d
+
+Notice: Use of undefined constant See - assumed 'See' in %sbug71843.php on line %d
+okey