author | Dmitry Stogov <dmitry@php.net> | 2006-10-30 11:05:00 +0000 |
---|---|---|
committer | Dmitry Stogov <dmitry@php.net> | 2006-10-30 11:05:00 +0000 |
commit | 7ff822ee49095d2e96d2757beb2bf827fce9feb6 (patch) | |
tree | f414550f4620b53d8b43d87c19f70c9b4923a687 | |
parent | 94b24ef2dd1d5b66064c119e96dd462983120431 (diff) | |
download | php-git-7ff822ee49095d2e96d2757beb2bf827fce9feb6.tar.gz |
Fixed bug #39304 (Segmentation fault with list unpacking of string offset)
-rw-r--r-- | NEWS | 3 | ||||
-rwxr-xr-x | Zend/tests/bug39304.phpt | 9 | ||||
-rw-r--r-- | Zend/zend_vm_def.h | 4 | ||||
-rw-r--r-- | Zend/zend_vm_execute.h | 32 |
4 files changed, 39 insertions, 9 deletions
@@ -1,8 +1,11 @@ PHP NEWS ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||| 00 Oct 2006, PHP 5.2.0RC7 +- Fixed bug #39304 (Segmentation fault with list unpacking of string offset). + (Dmitry) - Fixed bug #39192 (Not including nsapi.h properly with SJSWS 7). This will make PHP 5.2 compatible to new Sun Webserver. (Uwe) + 19 Oct 2006, PHP 5.2.0RC6 - Fixed invalid read in imagecreatefrompng when an empty file is given (Pierre, Tony)
diff --git a/Zend/tests/bug39304.phpt b/Zend/tests/bug39304.phpt
new file mode 100755
index 0000000000..9e4416c969
--- /dev/null
+++ b/Zend/tests/bug39304.phpt
@@ -0,0 +1,9 @@
+--TEST--
+Bug #39304 (Segmentation fault with list unpacking of string offset)
+--FILE--
+<?php
+ $s = "";
+ list($a, $b) = $s[0];
+?>
+--EXPECTF--
+Fatal error: Cannot use string offset as an array in %sbug39304.php on line 3
diff --git a/Zend/zend_vm_def.h b/Zend/zend_vm_def.h
index ef44ed108a..ba3b74ae6e 100644
--- a/Zend/zend_vm_def.h
+++ b/Zend/zend_vm_def.h
@@ -1041,7 +1041,9 @@ ZEND_VM_HANDLER(81, ZEND_FETCH_DIM_R, VAR|CV, CONST|TMP|VAR|CV)
 zend_free_op free_op1, free_op2;
 zval *dim = GET_OP2_ZVAL_PTR(BP_VAR_R);
- if (opline->extended_value == ZEND_FETCH_ADD_LOCK && OP1_TYPE != IS_CV) {
+ if (opline->extended_value == ZEND_FETCH_ADD_LOCK &&
+ OP1_TYPE != IS_CV &&
+ EX_T(opline->op1.u.var).var.ptr_ptr) {
 PZVAL_LOCK(*EX_T(opline->op1.u.var).var.ptr_ptr);
 }
 zend_fetch_dimension_address(RETURN_VALUE_UNUSED(&opline->result)?NULL:&EX_T(opline->result.u.var), GET_OP1_ZVAL_PTR_PTR(BP_VAR_R), dim, IS_OP2_TMP_FREE(), BP_VAR_R TSRMLS_CC);
diff --git a/Zend/zend_vm_execute.h b/Zend/zend_vm_execute.h
index f23e6ab835..19ecb88300 100644
--- a/Zend/zend_vm_execute.h
+++ b/Zend/zend_vm_execute.h
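Review bot: The new test in Zend/tests/bug39304.phpt exercises only the empty-string case `$s = "";`, so it cannot distinguish a crash that depends on the string being empty from one caused by the string-offset fetch itself. If, as the commit title suggests, the fault lies in unpacking any string offset, a second case on a non-empty string (`$s = "ab"; list($a, $b) = $s[0];`, expecting the same fatal error) would pin the fix more tightly and guard against a later regression that only handles the empty case. This is an inference from the test and the title; the crash path itself is not visible in this hunk.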
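Review bot: The added `EX_T(opline->op1.u.var).var.ptr_ptr` guard in ZEND_FETCH_DIM_R (Zend/zend_vm_def.h) silently skips the PZVAL_LOCK when the pointer is NULL, and nothing in the hunk records why a VAR operand can have a NULL ptr_ptr here; a later reader will assume it is always set and may drop the check as redundant. A short comment on the added condition would keep the reasoning with the code, e.g. `/* ptr_ptr is NULL when op1 is a string offset (bug #39304); presumably zend_fetch_dimension_address() reports the error below, so there is nothing to lock */`. Whether the skipped lock is correctly balanced by whatever later releases this operand is not visible in the hunk and is worth confirming in the consumer of the result. The handler begins at the `ZEND_VM_HANDLER(81, ...)` context line above the hunk and continues past it; the eight matching hunks in Zend/zend_vm_execute.h appear to be the regenerated specializations of this definition rather than hand edits, so the comment belongs in zend_vm_def.h only.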
@@ -8855,7 +8855,9 @@ static int ZEND_FETCH_DIM_R_SPEC_VAR_CONST_HANDLER(ZEND_OPCODE_HANDLER_ARGS)
 zend_free_op free_op1;
 zval *dim = &opline->op2.u.constant;
- if (opline->extended_value == ZEND_FETCH_ADD_LOCK && IS_VAR != IS_CV) {
+ if (opline->extended_value == ZEND_FETCH_ADD_LOCK &&
+ IS_VAR != IS_CV &&
+ EX_T(opline->op1.u.var).var.ptr_ptr) {
 PZVAL_LOCK(*EX_T(opline->op1.u.var).var.ptr_ptr);
 }
 zend_fetch_dimension_address(RETURN_VALUE_UNUSED(&opline->result)?NULL:&EX_T(opline->result.u.var), _get_zval_ptr_ptr_var(&opline->op1, EX(Ts), &free_op1 TSRMLS_CC), dim, 0, BP_VAR_R TSRMLS_CC);
@@ -10338,7 +10340,9 @@ static int ZEND_FETCH_DIM_R_SPEC_VAR_TMP_HANDLER(ZEND_OPCODE_HANDLER_ARGS)
 zend_free_op free_op1, free_op2;
 zval *dim = _get_zval_ptr_tmp(&opline->op2, EX(Ts), &free_op2 TSRMLS_CC);
- if (opline->extended_value == ZEND_FETCH_ADD_LOCK && IS_VAR != IS_CV) {
+ if (opline->extended_value == ZEND_FETCH_ADD_LOCK &&
+ IS_VAR != IS_CV &&
+ EX_T(opline->op1.u.var).var.ptr_ptr) {
 PZVAL_LOCK(*EX_T(opline->op1.u.var).var.ptr_ptr);
 }
 zend_fetch_dimension_address(RETURN_VALUE_UNUSED(&opline->result)?NULL:&EX_T(opline->result.u.var), _get_zval_ptr_ptr_var(&opline->op1, EX(Ts), &free_op1 TSRMLS_CC), dim, 1, BP_VAR_R TSRMLS_CC);
@@ -11824,7 +11828,9 @@ static int ZEND_FETCH_DIM_R_SPEC_VAR_VAR_HANDLER(ZEND_OPCODE_HANDLER_ARGS)
 zend_free_op free_op1, free_op2;
 zval *dim = _get_zval_ptr_var(&opline->op2, EX(Ts), &free_op2 TSRMLS_CC);
- if (opline->extended_value == ZEND_FETCH_ADD_LOCK && IS_VAR != IS_CV) {
+ if (opline->extended_value == ZEND_FETCH_ADD_LOCK &&
+ IS_VAR != IS_CV &&
+ EX_T(opline->op1.u.var).var.ptr_ptr) {
 PZVAL_LOCK(*EX_T(opline->op1.u.var).var.ptr_ptr);
 }
 zend_fetch_dimension_address(RETURN_VALUE_UNUSED(&opline->result)?NULL:&EX_T(opline->result.u.var), _get_zval_ptr_ptr_var(&opline->op1, EX(Ts), &free_op1 TSRMLS_CC), dim, 0, BP_VAR_R TSRMLS_CC);
@@ -13782,7 +13788,9 @@ static int ZEND_FETCH_DIM_R_SPEC_VAR_CV_HANDLER(ZEND_OPCODE_HANDLER_ARGS)
 zend_free_op free_op1;
 zval *dim = _get_zval_ptr_cv(&opline->op2, EX(Ts), BP_VAR_R TSRMLS_CC);
- if (opline->extended_value == ZEND_FETCH_ADD_LOCK && IS_VAR != IS_CV) {
+ if (opline->extended_value == ZEND_FETCH_ADD_LOCK &&
+ IS_VAR != IS_CV &&
+ EX_T(opline->op1.u.var).var.ptr_ptr) {
 PZVAL_LOCK(*EX_T(opline->op1.u.var).var.ptr_ptr);
 }
 zend_fetch_dimension_address(RETURN_VALUE_UNUSED(&opline->result)?NULL:&EX_T(opline->result.u.var), _get_zval_ptr_ptr_var(&opline->op1, EX(Ts), &free_op1 TSRMLS_CC), dim, 0, BP_VAR_R TSRMLS_CC);
@@ -20749,7 +20757,9 @@ static int ZEND_FETCH_DIM_R_SPEC_CV_CONST_HANDLER(ZEND_OPCODE_HANDLER_ARGS)
 zval *dim = &opline->op2.u.constant;
- if (opline->extended_value == ZEND_FETCH_ADD_LOCK && IS_CV != IS_CV) {
+ if (opline->extended_value == ZEND_FETCH_ADD_LOCK &&
+ IS_CV != IS_CV &&
+ EX_T(opline->op1.u.var).var.ptr_ptr) {
 PZVAL_LOCK(*EX_T(opline->op1.u.var).var.ptr_ptr);
 }
 zend_fetch_dimension_address(RETURN_VALUE_UNUSED(&opline->result)?NULL:&EX_T(opline->result.u.var), _get_zval_ptr_ptr_cv(&opline->op1, EX(Ts), BP_VAR_R TSRMLS_CC), dim, 0, BP_VAR_R TSRMLS_CC);
@@ -22224,7 +22234,9 @@ static int ZEND_FETCH_DIM_R_SPEC_CV_TMP_HANDLER(ZEND_OPCODE_HANDLER_ARGS)
 zend_free_op free_op2;
 zval *dim = _get_zval_ptr_tmp(&opline->op2, EX(Ts), &free_op2 TSRMLS_CC);
- if (opline->extended_value == ZEND_FETCH_ADD_LOCK && IS_CV != IS_CV) {
+ if (opline->extended_value == ZEND_FETCH_ADD_LOCK &&
+ IS_CV != IS_CV &&
+ EX_T(opline->op1.u.var).var.ptr_ptr) {
 PZVAL_LOCK(*EX_T(opline->op1.u.var).var.ptr_ptr);
 }
 zend_fetch_dimension_address(RETURN_VALUE_UNUSED(&opline->result)?NULL:&EX_T(opline->result.u.var), _get_zval_ptr_ptr_cv(&opline->op1, EX(Ts), BP_VAR_R TSRMLS_CC), dim, 1, BP_VAR_R TSRMLS_CC);
@@ -23702,7 +23714,9 @@ static int ZEND_FETCH_DIM_R_SPEC_CV_VAR_HANDLER(ZEND_OPCODE_HANDLER_ARGS)
 zend_free_op free_op2;
 zval *dim = _get_zval_ptr_var(&opline->op2, EX(Ts), &free_op2 TSRMLS_CC);
- if (opline->extended_value == ZEND_FETCH_ADD_LOCK && IS_CV != IS_CV) {
+ if (opline->extended_value == ZEND_FETCH_ADD_LOCK &&
+ IS_CV != IS_CV &&
+ EX_T(opline->op1.u.var).var.ptr_ptr) {
 PZVAL_LOCK(*EX_T(opline->op1.u.var).var.ptr_ptr);
 }
 zend_fetch_dimension_address(RETURN_VALUE_UNUSED(&opline->result)?NULL:&EX_T(opline->result.u.var), _get_zval_ptr_ptr_cv(&opline->op1, EX(Ts), BP_VAR_R TSRMLS_CC), dim, 0, BP_VAR_R TSRMLS_CC);
@@ -25650,7 +25664,9 @@ static int ZEND_FETCH_DIM_R_SPEC_CV_CV_HANDLER(ZEND_OPCODE_HANDLER_ARGS)
 zval *dim = _get_zval_ptr_cv(&opline->op2, EX(Ts), BP_VAR_R TSRMLS_CC);
- if (opline->extended_value == ZEND_FETCH_ADD_LOCK && IS_CV != IS_CV) {
+ if (opline->extended_value == ZEND_FETCH_ADD_LOCK &&
+ IS_CV != IS_CV &&
+ EX_T(opline->op1.u.var).var.ptr_ptr) {
 PZVAL_LOCK(*EX_T(opline->op1.u.var).var.ptr_ptr);
 }
 zend_fetch_dimension_address(RETURN_VALUE_UNUSED(&opline->result)?NULL:&EX_T(opline->result.u.var), _get_zval_ptr_ptr_cv(&opline->op1, EX(Ts), BP_VAR_R TSRMLS_CC), dim, 0, BP_VAR_R TSRMLS_CC); |