Fixed bug #70182 (Segfault in ZEND_ASSIGN_OP handlers)

3 files changed, 16 insertions, 1 deletions

diff --git a/NEWS b/NEWS
index ee77efb198..2814b889a8 100644
--- a/NEWS
+++ b/NEWS
@@ -17,6 +17,7 @@ PHP                                                                        NEWS
   . Fixed bug #69896 ('asm' operand has impossible constraints). (Anatol)
   . Fixed bug #70183 (null pointer deref (segfault) in zend_eval_const_expr).
     (Hugh Davenport)
+  . Fixed bug #70182 (Segfault in ZEND_ASSIGN_DIV_SPEC_CV_UNUSED_HANDLER). (Bob)
 
 - Curl:
   . Fixed bug #70163 (curl_setopt_array() type confusion). (Laruence)
diff --git a/Zend/tests/bug70182.phpt b/Zend/tests/bug70182.phpt
new file mode 100644
index 0000000000..0b8111d3ee
--- /dev/null
+++ b/Zend/tests/bug70182.phpt
@@ -0,0 +1,14 @@
+--TEST--
+Bug #70182 ($string[] assignment with +=)
+--FILE--
+<?php
+
+$str = "abc";
+$str[] += $str;
+
+?>
+--EXPECTF--
+Fatal error: Uncaught Error: [] operator not supported for strings in %sbug70182.php:%d
+Stack trace:
+#0 {main}
+  thrown in %sbug70182.php on line %d
diff --git a/Zend/zend_execute.c b/Zend/zend_execute.c
index 065809f1a6..3009ddfcff 100644
--- a/Zend/zend_execute.c
+++ b/Zend/zend_execute.c
@@ -1687,7 +1687,7 @@ convert_to_array:
 
 		if (dim == NULL) {
 			zend_throw_error(NULL, "[] operator not supported for strings");
-			ZVAL_NULL(result);
+			ZVAL_INDIRECT(result, &EG(error_zval));
 		} else {
 			zend_check_string_offset(dim, type);
 			ZVAL_INDIRECT(result, NULL); /* wrong string offset */