- Fixed bug #54265 (crash when variable gets reassigned in error handler)

(re-apply 309308, dmitry)

3 files changed, 36 insertions, 2 deletions

diff --git a/NEWS b/NEWS
index d608bd35f4..691422f5fe 100644
--- a/NEWS
+++ b/NEWS
@@ -1,6 +1,11 @@
 PHP                                                                        NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 ?? ??? 2011, PHP 5.3.7
+
+- Zend Engine:
+  . Fixed bug #54262 (Crash when assigning value to a dimension in a non-array).
+    (Dmitry)
+
 - MySQL Improved extension:
   . Fixed Bug #54221 (mysqli::get_warnings segfault when used in multi queries).
     (Andrey)
diff --git a/Zend/tests/bug54265.phpt b/Zend/tests/bug54265.phpt
new file mode 100644
index 0000000000..43db028a2a
--- /dev/null
+++ b/Zend/tests/bug54265.phpt
@@ -0,0 +1,17 @@
+--TEST--
+Bug #54265 (crash when variable gets reassigned in error handler)
+--FILE--
+<?php
+function my_errorhandler($errno,$errormsg) {
+  global $my_var;
+  $my_var = 0;
+  echo "EROOR: $errormsg\n";
+}
+set_error_handler("my_errorhandler");
+$my_var = str_repeat("A",$my_var[0]->errormsg = "xyz");
+echo "ok\n";
+?>
+--EXPECT--
+EROOR: Creating default object from empty value
+ok
+
diff --git a/Zend/zend_execute.c b/Zend/zend_execute.c
index e270816d8b..f10fce38dc 100644
--- a/Zend/zend_execute.c
+++ b/Zend/zend_execute.c
@@ -536,10 +536,22 @@ static inline void zend_assign_to_object(znode *result, zval **object_ptr, zval
 		    (Z_TYPE_P(object) == IS_BOOL && Z_LVAL_P(object) == 0) ||
 		    (Z_TYPE_P(object) == IS_STRING && Z_STRLEN_P(object) == 0)) {
 			SEPARATE_ZVAL_IF_NOT_REF(object_ptr);
-			zval_dtor(*object_ptr);
-			object_init(*object_ptr);
 			object = *object_ptr;
+			Z_ADDREF_P(object);
 			zend_error(E_STRICT, "Creating default object from empty value");
+			if (Z_REFCOUNT_P(object) == 1) {
+				/* object was removed by error handler, nothing to assign to */
+				zval_ptr_dtor(&object);
+				if (retval) {
+					*retval = &EG(uninitialized_zval);
+					PZVAL_LOCK(*retval);
+				}
+				FREE_OP(free_value);
+				return;
+			}
+			Z_DELREF_P(object);
+			zval_dtor(object);
+			object_init(object);
 		} else {
 			zend_error(E_WARNING, "Attempt to assign property of non-object");
 			if (!RETURN_VALUE_UNUSED(result)) {