diff options
| author | Nikita Popov <nikic@php.net> | 2015-07-06 20:12:07 +0200 |
|---|---|---|
| committer | Nikita Popov <nikic@php.net> | 2015-07-06 20:15:45 +0200 |
| commit | 89ce8d28dee671eead485077bc97c2b800790d68 (patch) | |
| tree | f80d20cf5a4f9e8c9a3c43c3fad0a6b6554ab173 | |
| parent | f3498783df59e08c4c5bec4789b45d55a2a2c425 (diff) | |
| download | php-git-89ce8d28dee671eead485077bc97c2b800790d68.tar.gz | |
Fix crash when exception is thrown during ROPE_END
The CHECK_EXCEPTION() was done at a point where the old opline is
still used, thus redirecting the write to the result var into
EX(call) instead.
Handling the exception in-place to avoid leaking result.
| -rw-r--r-- | Zend/tests/exception_in_rope_end.phpt | 17 | ||||
| -rw-r--r-- | Zend/zend_vm_def.h | 7 | ||||
| -rw-r--r-- | Zend/zend_vm_execute.h | 21 |
3 files changed, 41 insertions, 4 deletions
diff --git a/Zend/tests/exception_in_rope_end.phpt b/Zend/tests/exception_in_rope_end.phpt new file mode 100644 index 0000000000..3e6402c60f --- /dev/null +++ b/Zend/tests/exception_in_rope_end.phpt @@ -0,0 +1,17 @@ +--TEST-- +Exception during rope finalization +--FILE-- +<?php + +set_error_handler(function() { throw new Exception; }); + +try { + $b = "foo"; + $str = "y$b$a"; +} catch (Exception $e) { + echo "Exception\n"; +} + +?> +--EXPECT-- +Exception diff --git a/Zend/zend_vm_def.h b/Zend/zend_vm_def.h index fb86a8d42a..7bfec961cb 100644 --- a/Zend/zend_vm_def.h +++ b/Zend/zend_vm_def.h @@ -2859,7 +2859,12 @@ ZEND_VM_HANDLER(56, ZEND_ROPE_END, TMP, CONST|TMPVAR|CV) } rope[opline->extended_value] = _zval_get_string_func(var); FREE_OP2(); - CHECK_EXCEPTION(); + if (UNEXPECTED(EG(exception))) { + for (i = 0; i <= opline->extended_value; i++) { + zend_string_release(rope[i]); + } + HANDLE_EXCEPTION(); + } } } for (i = 0; i <= opline->extended_value; i++) { diff --git a/Zend/zend_vm_execute.h b/Zend/zend_vm_execute.h index a948964e91..eebfc0f1e7 100644 --- a/Zend/zend_vm_execute.h +++ b/Zend/zend_vm_execute.h @@ -12999,7 +12999,12 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_ROPE_END_SPEC_TMP_CONST_HANDLE } rope[opline->extended_value] = _zval_get_string_func(var); - CHECK_EXCEPTION(); + if (UNEXPECTED(EG(exception))) { + for (i = 0; i <= opline->extended_value; i++) { + zend_string_release(rope[i]); + } + HANDLE_EXCEPTION(); + } } } for (i = 0; i <= opline->extended_value; i++) { @@ -14283,7 +14288,12 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_ROPE_END_SPEC_TMP_CV_HANDLER(Z } rope[opline->extended_value] = _zval_get_string_func(var); - CHECK_EXCEPTION(); + if (UNEXPECTED(EG(exception))) { + for (i = 0; i <= opline->extended_value; i++) { + zend_string_release(rope[i]); + } + HANDLE_EXCEPTION(); + } } } for (i = 0; i <= opline->extended_value; i++) { @@ -14796,7 +14806,12 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_ROPE_END_SPEC_TMP_TMPVAR_HANDL } rope[opline->extended_value] = _zval_get_string_func(var); zval_ptr_dtor_nogc(free_op2); - CHECK_EXCEPTION(); + if (UNEXPECTED(EG(exception))) { + for (i = 0; i <= opline->extended_value; i++) { + zend_string_release(rope[i]); + } + HANDLE_EXCEPTION(); + } } } for (i = 0; i <= opline->extended_value; i++) { |