-rw-r--r-- | NEWS | 2 | ||||
-rw-r--r-- | Zend/tests/bug70782.phpt | 10 | ||||
-rw-r--r-- | Zend/zend_compile.c | 11 |
3 files changed, 21 insertions, 2 deletions
@@ -7,6 +7,8 @@ PHP NEWS
 (Laruence)
 . Fixed bug #70689 (Exception handler does not work as expected). (Laruence)
 . Fixed bug #70430 (Stack buffer overflow in zend_language_parser()). (Nikita)
+ . Fixed bug #70782 (null ptr deref and segfault (zend_get_class_fetch_type)).
+ (Nikita)
 - Opcache:
 . Fixed bug #70724 (Undefined Symbols from opcache.so on Mac OS X 10.10).
diff --git a/Zend/tests/bug70782.phpt b/Zend/tests/bug70782.phpt
new file mode 100644
index 0000000000..bbe63ffec2
--- /dev/null
+++ b/Zend/tests/bug70782.phpt
@@ -0,0 +1,10 @@
+--TEST--
+Bug #70782: null ptr deref and segfault (zend_get_class_fetch_type)
+--FILE--
+<?php
+
+(-0)::$prop;
+
+?>
+--EXPECTF--
+Fatal error: Illegal class name in %s on line %d
diff --git a/Zend/zend_compile.c b/Zend/zend_compile.c
index 26655ad795..c3e9384556 100644
--- a/Zend/zend_compile.c
+++ b/Zend/zend_compile.c
@@ -2126,8 +2126,15 @@ static zend_op *zend_compile_class_ref(znode *result, zend_ast *name_ast, int th
 zend_compile_expr(&name_node, name_ast);
 if (name_node.op_type == IS_CONST) {
- zend_string *name = Z_STR(name_node.u.constant);
- uint32_t fetch_type = zend_get_class_fetch_type(name);
+ zend_string *name;
+ uint32_t fetch_type;
+
+ if (Z_TYPE(name_node.u.constant) != IS_STRING) {
+ zend_error_noreturn(E_COMPILE_ERROR, "Illegal class name");
+ }
+
+ name = Z_STR(name_node.u.constant);
+ fetch_type = zend_get_class_fetch_type(name);
 opline = zend_emit_op(result, ZEND_FETCH_CLASS, NULL, NULL);
 opline->extended_value = fetch_type | (throw_exception ? ZEND_FETCH_CLASS_EXCEPTION : 0); |
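Review bot: The new test in Zend/tests/bug70782.phpt pins only `(-0)::$prop;`, which is presumably the one constant whose value reads back as a NULL pointer, so it would still pass if the compiler fix were a NULL check rather than a type check. Sibling cases with a non-zero integer or a float literal, for example `(-1)::$prop;`, each in its own .phpt because the fatal error ends the script, would pin the `IS_STRING` check itself. If other syntaxes that take a class name from a constant expression share this compile path, one test per syntax would be worth adding; that cannot be confirmed from this page.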
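Review bot: The added `Z_TYPE(name_node.u.constant) != IS_STRING` guard in zend_compile_class_ref has no comment saying why an IS_CONST node can be a non-string here, and the bug title understates what it prevents. `Z_STR()` on a non-string constant reinterprets the zval's value slot as a `zend_string *`, so only a zero value gives a NULL dereference; any other number would have handed a bogus non-NULL pointer to `zend_get_class_fetch_type()`. I would add above the check: `/* The operand may be a folded constant expression that is not a string (e.g. an integer); Z_STR() is only valid for IS_STRING. */`. The function body starts and continues outside the hunk, so whether the non-constant branch validates its operand type cannot be seen here.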