-rw-r--r--Zend/tests/bug75241.phpt13
-rw-r--r--Zend/zend_operators.c4
-rw-r--r--ext/spl/spl_dllist.c2
3 files changed, 17 insertions, 2 deletions
diff --git a/Zend/tests/bug75241.phpt b/Zend/tests/bug75241.phpt
new file mode 100644
index 0000000000..1751bbee76
--- /dev/null
+++ b/Zend/tests/bug75241.phpt
@@ -0,0 +1,13 @@
+--TEST--
+Bug #75241 (Null pointer dereference in zend_mm_alloc_small())
+--FILE--
+<?php
+function eh(){}
+
+set_error_handler('eh');
+
+$d->d = &$d + $d->d/=0;
+var_dump($d);
+?>
+--EXPECT--
+float(INF)
diff --git a/Zend/zend_operators.c b/Zend/zend_operators.c
index ffc4dcc9a2..2054bbcee7 100644
--- a/Zend/zend_operators.c
+++ b/Zend/zend_operators.c
@@ -225,8 +225,10 @@ ZEND_API void ZEND_FASTCALL convert_scalar_to_number(zval *op) /* {{{ */
if (Z_TYPE(holder) == IS_LONG) { \
if (op == result) { \
zval_ptr_dtor(op); \
+ ZVAL_LONG(op, Z_LVAL(holder)); \
+ } else { \
+ (op) = &(holder); \
} \
- (op) = &(holder); \
} \
break; \
} \
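Review bot: In the `op == result` branch, `zval_ptr_dtor(op)` still runs before `ZVAL_LONG(op, Z_LVAL(holder))`, so while the old value is being released `*op` still carries its stale type and pointer. If that release can reach user code (for example an object destructor), the stale slot could be observed or released again; this is inferred, because the macro starts and ends outside the hunk and the code that fills `holder` is not visible. A more defensive order is to save the old value in a local `zval tmp`, store the result, then release: `ZVAL_COPY_VALUE(&tmp, op); ZVAL_LONG(op, Z_LVAL(holder)); zval_ptr_dtor(&tmp);`. The branch would also benefit from a comment on why the in-place case differs, such as `/* op aliases result: store the long in the slot itself instead of repointing op at holder */`.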
diff --git a/ext/spl/spl_dllist.c b/ext/spl/spl_dllist.c
index 52138561bc..c7ac6cecd0 100644
--- a/ext/spl/spl_dllist.c
+++ b/ext/spl/spl_dllist.c
@@ -733,7 +733,7 @@ SPL_METHOD(SplDoublyLinkedList, setIteratorMode)
return;
}
- intern->flags = value & SPL_DLLIST_IT_MASK | intern->flags & SPL_DLLIST_IT_FIX;
+ intern->flags = (value & SPL_DLLIST_IT_MASK) | (intern->flags & SPL_DLLIST_IT_FIX);
RETURN_LONG(intern->flags);
}