diff options
-rw-r--r-- | NEWS | 19 | ||||
-rw-r--r-- | Zend/tests/bug72907.phpt | 18 | ||||
-rw-r--r-- | Zend/zend_execute.c | 4 | ||||
-rw-r--r-- | Zend/zend_vm_def.h | 13 | ||||
-rw-r--r-- | Zend/zend_vm_execute.h | 52 |
5 files changed, 66 insertions, 40 deletions
@@ -2,6 +2,10 @@ PHP NEWS ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||| ?? ??? 2016, PHP 5.6.26 +- Core: + . Fixed bug #72907 (null pointer deref, segfault in gc_remove_zval_from_buffer + (zend_gc.c:260)). (Laruence) + - Streams: . Fixed bug #72853 (stream_set_blocking doesn't work). (Laruence) @@ -9,22 +13,12 @@ PHP NEWS . Fixed bug #70195 (Cannot upload file using ftp_put to FTPES with require_ssl_reuse). (Benedict Singer) -- IMAP: - . Fixed bug #72852 (imap_mail null dereference). (Anatol) - -- Intl: - . Fixed bug #65732 (grapheme_*() is not Unicode compliant on CR LF - sequence). (cmb) - - JSON: . Fixed bug #72787 (json_decode reads out of bounds). (Jakub Zelenka) - MSSQL: . Fixed bug #72039 (Use of uninitialised value on mssql_guid_string). (Kalle) -- OCI8: - . Fixed invalid handle error with Implicit Result Sets. (Chris Jones) - - PDO: . Fixed bug #60665 (call to empty() on NULL result using PDO::FETCH_LAZY returns false). (cmb) @@ -40,7 +34,6 @@ PHP NEWS - XML: . Fixed bug #72085 (SEGV on unknown address zif_xml_parse). (cmb) - . Fixed bug #72714 (_xml_startElementHandler() segmentation fault). (cmb) - ZIP: . Fixed bug #68302 (impossible to compile php with zip support). (cmb) @@ -124,6 +117,9 @@ PHP NEWS . Fixed bug #72710 (`mb_ereg` causes buffer overflow on regexp compile error). (ju1ius) +- OCI8: + . Fixed invalid handle error with Implicit Result Sets. (Chris Jones) + - PCRE: . Fixed bug #72688 (preg_match missing group names in matches). (cmb) @@ -145,7 +141,6 @@ PHP NEWS . Fixed bug #72848 (integer overflow in quoted_printable_encode). (Stas) . Fixed bug #72849 (integer overflow in urlencode). (Stas) . Fixed bug #72850 (integer overflow in php_uuencode). (Stas) - . Fixed bug #72716 (initialize buffer before read). (Stas) - Streams: . Fixed bug #41021 (Problems with the ftps wrapper). (vhuk) diff --git a/Zend/tests/bug72907.phpt b/Zend/tests/bug72907.phpt new file mode 100644 index 0000000000..00d9f5d183 --- /dev/null +++ b/Zend/tests/bug72907.phpt @@ -0,0 +1,18 @@ +--TEST-- +Bug #72907 (null pointer deref, segfault in gc_remove_zval_from_buffer (zend_gc.c:260)) +--FILE-- +<?php + +$a = 0; + +($a->a = &$E) + ($b = $a->b->i -= 0); + +?> +--EXPECTF-- +Warning: Attempt to modify property of non-object in %sbug72907.php on line %d + +Warning: Attempt to modify property of non-object in %sbug72907.php on line %d + +Warning: Creating default object from empty value in %sbug72907.php on line %d + +Notice: Undefined property: stdClass::$i in %sbug72907.php on line %d diff --git a/Zend/zend_execute.c b/Zend/zend_execute.c index c7e4b926d8..b422624bb1 100644 --- a/Zend/zend_execute.c +++ b/Zend/zend_execute.c @@ -522,9 +522,7 @@ static void zend_assign_to_variable_reference(zval **variable_ptr_ptr, zval **va zval *variable_ptr = *variable_ptr_ptr; zval *value_ptr = *value_ptr_ptr; - if (variable_ptr == &EG(error_zval) || value_ptr == &EG(error_zval)) { - variable_ptr_ptr = &EG(uninitialized_zval_ptr); - } else if (variable_ptr != value_ptr) { + if (variable_ptr != value_ptr) { if (!PZVAL_IS_REF(value_ptr)) { /* break it away */ Z_DELREF_P(value_ptr); diff --git a/Zend/zend_vm_def.h b/Zend/zend_vm_def.h index 2e81f82e49..f79d8a3f9e 100644 --- a/Zend/zend_vm_def.h +++ b/Zend/zend_vm_def.h @@ -1817,11 +1817,14 @@ ZEND_VM_HANDLER(39, ZEND_ASSIGN_REF, VAR|CV, VAR|CV) if ((OP2_TYPE == IS_VAR && UNEXPECTED(value_ptr_ptr == NULL)) || (OP1_TYPE == IS_VAR && UNEXPECTED(variable_ptr_ptr == NULL))) { zend_error_noreturn(E_ERROR, "Cannot create references to/from string offsets nor overloaded objects"); - } - zend_assign_to_variable_reference(variable_ptr_ptr, value_ptr_ptr TSRMLS_CC); - - if (OP2_TYPE == IS_VAR && opline->extended_value == ZEND_RETURNS_NEW) { - Z_DELREF_PP(variable_ptr_ptr); + } else if ((OP2_TYPE == IS_VAR && UNEXPECTED(*value_ptr_ptr == &EG(error_zval))) || + (OP1_TYPE == IS_VAR && UNEXPECTED(*variable_ptr_ptr == &EG(error_zval)))) { + variable_ptr_ptr = &EG(uninitialized_zval_ptr); + } else { + zend_assign_to_variable_reference(variable_ptr_ptr, value_ptr_ptr TSRMLS_CC); + if (OP2_TYPE == IS_VAR && opline->extended_value == ZEND_RETURNS_NEW) { + Z_DELREF_PP(variable_ptr_ptr); + } } if (RETURN_VALUE_USED(opline)) { diff --git a/Zend/zend_vm_execute.h b/Zend/zend_vm_execute.h index df47bea982..a31027ee92 100644 --- a/Zend/zend_vm_execute.h +++ b/Zend/zend_vm_execute.h @@ -20408,11 +20408,14 @@ static int ZEND_FASTCALL ZEND_ASSIGN_REF_SPEC_VAR_VAR_HANDLER(ZEND_OPCODE_HANDL if ((IS_VAR == IS_VAR && UNEXPECTED(value_ptr_ptr == NULL)) || (IS_VAR == IS_VAR && UNEXPECTED(variable_ptr_ptr == NULL))) { zend_error_noreturn(E_ERROR, "Cannot create references to/from string offsets nor overloaded objects"); - } - zend_assign_to_variable_reference(variable_ptr_ptr, value_ptr_ptr TSRMLS_CC); - - if (IS_VAR == IS_VAR && opline->extended_value == ZEND_RETURNS_NEW) { - Z_DELREF_PP(variable_ptr_ptr); + } else if ((IS_VAR == IS_VAR && UNEXPECTED(*value_ptr_ptr == &EG(error_zval))) || + (IS_VAR == IS_VAR && UNEXPECTED(*variable_ptr_ptr == &EG(error_zval)))) { + variable_ptr_ptr = &EG(uninitialized_zval_ptr); + } else { + zend_assign_to_variable_reference(variable_ptr_ptr, value_ptr_ptr TSRMLS_CC); + if (IS_VAR == IS_VAR && opline->extended_value == ZEND_RETURNS_NEW) { + Z_DELREF_PP(variable_ptr_ptr); + } } if (RETURN_VALUE_USED(opline)) { @@ -23903,11 +23906,14 @@ static int ZEND_FASTCALL ZEND_ASSIGN_REF_SPEC_VAR_CV_HANDLER(ZEND_OPCODE_HANDLE if ((IS_CV == IS_VAR && UNEXPECTED(value_ptr_ptr == NULL)) || (IS_VAR == IS_VAR && UNEXPECTED(variable_ptr_ptr == NULL))) { zend_error_noreturn(E_ERROR, "Cannot create references to/from string offsets nor overloaded objects"); - } - zend_assign_to_variable_reference(variable_ptr_ptr, value_ptr_ptr TSRMLS_CC); - - if (IS_CV == IS_VAR && opline->extended_value == ZEND_RETURNS_NEW) { - Z_DELREF_PP(variable_ptr_ptr); + } else if ((IS_CV == IS_VAR && UNEXPECTED(*value_ptr_ptr == &EG(error_zval))) || + (IS_VAR == IS_VAR && UNEXPECTED(*variable_ptr_ptr == &EG(error_zval)))) { + variable_ptr_ptr = &EG(uninitialized_zval_ptr); + } else { + zend_assign_to_variable_reference(variable_ptr_ptr, value_ptr_ptr TSRMLS_CC); + if (IS_CV == IS_VAR && opline->extended_value == ZEND_RETURNS_NEW) { + Z_DELREF_PP(variable_ptr_ptr); + } } if (RETURN_VALUE_USED(opline)) { @@ -37721,11 +37727,14 @@ static int ZEND_FASTCALL ZEND_ASSIGN_REF_SPEC_CV_VAR_HANDLER(ZEND_OPCODE_HANDLE if ((IS_VAR == IS_VAR && UNEXPECTED(value_ptr_ptr == NULL)) || (IS_CV == IS_VAR && UNEXPECTED(variable_ptr_ptr == NULL))) { zend_error_noreturn(E_ERROR, "Cannot create references to/from string offsets nor overloaded objects"); - } - zend_assign_to_variable_reference(variable_ptr_ptr, value_ptr_ptr TSRMLS_CC); - - if (IS_VAR == IS_VAR && opline->extended_value == ZEND_RETURNS_NEW) { - Z_DELREF_PP(variable_ptr_ptr); + } else if ((IS_VAR == IS_VAR && UNEXPECTED(*value_ptr_ptr == &EG(error_zval))) || + (IS_CV == IS_VAR && UNEXPECTED(*variable_ptr_ptr == &EG(error_zval)))) { + variable_ptr_ptr = &EG(uninitialized_zval_ptr); + } else { + zend_assign_to_variable_reference(variable_ptr_ptr, value_ptr_ptr TSRMLS_CC); + if (IS_VAR == IS_VAR && opline->extended_value == ZEND_RETURNS_NEW) { + Z_DELREF_PP(variable_ptr_ptr); + } } if (RETURN_VALUE_USED(opline)) { @@ -40929,11 +40938,14 @@ static int ZEND_FASTCALL ZEND_ASSIGN_REF_SPEC_CV_CV_HANDLER(ZEND_OPCODE_HANDLER if ((IS_CV == IS_VAR && UNEXPECTED(value_ptr_ptr == NULL)) || (IS_CV == IS_VAR && UNEXPECTED(variable_ptr_ptr == NULL))) { zend_error_noreturn(E_ERROR, "Cannot create references to/from string offsets nor overloaded objects"); - } - zend_assign_to_variable_reference(variable_ptr_ptr, value_ptr_ptr TSRMLS_CC); - - if (IS_CV == IS_VAR && opline->extended_value == ZEND_RETURNS_NEW) { - Z_DELREF_PP(variable_ptr_ptr); + } else if ((IS_CV == IS_VAR && UNEXPECTED(*value_ptr_ptr == &EG(error_zval))) || + (IS_CV == IS_VAR && UNEXPECTED(*variable_ptr_ptr == &EG(error_zval)))) { + variable_ptr_ptr = &EG(uninitialized_zval_ptr); + } else { + zend_assign_to_variable_reference(variable_ptr_ptr, value_ptr_ptr TSRMLS_CC); + if (IS_CV == IS_VAR && opline->extended_value == ZEND_RETURNS_NEW) { + Z_DELREF_PP(variable_ptr_ptr); + } } if (RETURN_VALUE_USED(opline)) { |