authorXinchen Hui <laruence@gmail.com>2017-11-29 14:46:21 +0800
committerAnatol Belski <ab@php.net>2017-12-04 11:50:44 +0100
commitd4dee4a6144ff12c6ac4b29968dda13eda406011 (patch)
tree5f544f5e7819e20772120d6a045496f100d42f97
parentd6d4f2a9b38cd7fa7e938142e49e5a514d612e52 (diff)
downloadphp-git-d4dee4a6144ff12c6ac4b29968dda13eda406011.tar.gz
Fixed bug #75573 (Segmentation fault in 7.1.12 and 7.0.26)
(cherry picked from commit 3b9ba7b6bd9e24bdbeca8e8e3f24cee2fccc51d8)
-rw-r--r--Zend/tests/bug75573.phpt64
-rw-r--r--Zend/zend_object_handlers.c2
2 files changed, 65 insertions, 1 deletions
diff --git a/Zend/tests/bug75573.phpt b/Zend/tests/bug75573.phpt
new file mode 100644
index 0000000000..476ff6e6cf
--- /dev/null
+++ b/Zend/tests/bug75573.phpt
@@ -0,0 +1,64 @@
+--TEST--
+Bug #75573 (Segmentation fault in 7.1.12 and 7.0.26)
+--FILE--
+<?php
+
+class A
+{
+ var $_stdObject;
+ function initialize($properties = FALSE) {
+ $this->_stdObject = $properties ? (object) $properties : new stdClass();
+ parent::initialize();
+ }
+ function &__get($property)
+ {
+ if (isset($this->_stdObject->{$property})) {
+ $retval =& $this->_stdObject->{$property};
+ return $retval;
+ } else {
+ return NULL;
+ }
+ }
+ function &__set($property, $value)
+ {
+ return $this->_stdObject->{$property} = $value;
+ }
+ function __isset($property_name)
+ {
+ return isset($this->_stdObject->{$property_name});
+ }
+}
+
+class B extends A
+{
+ function initialize($properties = array())
+ {
+ parent::initialize($properties);
+ }
+ function &__get($property)
+ {
+ if (isset($this->settings) && isset($this->settings[$property])) {
+ $retval =& $this->settings[$property];
+ return $retval;
+ } else {
+ return parent::__get($property);
+ }
+ }
+}
+
+$b = new B();
+$b->settings = [ "foo" => "bar", "name" => "abc" ];
+var_dump($b->name);
+var_dump($b->settings);
+?>
+--EXPECTF--
+Warning: Creating default object from empty value in %sbug75573.php on line %d
+
+Notice: Only variable references should be returned by reference in %sbug75573.php on line %d
+string(3) "abc"
+array(2) {
+ ["foo"]=>
+ string(3) "bar"
+ ["name"]=>
+ string(3) "abc"
+}
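Review bot: The test only reads `name` and `settings`, so neither error branch touched in Zend/zend_object_handlers.c (`Cannot access empty property` and `Cannot access property started with '\0'`) is exercised, although the release of `tmp_object` was moved into the second one. A companion case that reads such a property from inside an active `__get` and expects the thrown `Error` would cover the moved line and catch a leak or double release under a debug build. The two `initialize()` methods are never called, and `A::initialize()` calls `parent::initialize()` on a class with no parent, so they could be dropped or marked with a comment such as `// kept from the original report, not executed`.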
diff --git a/Zend/zend_object_handlers.c b/Zend/zend_object_handlers.c
index 3b86a1a6eb..54f093ae10 100644
--- a/Zend/zend_object_handlers.c
+++ b/Zend/zend_object_handlers.c
@@ -602,13 +602,13 @@ zval *zend_std_read_property(zval *object, zval *member, int type, void **cache_
zval_ptr_dtor(&tmp_object);
goto exit;
} else {
- zval_ptr_dtor(&tmp_object);
if (Z_STRVAL_P(member)[0] == '\0') {
if (Z_STRLEN_P(member) == 0) {
zend_throw_error(NULL, "Cannot access empty property");
retval = &EG(uninitialized_zval);
goto exit;
} else {
+ zval_ptr_dtor(&tmp_object);
zend_throw_error(NULL, "Cannot access property started with '\\0'");
retval = &EG(uninitialized_zval);
goto exit;
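Review bot: In the `Z_STRLEN_P(member) == 0` branch the function now reaches `goto exit` with no `zval_ptr_dtor(&tmp_object)`, because the release was moved into the `'\0'`-prefixed branch only. Whether `tmp_object` holds a reference at that point, and whether the code at `exit:` releases it, lies outside the hunk and should be confirmed; if it does hold one, this branch needs the same `zval_ptr_dtor(&tmp_object);` before its `zend_throw_error(...)` call. If the move was made because the fall-through path still uses `tmp_object`, as the placement suggests, a comment at the moved call such as `/* release only where we bail out; the fall-through path still needs tmp_object */` would record the ownership rule behind this crash fix. The body of zend_std_read_property starts and ends outside the hunk.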