summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
Diffstat
-rw-r--r--Zend/tests/bug52237.phpt12
-rw-r--r--Zend/zend_vm_def.h7
-rw-r--r--Zend/zend_vm_execute.h14
3 files changed, 33 insertions, 0 deletions
diff --git a/Zend/tests/bug52237.phpt b/Zend/tests/bug52237.phpt
new file mode 100644
index 0000000000..0b54787aa9
--- /dev/null
+++ b/Zend/tests/bug52237.phpt
@@ -0,0 +1,12 @@
+--TEST--
+Bug #52237 (Crash when passing the reference of the property of a non-object)
+--FILE--
+<?php
+$data = 'test';
+preg_match('//', '', $data->info);
+var_dump($data);
+?>
+--EXPECTF--
+
+Warning: Attempt to modify property of non-object in %sbug52237.php on line 3
+string(4) "test"
diff --git a/Zend/zend_vm_def.h b/Zend/zend_vm_def.h
index e453216940..6f5e87a88c 100644
--- a/Zend/zend_vm_def.h
+++ b/Zend/zend_vm_def.h
@@ -3078,6 +3078,13 @@ ZEND_VM_HANDLER(67, ZEND_SEND_REF, VAR|CV, ANY)
zend_error_noreturn(E_ERROR, "Only variables can be passed by reference");
}
+ if (OP1_TYPE == IS_VAR && UNEXPECTED(*varptr_ptr == &EG(error_zval))) {
+ Z_DELREF_PP(varptr_ptr);
+ ALLOC_ZVAL(*varptr_ptr);
+ INIT_ZVAL(**varptr_ptr);
+ Z_SET_REFCOUNT_PP(varptr_ptr, 0);
+ }
+
if (EX(function_state).function->type == ZEND_INTERNAL_FUNCTION && !ARG_SHOULD_BE_SENT_BY_REF(EX(fbc), opline->op2.opline_num)) {
ZEND_VM_DISPATCH_TO_HELPER(zend_send_by_var_helper);
}
diff --git a/Zend/zend_vm_execute.h b/Zend/zend_vm_execute.h
index 898ab3a2c0..ad62b6ec4a 100644
--- a/Zend/zend_vm_execute.h
+++ b/Zend/zend_vm_execute.h
@@ -10510,6 +10510,13 @@ static int ZEND_FASTCALL ZEND_SEND_REF_SPEC_VAR_HANDLER(ZEND_OPCODE_HANDLER_ARG
zend_error_noreturn(E_ERROR, "Only variables can be passed by reference");
}
+ if (IS_VAR == IS_VAR && UNEXPECTED(*varptr_ptr == &EG(error_zval))) {
+ Z_DELREF_PP(varptr_ptr);
+ ALLOC_ZVAL(*varptr_ptr);
+ INIT_ZVAL(**varptr_ptr);
+ Z_SET_REFCOUNT_PP(varptr_ptr, 0);
+ }
+
if (EX(function_state).function->type == ZEND_INTERNAL_FUNCTION && !ARG_SHOULD_BE_SENT_BY_REF(EX(fbc), opline->op2.opline_num)) {
return zend_send_by_var_helper_SPEC_VAR(ZEND_OPCODE_HANDLER_ARGS_PASSTHRU);
}
@@ -26466,6 +26473,13 @@ static int ZEND_FASTCALL ZEND_SEND_REF_SPEC_CV_HANDLER(ZEND_OPCODE_HANDLER_ARGS
zend_error_noreturn(E_ERROR, "Only variables can be passed by reference");
}
+ if (IS_CV == IS_VAR && UNEXPECTED(*varptr_ptr == &EG(error_zval))) {
+ Z_DELREF_PP(varptr_ptr);
+ ALLOC_ZVAL(*varptr_ptr);
+ INIT_ZVAL(**varptr_ptr);
+ Z_SET_REFCOUNT_PP(varptr_ptr, 0);
+ }
+
if (EX(function_state).function->type == ZEND_INTERNAL_FUNCTION && !ARG_SHOULD_BE_SENT_BY_REF(EX(fbc), opline->op2.opline_num)) {
return zend_send_by_var_helper_SPEC_CV(ZEND_OPCODE_HANDLER_ARGS_PASSTHRU);
}
View Lorry Controller Status