diff options
author | Nikita Popov <nikita.ppv@gmail.com> | 2020-07-07 09:55:28 +0200 |
---|---|---|
committer | Nikita Popov <nikita.ppv@gmail.com> | 2020-07-07 09:56:14 +0200 |
commit | 971e5c5186a2a2339b0dbad4f2a057a9deed5aa2 (patch) | |
tree | 366cc9ef7b8d26080acfc8b2af269020260740aa | |
parent | a58d865f65acba6b876a6ed1960aaa7b28685e34 (diff) | |
download | php-git-971e5c5186a2a2339b0dbad4f2a057a9deed5aa2.tar.gz |
Fixed bug #79783
Make sure we don't drop the by-reference check when passing the
result of a VM builtin function.
-rw-r--r-- | NEWS | 1 | ||||
-rw-r--r-- | Zend/tests/bug79783.phpt | 11 | ||||
-rw-r--r-- | Zend/zend_compile.c | 6 |
3 files changed, 17 insertions, 1 deletions
@@ -12,6 +12,7 @@ PHP NEWS - Core: . Fixed bug #79740 (serialize() and unserialize() methods can not be called statically). (Nikita) + . Fixede bug #79783 (Segfault in php_str_replace_common). (Nikita) - Fileinfo: . Fixed bug #79756 (finfo_file crash (FILEINFO_MIME)). (cmb) diff --git a/Zend/tests/bug79783.phpt b/Zend/tests/bug79783.phpt new file mode 100644 index 0000000000..959e90b06d --- /dev/null +++ b/Zend/tests/bug79783.phpt @@ -0,0 +1,11 @@ +--TEST-- +Bug #79783: Segfault in php_str_replace_common +--FILE-- +<?php +str_replace("a", "b", "c", strlen("d")); +?> +--EXPECTF-- +Fatal error: Uncaught Error: Cannot pass parameter 4 by reference in %s:%d +Stack trace: +#0 {main} + thrown in %s on line %d diff --git a/Zend/zend_compile.c b/Zend/zend_compile.c index 8b36a0940e..10ea65f89d 100644 --- a/Zend/zend_compile.c +++ b/Zend/zend_compile.c @@ -3009,7 +3009,11 @@ uint32_t zend_compile_args(zend_ast *ast, zend_function *fbc) /* {{{ */ zend_compile_var(&arg_node, arg, BP_VAR_R, 0); if (arg_node.op_type & (IS_CONST|IS_TMP_VAR)) { /* Function call was converted into builtin instruction */ - opcode = ZEND_SEND_VAL; + if (!fbc || ARG_MUST_BE_SENT_BY_REF(fbc, arg_num)) { + opcode = ZEND_SEND_VAL_EX; + } else { + opcode = ZEND_SEND_VAL; + } } else { if (fbc) { if (ARG_MUST_BE_SENT_BY_REF(fbc, arg_num)) { |