author | Dmitry Stogov <dmitry@php.net> | 2011-03-16 15:21:38 +0000 |
---|---|---|
committer | Dmitry Stogov <dmitry@php.net> | 2011-03-16 15:21:38 +0000 |
commit | b60e4fe4f091dcff2b55072688ab1e3126f86df8 (patch) | |
tree | c3666b0a4b6746eb3f0f47930c5bfd5ee63122e4 | |
parent | 34846cff4d5dc14e67899324f12fab80d2d6d396 (diff) | |
download | php-git-b60e4fe4f091dcff2b55072688ab1e3126f86df8.tar.gz |
Fixed bug #54265 (crash when variable gets reassigned in error handler)
-rw-r--r-- | Zend/tests/bug54265.phpt | 17 | ||||
-rw-r--r-- | Zend/zend_execute.c | 16 |
2 files changed, 31 insertions, 2 deletions
diff --git a/Zend/tests/bug54265.phpt b/Zend/tests/bug54265.phpt
new file mode 100644
index 0000000000..43db028a2a
--- /dev/null
+++ b/Zend/tests/bug54265.phpt
@@ -0,0 +1,17 @@
+--TEST--
+Bug #54265 (crash when variable gets reassigned in error handler)
+--FILE--
+<?php
+function my_errorhandler($errno,$errormsg) {
+ global $my_var;
+ $my_var = 0;
+ echo "EROOR: $errormsg\n";
+}
+set_error_handler("my_errorhandler");
+$my_var = str_repeat("A",$my_var[0]->errormsg = "xyz");
+echo "ok\n";
+?>
+--EXPECT--
+EROOR: Creating default object from empty value
+ok
+
diff --git a/Zend/zend_execute.c b/Zend/zend_execute.c
index 1792618607..83a3fff6b4 100644
--- a/Zend/zend_execute.c
+++ b/Zend/zend_execute.c
@@ -657,10 +657,22 @@ static inline void zend_assign_to_object(zval **retval, zval **object_ptr, zval
 (Z_TYPE_P(object) == IS_BOOL && Z_LVAL_P(object) == 0) ||
 (Z_TYPE_P(object) == IS_STRING && Z_STRLEN_P(object) == 0)) {
 SEPARATE_ZVAL_IF_NOT_REF(object_ptr);
- zval_dtor(*object_ptr);
- object_init(*object_ptr);
 object = *object_ptr;
+ Z_ADDREF_P(object);
 zend_error(E_WARNING, "Creating default object from empty value");
+ if (Z_REFCOUNT_P(object) == 1) {
+ /* object was removed by error handler, nothing to assign to */
+ zval_ptr_dtor(&object);
+ if (retval) {
+ *retval = &EG(uninitialized_zval);
+ PZVAL_LOCK(*retval);
+ }
+ FREE_OP(free_value);
+ return;
+ }
+ Z_DELREF_P(object);
+ zval_dtor(object);
+ object_init(object);
 } else {
 zend_error(E_WARNING, "Attempt to assign property of non-object");
 if (retval) {
|
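Review bot: The `Z_ADDREF_P(object);` added before `zend_error()` in the zend_execute.c hunk carries the whole fix but has no comment: the warning can run a user error handler, which may release the variable behind `object_ptr` while this function still holds `object`. I would add `/* hold a reference: the error handler may free the variable behind object_ptr */` above it, so the pin is not later removed as redundant. Only the refcount is re-checked after the handler returns; the emptiness test in the context lines above ran before the call, so if a handler can store a new value into the same zval (presumably possible when it is a reference), `zval_dtor(object); object_init(object);` would discard that value, which is worth confirming as intended. The body of `zend_assign_to_object` continues outside the hunk, so whether later code still dereferences `object_ptr` after the handler has run cannot be checked from here.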