From 3b9ba7b6bd9e24bdbeca8e8e3f24cee2fccc51d8 Mon Sep 17 00:00:00 2001
From: Xinchen Hui <laruence@gmail.com>
Date: Wed, 29 Nov 2017 14:46:21 +0800
Subject: [PATCH] Fixed bug #75573 (Segmentation fault in 7.1.12 and 7.0.26)
---
NEWS | 1 +
Zend/tests/bug75573.phpt | 64 +++++++++++++++++++++++++++++++++++++++++++++
Zend/zend_object_handlers.c | 10 +++----
3 files changed, 69 insertions(+), 6 deletions(-)
create mode 100644 Zend/tests/bug75573.phpt
diff --git a/Zend/tests/bug75573.phpt b/Zend/tests/bug75573.phpt
new file mode 100644
index 0000000..476ff6e
--- /dev/null
+++ b/Zend/tests/bug75573.phpt
@@ -0,0 +1,64 @@
+--TEST--
+Bug #75573 (Segmentation fault in 7.1.12 and 7.0.26)
+--FILE--
+<?php
+
+class A
+{
+ var $_stdObject;
+ function initialize($properties = FALSE) {
+ $this->_stdObject = $properties ? (object) $properties : new stdClass();
+ parent::initialize();
+ }
+ function &__get($property)
+ {
+ if (isset($this->_stdObject->{$property})) {
+ $retval =& $this->_stdObject->{$property};
+ return $retval;
+ } else {
+ return NULL;
+ }
+ }
+ function &__set($property, $value)
+ {
+ return $this->_stdObject->{$property} = $value;
+ }
+ function __isset($property_name)
+ {
+ return isset($this->_stdObject->{$property_name});
+ }
+}
+
+class B extends A
+{
+ function initialize($properties = array())
+ {
+ parent::initialize($properties);
+ }
+ function &__get($property)
+ {
+ if (isset($this->settings) && isset($this->settings[$property])) {
+ $retval =& $this->settings[$property];
+ return $retval;
+ } else {
+ return parent::__get($property);
+ }
+ }
+}
+
+$b = new B();
+$b->settings = [ "foo" => "bar", "name" => "abc" ];
+var_dump($b->name);
+var_dump($b->settings);
+?>
+--EXPECTF--
+Warning: Creating default object from empty value in %sbug75573.php on line %d
+
+Notice: Only variable references should be returned by reference in %sbug75573.php on line %d
+string(3) "abc"
+array(2) {
+ ["foo"]=>
+ string(3) "bar"
+ ["name"]=>
+ string(3) "abc"
+}
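Review bot: The reproducer in the `--FILE--` section carries code that never runs: neither `initialize()` method is called, and `A::initialize()` refers to `parent::` although `A` extends nothing in this file. Trimming those methods would leave only the `__get`/`__set`/`__isset` interplay that the expected output depends on. A one-line comment above `var_dump($b->name);`, such as `// property read nested inside __get() while the getter guard is already set`, would tell the next reader which access the test exists for. That re-entrant path is inferred from the C change in this commit, so confirm the wording against the engine code.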
diff --git a/Zend/zend_object_handlers.c b/Zend/zend_object_handlers.c
index 10045b5..d9ebd84 100644
--- a/Zend/zend_object_handlers.c
+++ b/Zend/zend_object_handlers.c
@@ -668,13 +668,11 @@ zval *zend_std_read_property(zval *object, zval *member, int type, void **cache_
}
zval_ptr_dtor(&tmp_object);
goto exit;
- } else {
+ } else if (Z_STRVAL_P(member)[0] == '\0' && Z_STRLEN_P(member) != 0) {
zval_ptr_dtor(&tmp_object);
- if (Z_STRVAL_P(member)[0] == '\0' && Z_STRLEN_P(member) != 0) {
- zend_throw_error(NULL, "Cannot access property started with '\\0'");
- retval = &EG(uninitialized_zval);
- goto exit;
- }
+ zend_throw_error(NULL, "Cannot access property started with '\\0'");
+ retval = &EG(uninitialized_zval);
+ goto exit;
}
}
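Review bot: On the fall-through path of the new `else if` (getter guard already set, ordinary property name) nothing in this hunk releases `tmp_object` any more, so correctness now depends on code after the hunk releasing it exactly once. The removed unconditional `zval_ptr_dtor(&tmp_object)` suggests the old branch released it and then reached a second release further down, which would fit the reported segfault, but that later release is not visible here. A comment on the branch would record the ownership rule, for example `/* guard set, ordinary name: fall through; tmp_object is released once after this block */`. zend_std_read_property starts and ends outside the hunk, so check that every path from here to `exit` releases `tmp_object` once and only once.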
--
2.1.4