authorNikita Popov <nikita.ppv@gmail.com>2019-06-28 10:24:56 +0200
committerNikita Popov <nikita.ppv@gmail.com>2019-06-28 12:44:46 +0200
commit9f81c56e42ebaaea800c7304cf8cb39acedf1c98 (patch)
tree05818e859efe6ffe5e01877c8d781900621baac0 /Zend
parent7632a411e3b839e6a438aa1367ec3d6f310d3d90 (diff)
Fix out-of-bounds read in array compilation
UNPACK elements only have one child. Don't access the second one until we have excluded this case.
Diffstat (limited to 'Zend')
-rw-r--r--Zend/zend_compile.c8
1 files changed, 5 insertions, 3 deletions
diff --git a/Zend/zend_compile.c b/Zend/zend_compile.c
index fc6dcf5bb7..6682d2b454 100644
--- a/Zend/zend_compile.c
+++ b/Zend/zend_compile.c
@@ -7032,7 +7032,7 @@ static zend_bool zend_try_ct_eval_array(zval *result, zend_ast *ast) /* {{{ */
for (i = 0; i < list->children; ++i) {
zend_ast *elem_ast = list->child[i];
zend_ast *value_ast = elem_ast->child[0];
- zend_ast *key_ast = elem_ast->child[1];
+ zend_ast *key_ast;
zval *value = zend_ast_get_zval(value_ast);
if (elem_ast->kind == ZEND_AST_UNPACK) {
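Review bot: `key_ast` is now declared without an initializer, so on the ZEND_AST_UNPACK path it holds an indeterminate value for the rest of that loop iteration. The body of the UNPACK branch lies outside this hunk, so I cannot confirm from here that nothing in it reads `key_ast`. Declaring it as `zend_ast *key_ast = NULL;` would turn any later accidental use on that path into a well-defined "no key" case instead of an uninitialized read. The same consideration applies to `key_ast` and `by_ref` in zend_compile_array, whose declarations are not visible in this diff.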
@@ -7060,6 +7060,7 @@ static zend_bool zend_try_ct_eval_array(zval *result, zend_ast *ast) /* {{{ */
Z_TRY_ADDREF_P(value);
+ key_ast = elem_ast->child[1];
if (key_ast) {
zval *key = zend_ast_get_zval(key_ast);
switch (Z_TYPE_P(key)) {
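Review bot: The deferred assignment `key_ast = elem_ast->child[1];` has no comment saying why it must stay below the UNPACK check, so a later tidy-up could hoist it back next to `value_ast` and reintroduce the out-of-bounds read. I would add `/* ZEND_AST_UNPACK nodes have a single child; read child[1] only after that kind is excluded */` directly above it, and the same comment above the moved `key_ast`/`by_ref` assignments in the last zend_compile_array hunk. The diffstat shown is limited to Zend and lists only zend_compile.c, so unless a test was added elsewhere, a .phpt that compiles a constant array containing a spread element would let a sanitizer build catch a regression.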
@@ -7823,8 +7824,6 @@ void zend_compile_array(znode *result, zend_ast *ast) /* {{{ */
}
value_ast = elem_ast->child[0];
- key_ast = elem_ast->child[1];
- by_ref = elem_ast->attr;
if (elem_ast->kind == ZEND_AST_UNPACK) {
zend_compile_expr(&value_node, value_ast);
@@ -7836,6 +7835,9 @@ void zend_compile_array(znode *result, zend_ast *ast) /* {{{ */
continue;
}
+ key_ast = elem_ast->child[1];
+ by_ref = elem_ast->attr;
+
if (key_ast) {
zend_compile_expr(&key_node, key_ast);
zend_handle_numeric_op(&key_node);