diff options
| author | Xinchen Hui <laruence@gmail.com> | 2017-02-25 12:00:42 +0800 |
|---|---|---|
| committer | Xinchen Hui <laruence@gmail.com> | 2017-02-25 12:00:42 +0800 |
| commit | 36fcc4cb5d92dabc8c8f6f0587c81093bcac878c (patch) | |
| tree | 4272c27d04466c3035937489a3c4ba32ed2d735d /Zend | |
| parent | d1f36d6d8ebd76b2d1014a1fcccdf75baa70cdb0 (diff) | |
| download | php-git-36fcc4cb5d92dabc8c8f6f0587c81093bcac878c.tar.gz | |
Fixed bug #74164 (PHP hangs when an invalid value is dynamically passed to typehinted by-ref arg)
Diffstat (limited to 'Zend')
| -rw-r--r-- | Zend/tests/bug74164.phpt | 20 | ||||
| -rw-r--r-- | Zend/zend_execute_API.c | 18 |
2 files changed, 38 insertions, 0 deletions
diff --git a/Zend/tests/bug74164.phpt b/Zend/tests/bug74164.phpt new file mode 100644 index 0000000000..354b2f51e0 --- /dev/null +++ b/Zend/tests/bug74164.phpt @@ -0,0 +1,20 @@ +--TEST-- +Bug #74164 (PHP hangs when an invalid value is dynamically passed to typehinted by-ref arg) +--FILE-- +<?php + +namespace Foo; + +set_error_handler(function ($type, $msg) { + throw new \Exception($msg); +}); + +call_user_func(function (array &$ref) {var_dump("xxx");}, 'not_an_array_variable'); +?> +--EXPECTF-- +Fatal error: Uncaught Exception: Parameter 1 to Foo\{closure}() expected to be a reference, value given in %sbug74164.php:%d +Stack trace: +#0 [internal function]: Foo\{closure}(%s) +#1 %sbug74164.php(%d): call_user_func(%s) +#2 {main} + thrown in %sbug74164.php on line %d diff --git a/Zend/zend_execute_API.c b/Zend/zend_execute_API.c index e02198526f..9080ae59a0 100644 --- a/Zend/zend_execute_API.c +++ b/Zend/zend_execute_API.c @@ -761,6 +761,7 @@ int zend_call_function(zend_fcall_info *fci, zend_fcall_info_cache *fci_cache) / if (fci->object && (!EG(objects_store).object_buckets || !IS_OBJ_VALID(EG(objects_store).object_buckets[fci->object->handle]))) { + zend_vm_stack_free_call_frame(call); if (EG(current_execute_data) == &dummy_execute_data) { EG(current_execute_data) = dummy_execute_data.prev_execute_data; } @@ -770,6 +771,7 @@ int zend_call_function(zend_fcall_info *fci, zend_fcall_info_cache *fci_cache) / if (func->common.fn_flags & (ZEND_ACC_ABSTRACT|ZEND_ACC_DEPRECATED)) { if (func->common.fn_flags & ZEND_ACC_ABSTRACT) { zend_throw_error(NULL, "Cannot call abstract method %s::%s()", ZSTR_VAL(func->common.scope->name), ZSTR_VAL(func->common.function_name)); + zend_vm_stack_free_call_frame(call); if (EG(current_execute_data) == &dummy_execute_data) { EG(current_execute_data) = dummy_execute_data.prev_execute_data; } @@ -780,6 +782,13 @@ int zend_call_function(zend_fcall_info *fci, zend_fcall_info_cache *fci_cache) / func->common.scope ? ZSTR_VAL(func->common.scope->name) : "", func->common.scope ? "::" : "", ZSTR_VAL(func->common.function_name)); + if (UNEXPECTED(EG(exception))) { + zend_vm_stack_free_call_frame(call); + if (EG(current_execute_data) == &dummy_execute_data) { + EG(current_execute_data) = dummy_execute_data.prev_execute_data; + } + return FAILURE; + } } } @@ -800,6 +809,15 @@ int zend_call_function(zend_fcall_info *fci, zend_fcall_info_cache *fci_cache) / func->common.scope ? ZSTR_VAL(func->common.scope->name) : "", func->common.scope ? "::" : "", ZSTR_VAL(func->common.function_name)); + if (UNEXPECTED(EG(exception))) { + ZEND_CALL_NUM_ARGS(call) = i; + zend_vm_stack_free_args(call); + zend_vm_stack_free_call_frame(call); + if (EG(current_execute_data) == &dummy_execute_data) { + EG(current_execute_data) = dummy_execute_data.prev_execute_data; + } + return FAILURE; + } } } } else { |