-rw-r--r-- | NEWS | 2 | ||||
-rw-r--r-- | Zend/tests/bug70124.phpt | 47 | ||||
-rw-r--r-- | Zend/zend_execute.c | 9 |
3 files changed, 58 insertions, 0 deletions
@@ -3,6 +3,8 @@ PHP NEWS
 06 Aug 2015, PHP 7.0.0 Beta 3
 - Core:
+ . Fixed bug #70124 (null ptr deref / seg fault in ZEND_HANDLE_EXCEPTION).
+ (Laruence)
 . Fixed bug #70117 (Unexpected return type error). (Laruence)
 . Fixed bug #70106 (Inheritance by anonymous class). (Bob)
diff --git a/Zend/tests/bug70124.phpt b/Zend/tests/bug70124.phpt
new file mode 100644
index 0000000000..3138430b8f
--- /dev/null
+++ b/Zend/tests/bug70124.phpt
@@ -0,0 +1,47 @@
+--TEST--
+Bug #70124 (null ptr deref / seg fault in ZEND_HANDLE_EXCEPTION_SPEC_HANDLER)
+--FILE--
+<?php
+
+try {
+ echo base_convert([array_search(chr(48),chr(48),chr(48),chr(48),chr(48),$f("test"))],chr(48));
+} catch (Error $e) {
+ var_dump($e->getMessage());
+}
+
+class A {
+}
+
+try {
+ echo base_convert([array_search(chr(48),chr(48),chr(48),chr(48),chr(48),a::y("test"))],chr(48));
+} catch (Error $e) {
+ var_dump($e->getMessage());
+}
+
+$a = new A;
+
+try {
+ echo base_convert([array_search(chr(48),chr(48),chr(48),chr(48),chr(48),$a->y("test"))],chr(48));
+} catch (Error $e) {
+ var_dump($e->getMessage());
+}
+
+try {
+ echo base_convert([array_search(chr(48),chr(48),chr(48),chr(48),chr(48),\bar\y("test"))],chr(48));
+} catch (Error $e) {
+ var_dump($e->getMessage());
+}
+
+try {
+ echo base_convert([array_search(chr(48),chr(48),chr(48),chr(48),chr(48),y("test"))],chr(48));
+} catch (Error $e) {
+ var_dump($e->getMessage());
+}
+?>
+--EXPECTF--
+Notice: Undefined variable: f in %sbug70124.php on line %d
+string(30) "Function name must be a string"
+string(31) "Call to undefined method A::y()"
+string(31) "Call to undefined method A::y()"
+string(34) "Call to undefined function bar\y()"
+string(30) "Call to undefined function y()"
diff --git a/Zend/zend_execute.c b/Zend/zend_execute.c
index 2d1bd5e3d0..065809f1a6 100644
--- a/Zend/zend_execute.c
+++ b/Zend/zend_execute.c
@@ -2395,6 +2395,15 @@ static zend_always_inline void i_cleanup_unfinished_execution(zend_execute_data
 zend_op *opline = EX(func)->op_array.opcodes + op_num;
 int level;
 int do_exit;
+
+ if (UNEXPECTED(opline->opcode == ZEND_INIT_FCALL ||
+ opline->opcode == ZEND_INIT_FCALL_BY_NAME ||
+ opline->opcode == ZEND_INIT_DYNAMIC_CALL ||
+ opline->opcode == ZEND_INIT_METHOD_CALL ||
+ opline->opcode == ZEND_INIT_STATIC_METHOD_CALL)) {
+ ZEND_ASSERT(op_num);
+ opline--;
+ }
 do {
 /* If the exception was thrown during a function call there might be |