diff options
| -rw-r--r-- | NEWS | 2 | ||||
| -rw-r--r-- | Zend/tests/bug75420.phpt | 15 | ||||
| -rw-r--r-- | Zend/zend_object_handlers.c | 7 |
3 files changed, 22 insertions, 2 deletions
@@ -3,6 +3,8 @@ PHP NEWS ?? ??? 2017 PHP 7.0.26 - Core: + . Fixed bug #75420 (Crash when modifing property name in __isset for + BP_VAR_IS). (Laruence) . Fixed bug #75368 (mmap/munmap trashing on unlucky allocations). (Nikita, Dmitry) diff --git a/Zend/tests/bug75420.phpt b/Zend/tests/bug75420.phpt new file mode 100644 index 0000000000..890fbe5ad5 --- /dev/null +++ b/Zend/tests/bug75420.phpt @@ -0,0 +1,15 @@ +--TEST-- +Bug #75420 (Crash when modifing property name in __isset for BP_VAR_IS) +--FILE-- +<?php + +class Test { + public function __isset($x) { $GLOBALS["name"] = 24; return true; } +public function __get($x) { var_dump($x); return 42; } +} + +$obj = new Test; +$name = "foo"; +var_dump($obj->$name ?? 12); +?> +--EXPECT-- diff --git a/Zend/zend_object_handlers.c b/Zend/zend_object_handlers.c index 9ce9f1df1a..22455b9254 100644 --- a/Zend/zend_object_handlers.c +++ b/Zend/zend_object_handlers.c @@ -510,6 +510,7 @@ zval *zend_std_read_property(zval *object, zval *member, int type, void **cache_ zval tmp_member; zval *retval; uint32_t property_offset; + zend_long *guard = NULL; zobj = Z_OBJ_P(object); @@ -545,7 +546,7 @@ zval *zend_std_read_property(zval *object, zval *member, int type, void **cache_ /* magic isset */ if ((type == BP_VAR_IS) && zobj->ce->__isset) { zval tmp_object, tmp_result; - zend_long *guard = zend_get_property_guard(zobj, Z_STR_P(member)); + guard = zend_get_property_guard(zobj, Z_STR_P(member)); if (!((*guard) & IN_ISSET)) { ZVAL_COPY(&tmp_object, object); @@ -569,7 +570,9 @@ zval *zend_std_read_property(zval *object, zval *member, int type, void **cache_ /* magic get */ if (zobj->ce->__get) { - zend_long *guard = zend_get_property_guard(zobj, Z_STR_P(member)); + if (guard == NULL) { + guard = zend_get_property_guard(zobj, Z_STR_P(member)); + } if (!((*guard) & IN_GET)) { zval tmp_object; |