diff options
| author | Moriyoshi Koizumi <moriyoshi@php.net> | 2005-01-11 21:53:11 +0000 |
|---|---|---|
| committer | Moriyoshi Koizumi <moriyoshi@php.net> | 2005-01-11 21:53:11 +0000 |
| commit | 9b77de63ed22281505ae74c3d66cebee49c83b24 (patch) | |
| tree | aac35ab47cf9585a4c01cf98c00ed8c874fdf9a8 | |
| parent | 87ddc9d06b8658338abfb23b4916bc24c6f85734 (diff) | |
| download | php-git-9b77de63ed22281505ae74c3d66cebee49c83b24.tar.gz | |
- Fix bug #31436 (isset() incorrectly returns true in dereference of a wrong type)
| -rw-r--r-- | Zend/tests/bug31436.phpt | 25 | ||||
| -rw-r--r-- | Zend/zend_vm_execute.h | 468 |
2 files changed, 272 insertions, 221 deletions
diff --git a/Zend/tests/bug31436.phpt b/Zend/tests/bug31436.phpt new file mode 100644 index 0000000000..28c8fe1554 --- /dev/null +++ b/Zend/tests/bug31436.phpt @@ -0,0 +1,25 @@ +--TEST-- +Bug #31436 (isset incorrectly returning true when passed a bad type) +--FILE-- +<?php +$a = ''; +var_dump(isset($a->b)); +$a = 'a'; +var_dump(isset($a->b)); +$a = '0'; +var_dump(isset($a->b)); +$a = ''; +var_dump(isset($a{'b'})); +$a = 'a'; +var_dump(isset($a{'b'})); +$a = '0'; +var_dump(isset($a{'b'})); +?> +--EXPECTF-- +bool(false) +bool(false) +bool(false) +bool(false) +bool(true) +bool(true) + diff --git a/Zend/zend_vm_execute.h b/Zend/zend_vm_execute.h index f014e5609c..9c98ffe167 100644 --- a/Zend/zend_vm_execute.h +++ b/Zend/zend_vm_execute.h @@ -9013,23 +9013,25 @@ static int zend_isset_isempty_dim_prop_obj_handler_SPEC_VAR_CONST(int prop_dim, } else if ((*container)->type == IS_STRING) { /* string offsets */ zval tmp_offset; - if (Z_TYPE_P(offset) != IS_LONG) { - tmp_offset = *offset; - zval_copy_ctor(&tmp_offset); - convert_to_long(&tmp_offset); - offset = &tmp_offset; - } - switch (opline->extended_value) { - case ZEND_ISSET: - if (offset->value.lval >= 0 && offset->value.lval < Z_STRLEN_PP(container)) { - result = 1; - } - break; - case ZEND_ISEMPTY: - if (offset->value.lval >= 0 && offset->value.lval < Z_STRLEN_PP(container) && Z_STRVAL_PP(container)[offset->value.lval] != '0') { - result = 1; - } - break; + if (!prop_dim) { + if (Z_TYPE_P(offset) != IS_LONG) { + tmp_offset = *offset; + zval_copy_ctor(&tmp_offset); + convert_to_long(&tmp_offset); + offset = &tmp_offset; + } + switch (opline->extended_value) { + case ZEND_ISSET: + if (offset->value.lval >= 0 && offset->value.lval < Z_STRLEN_PP(container)) { + result = 1; + } + break; + case ZEND_ISEMPTY: + if (offset->value.lval >= 0 && offset->value.lval < Z_STRLEN_PP(container) && Z_STRVAL_PP(container)[offset->value.lval] != '0') { + result = 1; + } + break; + } } } } @@ -10326,23 +10328,25 @@ static int zend_isset_isempty_dim_prop_obj_handler_SPEC_VAR_TMP(int prop_dim, ZE } else if ((*container)->type == IS_STRING) { /* string offsets */ zval tmp_offset; - if (Z_TYPE_P(offset) != IS_LONG) { - tmp_offset = *offset; - zval_copy_ctor(&tmp_offset); - convert_to_long(&tmp_offset); - offset = &tmp_offset; - } - switch (opline->extended_value) { - case ZEND_ISSET: - if (offset->value.lval >= 0 && offset->value.lval < Z_STRLEN_PP(container)) { - result = 1; - } - break; - case ZEND_ISEMPTY: - if (offset->value.lval >= 0 && offset->value.lval < Z_STRLEN_PP(container) && Z_STRVAL_PP(container)[offset->value.lval] != '0') { - result = 1; - } - break; + if (!prop_dim) { + if (Z_TYPE_P(offset) != IS_LONG) { + tmp_offset = *offset; + zval_copy_ctor(&tmp_offset); + convert_to_long(&tmp_offset); + offset = &tmp_offset; + } + switch (opline->extended_value) { + case ZEND_ISSET: + if (offset->value.lval >= 0 && offset->value.lval < Z_STRLEN_PP(container)) { + result = 1; + } + break; + case ZEND_ISEMPTY: + if (offset->value.lval >= 0 && offset->value.lval < Z_STRLEN_PP(container) && Z_STRVAL_PP(container)[offset->value.lval] != '0') { + result = 1; + } + break; + } } } } @@ -11660,23 +11664,25 @@ static int zend_isset_isempty_dim_prop_obj_handler_SPEC_VAR_VAR(int prop_dim, ZE } else if ((*container)->type == IS_STRING) { /* string offsets */ zval tmp_offset; - if (Z_TYPE_P(offset) != IS_LONG) { - tmp_offset = *offset; - zval_copy_ctor(&tmp_offset); - convert_to_long(&tmp_offset); - offset = &tmp_offset; - } - switch (opline->extended_value) { - case ZEND_ISSET: - if (offset->value.lval >= 0 && offset->value.lval < Z_STRLEN_PP(container)) { - result = 1; - } - break; - case ZEND_ISEMPTY: - if (offset->value.lval >= 0 && offset->value.lval < Z_STRLEN_PP(container) && Z_STRVAL_PP(container)[offset->value.lval] != '0') { - result = 1; - } - break; + if (!prop_dim) { + if (Z_TYPE_P(offset) != IS_LONG) { + tmp_offset = *offset; + zval_copy_ctor(&tmp_offset); + convert_to_long(&tmp_offset); + offset = &tmp_offset; + } + switch (opline->extended_value) { + case ZEND_ISSET: + if (offset->value.lval >= 0 && offset->value.lval < Z_STRLEN_PP(container)) { + result = 1; + } + break; + case ZEND_ISEMPTY: + if (offset->value.lval >= 0 && offset->value.lval < Z_STRLEN_PP(container) && Z_STRVAL_PP(container)[offset->value.lval] != '0') { + result = 1; + } + break; + } } } } @@ -13124,23 +13130,25 @@ static int zend_isset_isempty_dim_prop_obj_handler_SPEC_VAR_CV(int prop_dim, ZEN } else if ((*container)->type == IS_STRING) { /* string offsets */ zval tmp_offset; - if (Z_TYPE_P(offset) != IS_LONG) { - tmp_offset = *offset; - zval_copy_ctor(&tmp_offset); - convert_to_long(&tmp_offset); - offset = &tmp_offset; - } - switch (opline->extended_value) { - case ZEND_ISSET: - if (offset->value.lval >= 0 && offset->value.lval < Z_STRLEN_PP(container)) { - result = 1; - } - break; - case ZEND_ISEMPTY: - if (offset->value.lval >= 0 && offset->value.lval < Z_STRLEN_PP(container) && Z_STRVAL_PP(container)[offset->value.lval] != '0') { - result = 1; - } - break; + if (!prop_dim) { + if (Z_TYPE_P(offset) != IS_LONG) { + tmp_offset = *offset; + zval_copy_ctor(&tmp_offset); + convert_to_long(&tmp_offset); + offset = &tmp_offset; + } + switch (opline->extended_value) { + case ZEND_ISSET: + if (offset->value.lval >= 0 && offset->value.lval < Z_STRLEN_PP(container)) { + result = 1; + } + break; + case ZEND_ISEMPTY: + if (offset->value.lval >= 0 && offset->value.lval < Z_STRLEN_PP(container) && Z_STRVAL_PP(container)[offset->value.lval] != '0') { + result = 1; + } + break; + } } } } @@ -14188,23 +14196,25 @@ static int zend_isset_isempty_dim_prop_obj_handler_SPEC_UNUSED_CONST(int prop_di } else if ((*container)->type == IS_STRING) { /* string offsets */ zval tmp_offset; - if (Z_TYPE_P(offset) != IS_LONG) { - tmp_offset = *offset; - zval_copy_ctor(&tmp_offset); - convert_to_long(&tmp_offset); - offset = &tmp_offset; - } - switch (opline->extended_value) { - case ZEND_ISSET: - if (offset->value.lval >= 0 && offset->value.lval < Z_STRLEN_PP(container)) { - result = 1; - } - break; - case ZEND_ISEMPTY: - if (offset->value.lval >= 0 && offset->value.lval < Z_STRLEN_PP(container) && Z_STRVAL_PP(container)[offset->value.lval] != '0') { - result = 1; - } - break; + if (!prop_dim) { + if (Z_TYPE_P(offset) != IS_LONG) { + tmp_offset = *offset; + zval_copy_ctor(&tmp_offset); + convert_to_long(&tmp_offset); + offset = &tmp_offset; + } + switch (opline->extended_value) { + case ZEND_ISSET: + if (offset->value.lval >= 0 && offset->value.lval < Z_STRLEN_PP(container)) { + result = 1; + } + break; + case ZEND_ISEMPTY: + if (offset->value.lval >= 0 && offset->value.lval < Z_STRLEN_PP(container) && Z_STRVAL_PP(container)[offset->value.lval] != '0') { + result = 1; + } + break; + } } } } @@ -15135,23 +15145,25 @@ static int zend_isset_isempty_dim_prop_obj_handler_SPEC_UNUSED_TMP(int prop_dim, } else if ((*container)->type == IS_STRING) { /* string offsets */ zval tmp_offset; - if (Z_TYPE_P(offset) != IS_LONG) { - tmp_offset = *offset; - zval_copy_ctor(&tmp_offset); - convert_to_long(&tmp_offset); - offset = &tmp_offset; - } - switch (opline->extended_value) { - case ZEND_ISSET: - if (offset->value.lval >= 0 && offset->value.lval < Z_STRLEN_PP(container)) { - result = 1; - } - break; - case ZEND_ISEMPTY: - if (offset->value.lval >= 0 && offset->value.lval < Z_STRLEN_PP(container) && Z_STRVAL_PP(container)[offset->value.lval] != '0') { - result = 1; - } - break; + if (!prop_dim) { + if (Z_TYPE_P(offset) != IS_LONG) { + tmp_offset = *offset; + zval_copy_ctor(&tmp_offset); + convert_to_long(&tmp_offset); + offset = &tmp_offset; + } + switch (opline->extended_value) { + case ZEND_ISSET: + if (offset->value.lval >= 0 && offset->value.lval < Z_STRLEN_PP(container)) { + result = 1; + } + break; + case ZEND_ISEMPTY: + if (offset->value.lval >= 0 && offset->value.lval < Z_STRLEN_PP(container) && Z_STRVAL_PP(container)[offset->value.lval] != '0') { + result = 1; + } + break; + } } } } @@ -16082,23 +16094,25 @@ static int zend_isset_isempty_dim_prop_obj_handler_SPEC_UNUSED_VAR(int prop_dim, } else if ((*container)->type == IS_STRING) { /* string offsets */ zval tmp_offset; - if (Z_TYPE_P(offset) != IS_LONG) { - tmp_offset = *offset; - zval_copy_ctor(&tmp_offset); - convert_to_long(&tmp_offset); - offset = &tmp_offset; - } - switch (opline->extended_value) { - case ZEND_ISSET: - if (offset->value.lval >= 0 && offset->value.lval < Z_STRLEN_PP(container)) { - result = 1; - } - break; - case ZEND_ISEMPTY: - if (offset->value.lval >= 0 && offset->value.lval < Z_STRLEN_PP(container) && Z_STRVAL_PP(container)[offset->value.lval] != '0') { - result = 1; - } - break; + if (!prop_dim) { + if (Z_TYPE_P(offset) != IS_LONG) { + tmp_offset = *offset; + zval_copy_ctor(&tmp_offset); + convert_to_long(&tmp_offset); + offset = &tmp_offset; + } + switch (opline->extended_value) { + case ZEND_ISSET: + if (offset->value.lval >= 0 && offset->value.lval < Z_STRLEN_PP(container)) { + result = 1; + } + break; + case ZEND_ISEMPTY: + if (offset->value.lval >= 0 && offset->value.lval < Z_STRLEN_PP(container) && Z_STRVAL_PP(container)[offset->value.lval] != '0') { + result = 1; + } + break; + } } } } @@ -17148,23 +17162,25 @@ static int zend_isset_isempty_dim_prop_obj_handler_SPEC_UNUSED_CV(int prop_dim, } else if ((*container)->type == IS_STRING) { /* string offsets */ zval tmp_offset; - if (Z_TYPE_P(offset) != IS_LONG) { - tmp_offset = *offset; - zval_copy_ctor(&tmp_offset); - convert_to_long(&tmp_offset); - offset = &tmp_offset; - } - switch (opline->extended_value) { - case ZEND_ISSET: - if (offset->value.lval >= 0 && offset->value.lval < Z_STRLEN_PP(container)) { - result = 1; - } - break; - case ZEND_ISEMPTY: - if (offset->value.lval >= 0 && offset->value.lval < Z_STRLEN_PP(container) && Z_STRVAL_PP(container)[offset->value.lval] != '0') { - result = 1; - } - break; + if (!prop_dim) { + if (Z_TYPE_P(offset) != IS_LONG) { + tmp_offset = *offset; + zval_copy_ctor(&tmp_offset); + convert_to_long(&tmp_offset); + offset = &tmp_offset; + } + switch (opline->extended_value) { + case ZEND_ISSET: + if (offset->value.lval >= 0 && offset->value.lval < Z_STRLEN_PP(container)) { + result = 1; + } + break; + case ZEND_ISEMPTY: + if (offset->value.lval >= 0 && offset->value.lval < Z_STRLEN_PP(container) && Z_STRVAL_PP(container)[offset->value.lval] != '0') { + result = 1; + } + break; + } } } } @@ -19631,23 +19647,25 @@ static int zend_isset_isempty_dim_prop_obj_handler_SPEC_CV_CONST(int prop_dim, Z } else if ((*container)->type == IS_STRING) { /* string offsets */ zval tmp_offset; - if (Z_TYPE_P(offset) != IS_LONG) { - tmp_offset = *offset; - zval_copy_ctor(&tmp_offset); - convert_to_long(&tmp_offset); - offset = &tmp_offset; - } - switch (opline->extended_value) { - case ZEND_ISSET: - if (offset->value.lval >= 0 && offset->value.lval < Z_STRLEN_PP(container)) { - result = 1; - } - break; - case ZEND_ISEMPTY: - if (offset->value.lval >= 0 && offset->value.lval < Z_STRLEN_PP(container) && Z_STRVAL_PP(container)[offset->value.lval] != '0') { - result = 1; - } - break; + if (!prop_dim) { + if (Z_TYPE_P(offset) != IS_LONG) { + tmp_offset = *offset; + zval_copy_ctor(&tmp_offset); + convert_to_long(&tmp_offset); + offset = &tmp_offset; + } + switch (opline->extended_value) { + case ZEND_ISSET: + if (offset->value.lval >= 0 && offset->value.lval < Z_STRLEN_PP(container)) { + result = 1; + } + break; + case ZEND_ISEMPTY: + if (offset->value.lval >= 0 && offset->value.lval < Z_STRLEN_PP(container) && Z_STRVAL_PP(container)[offset->value.lval] != '0') { + result = 1; + } + break; + } } } } @@ -20944,23 +20962,25 @@ static int zend_isset_isempty_dim_prop_obj_handler_SPEC_CV_TMP(int prop_dim, ZEN } else if ((*container)->type == IS_STRING) { /* string offsets */ zval tmp_offset; - if (Z_TYPE_P(offset) != IS_LONG) { - tmp_offset = *offset; - zval_copy_ctor(&tmp_offset); - convert_to_long(&tmp_offset); - offset = &tmp_offset; - } - switch (opline->extended_value) { - case ZEND_ISSET: - if (offset->value.lval >= 0 && offset->value.lval < Z_STRLEN_PP(container)) { - result = 1; - } - break; - case ZEND_ISEMPTY: - if (offset->value.lval >= 0 && offset->value.lval < Z_STRLEN_PP(container) && Z_STRVAL_PP(container)[offset->value.lval] != '0') { - result = 1; - } - break; + if (!prop_dim) { + if (Z_TYPE_P(offset) != IS_LONG) { + tmp_offset = *offset; + zval_copy_ctor(&tmp_offset); + convert_to_long(&tmp_offset); + offset = &tmp_offset; + } + switch (opline->extended_value) { + case ZEND_ISSET: + if (offset->value.lval >= 0 && offset->value.lval < Z_STRLEN_PP(container)) { + result = 1; + } + break; + case ZEND_ISEMPTY: + if (offset->value.lval >= 0 && offset->value.lval < Z_STRLEN_PP(container) && Z_STRVAL_PP(container)[offset->value.lval] != '0') { + result = 1; + } + break; + } } } } @@ -22278,23 +22298,25 @@ static int zend_isset_isempty_dim_prop_obj_handler_SPEC_CV_VAR(int prop_dim, ZEN } else if ((*container)->type == IS_STRING) { /* string offsets */ zval tmp_offset; - if (Z_TYPE_P(offset) != IS_LONG) { - tmp_offset = *offset; - zval_copy_ctor(&tmp_offset); - convert_to_long(&tmp_offset); - offset = &tmp_offset; - } - switch (opline->extended_value) { - case ZEND_ISSET: - if (offset->value.lval >= 0 && offset->value.lval < Z_STRLEN_PP(container)) { - result = 1; - } - break; - case ZEND_ISEMPTY: - if (offset->value.lval >= 0 && offset->value.lval < Z_STRLEN_PP(container) && Z_STRVAL_PP(container)[offset->value.lval] != '0') { - result = 1; - } - break; + if (!prop_dim) { + if (Z_TYPE_P(offset) != IS_LONG) { + tmp_offset = *offset; + zval_copy_ctor(&tmp_offset); + convert_to_long(&tmp_offset); + offset = &tmp_offset; + } + switch (opline->extended_value) { + case ZEND_ISSET: + if (offset->value.lval >= 0 && offset->value.lval < Z_STRLEN_PP(container)) { + result = 1; + } + break; + case ZEND_ISEMPTY: + if (offset->value.lval >= 0 && offset->value.lval < Z_STRLEN_PP(container) && Z_STRVAL_PP(container)[offset->value.lval] != '0') { + result = 1; + } + break; + } } } } @@ -23742,23 +23764,25 @@ static int zend_isset_isempty_dim_prop_obj_handler_SPEC_CV_CV(int prop_dim, ZEND } else if ((*container)->type == IS_STRING) { /* string offsets */ zval tmp_offset; - if (Z_TYPE_P(offset) != IS_LONG) { - tmp_offset = *offset; - zval_copy_ctor(&tmp_offset); - convert_to_long(&tmp_offset); - offset = &tmp_offset; - } - switch (opline->extended_value) { - case ZEND_ISSET: - if (offset->value.lval >= 0 && offset->value.lval < Z_STRLEN_PP(container)) { - result = 1; - } - break; - case ZEND_ISEMPTY: - if (offset->value.lval >= 0 && offset->value.lval < Z_STRLEN_PP(container) && Z_STRVAL_PP(container)[offset->value.lval] != '0') { - result = 1; - } - break; + if (!prop_dim) { + if (Z_TYPE_P(offset) != IS_LONG) { + tmp_offset = *offset; + zval_copy_ctor(&tmp_offset); + convert_to_long(&tmp_offset); + offset = &tmp_offset; + } + switch (opline->extended_value) { + case ZEND_ISSET: + if (offset->value.lval >= 0 && offset->value.lval < Z_STRLEN_PP(container)) { + result = 1; + } + break; + case ZEND_ISEMPTY: + if (offset->value.lval >= 0 && offset->value.lval < Z_STRLEN_PP(container) && Z_STRVAL_PP(container)[offset->value.lval] != '0') { + result = 1; + } + break; + } } } } @@ -30806,23 +30830,25 @@ static int zend_isset_isempty_dim_prop_obj_handler(int prop_dim, ZEND_OPCODE_HAN } else if ((*container)->type == IS_STRING) { /* string offsets */ zval tmp_offset; - if (Z_TYPE_P(offset) != IS_LONG) { - tmp_offset = *offset; - zval_copy_ctor(&tmp_offset); - convert_to_long(&tmp_offset); - offset = &tmp_offset; - } - switch (opline->extended_value) { - case ZEND_ISSET: - if (offset->value.lval >= 0 && offset->value.lval < Z_STRLEN_PP(container)) { - result = 1; - } - break; - case ZEND_ISEMPTY: - if (offset->value.lval >= 0 && offset->value.lval < Z_STRLEN_PP(container) && Z_STRVAL_PP(container)[offset->value.lval] != '0') { - result = 1; - } - break; + if (!prop_dim) { + if (Z_TYPE_P(offset) != IS_LONG) { + tmp_offset = *offset; + zval_copy_ctor(&tmp_offset); + convert_to_long(&tmp_offset); + offset = &tmp_offset; + } + switch (opline->extended_value) { + case ZEND_ISSET: + if (offset->value.lval >= 0 && offset->value.lval < Z_STRLEN_PP(container)) { + result = 1; + } + break; + case ZEND_ISEMPTY: + if (offset->value.lval >= 0 && offset->value.lval < Z_STRLEN_PP(container) && Z_STRVAL_PP(container)[offset->value.lval] != '0') { + result = 1; + } + break; + } } } } |