Fixed dereferencing of value returned from function (foo()[1] = ...)

2026-04-22 07:28:09 +02:00 · 2014-03-04 17:23:23 +04:00
parent ba30f1e946
commit 38151a38ec
4 changed files with 288 additions and 299 deletions
@@ -774,9 +774,7 @@ END_EXTERN_C()
 	} while (0)

 #define READY_TO_DESTROY(zv) \
-	(Z_REFCOUNT_P(zv) == 1 && \
-	 (Z_TYPE_P(zv) != IS_OBJECT || \
-	  zend_objects_store_get_refcount(zv TSRMLS_CC) == 1))
+	(Z_REFCOUNTED_P(zv) && Z_REFCOUNT_P(zv) == 1)

 #define ZEND_MAX_RESERVED_RESOURCES	4

@@ -113,20 +113,11 @@ static zend_always_inline void zend_pzval_unlock_free_func(zval *z TSRMLS_DC)
 #define PZVAL_LOCK(z) if (Z_REFCOUNTED_P(z)) Z_ADDREF_P((z))
 #define SELECTIVE_PZVAL_LOCK(pzv, opline)	if (RETURN_VALUE_USED(opline)) { PZVAL_LOCK(pzv); }

-#define EXTRACT_ZVAL_PTR(t) do {				\
-		temp_variable *__t = (t);				\
-		__t->var.ptr = *__t->var.ptr_ptr;		\
-		__t->var.ptr_ptr = &__t->var.ptr;		\
-		if (!PZVAL_IS_REF(__t->var.ptr) && 		\
-		    Z_REFCOUNT_P(__t->var.ptr) > 2) {	\
-			SEPARATE_ZVAL(__t->var.ptr_ptr);	\
-		}										\
-	} while (0)
-
-#define AI_SET_PTR(t, val) do {				\
-		temp_variable *__t = (t);			\
-		__t->var.ptr = (val);				\
-		__t->var.ptr_ptr = &__t->var.ptr;	\
+#define EXTRACT_ZVAL_PTR(zv) do {						\
+		zval *__zv = (zv);								\
+		if (Z_TYPE_P(__zv) == IS_INDIRECT) {			\
+			ZVAL_COPY_VALUE(__zv, Z_INDIRECT_P(__zv));	\
+		}												\
 	} while (0)

 #define FREE_OP(should_free) \
@@ -1188,9 +1188,9 @@ ZEND_VM_HANDLER(84, ZEND_FETCH_DIM_W, VAR|CV, CONST|TMP|VAR|UNUSED|CV)
 	}
 	zend_fetch_dimension_address(EX_VAR(opline->result.var), container, GET_OP2_ZVAL_PTR(BP_VAR_R), OP2_TYPE, BP_VAR_W TSRMLS_CC);
 	FREE_OP2();
-//???	if (OP1_TYPE == IS_VAR && OP1_FREE && READY_TO_DESTROY(free_op1.var)) {
-//???		EXTRACT_ZVAL_PTR(EX_VAR(opline->result.var));
-//???	}
+	if (OP1_TYPE == IS_VAR && OP1_FREE && READY_TO_DESTROY(free_op1.var)) {
+		EXTRACT_ZVAL_PTR(EX_VAR(opline->result.var));
+	}

 	FREE_OP1_VAR_PTR();

@@ -1230,9 +1230,9 @@ ZEND_VM_HANDLER(87, ZEND_FETCH_DIM_RW, VAR|CV, CONST|TMP|VAR|UNUSED|CV)
 	}
 	zend_fetch_dimension_address(EX_VAR(opline->result.var), container, GET_OP2_ZVAL_PTR(BP_VAR_R), OP2_TYPE, BP_VAR_RW TSRMLS_CC);
 	FREE_OP2();
-//???	if (OP1_TYPE == IS_VAR && OP1_FREE && READY_TO_DESTROY(free_op1.var)) {
-//???		EXTRACT_ZVAL_PTR(&EX_T(opline->result.var));
-//???	}
+	if (OP1_TYPE == IS_VAR && OP1_FREE && READY_TO_DESTROY(free_op1.var)) {
+		EXTRACT_ZVAL_PTR(EX_VAR(opline->result.var));
+	}
 	FREE_OP1_VAR_PTR();
 	CHECK_EXCEPTION();
 	ZEND_VM_NEXT_OPCODE();
@@ -1267,9 +1267,9 @@ ZEND_VM_HANDLER(93, ZEND_FETCH_DIM_FUNC_ARG, VAR|CV, CONST|TMP|VAR|UNUSED|CV)
 			zend_error_noreturn(E_ERROR, "Cannot use string offset as an array");
 		}
 		zend_fetch_dimension_address(EX_VAR(opline->result.var), container, GET_OP2_ZVAL_PTR(BP_VAR_R), OP2_TYPE, BP_VAR_W TSRMLS_CC);
-//???		if (OP1_TYPE == IS_VAR && OP1_FREE && READY_TO_DESTROY(free_op1.var)) {
-//???			EXTRACT_ZVAL_PTR(&EX_T(opline->result.var));
-//???		}
+		if (OP1_TYPE == IS_VAR && OP1_FREE && READY_TO_DESTROY(free_op1.var)) {
+			EXTRACT_ZVAL_PTR(EX_VAR(opline->result.var));
+		}
 		FREE_OP2();
 		FREE_OP1_VAR_PTR();
 	} else {
@@ -1302,9 +1302,9 @@ ZEND_VM_HANDLER(96, ZEND_FETCH_DIM_UNSET, VAR|CV, CONST|TMP|VAR|CV)
 	}
 	zend_fetch_dimension_address(EX_VAR(opline->result.var), container, GET_OP2_ZVAL_PTR(BP_VAR_R), OP2_TYPE, BP_VAR_UNSET TSRMLS_CC);
 	FREE_OP2();
-//???	if (OP1_TYPE == IS_VAR && OP1_FREE && READY_TO_DESTROY(free_op1.var)) {
-//???		EXTRACT_ZVAL_PTR(&EX_T(opline->result.var));
-//???	}
+	if (OP1_TYPE == IS_VAR && OP1_FREE && READY_TO_DESTROY(free_op1.var)) {
+		EXTRACT_ZVAL_PTR(EX_VAR(opline->result.var));
+	}
 	FREE_OP1_VAR_PTR();
 	if (UNEXPECTED(Z_TYPE_P(EX_VAR(opline->result.var)) == IS_STR_OFFSET)) {
 		zend_error_noreturn(E_ERROR, "Cannot unset string offsets");
@@ -1402,9 +1402,9 @@ ZEND_VM_HANDLER(85, ZEND_FETCH_OBJ_W, VAR|UNUSED|CV, CONST|TMP|VAR|CV)
 		FREE_OP2();
 //???	}

-//???	if (OP1_TYPE == IS_VAR && OP1_FREE && READY_TO_DESTROY(free_op1.var)) {
-//???		EXTRACT_ZVAL_PTR(&EX_T(opline->result.var));
-//???	}
+	if (OP1_TYPE == IS_VAR && OP1_FREE && READY_TO_DESTROY(free_op1.var)) {
+		EXTRACT_ZVAL_PTR(EX_VAR(opline->result.var));
+	}
 	FREE_OP1_VAR_PTR();

 	/* We are going to assign the result by reference */
@@ -1453,9 +1453,9 @@ ZEND_VM_HANDLER(88, ZEND_FETCH_OBJ_RW, VAR|UNUSED|CV, CONST|TMP|VAR|CV)
 		FREE_OP2();
 //???	}

-//???	if (OP1_TYPE == IS_VAR && OP1_FREE && READY_TO_DESTROY(free_op1.var)) {
-//???		EXTRACT_ZVAL_PTR(&EX_T(opline->result.var));
-//???	}
+	if (OP1_TYPE == IS_VAR && OP1_FREE && READY_TO_DESTROY(free_op1.var)) {
+		EXTRACT_ZVAL_PTR(EX_VAR(opline->result.var));
+	}
 	FREE_OP1_VAR_PTR();
 	CHECK_EXCEPTION();
 	ZEND_VM_NEXT_OPCODE();
@@ -1530,9 +1530,9 @@ ZEND_VM_HANDLER(94, ZEND_FETCH_OBJ_FUNC_ARG, VAR|UNUSED|CV, CONST|TMP|VAR|CV)
 			FREE_OP2();
 //???		}

-//???		if (OP1_TYPE == IS_VAR && OP1_FREE && READY_TO_DESTROY(free_op1.var)) {
-//???			EXTRACT_ZVAL_PTR(&EX_T(opline->result.var));
-//???		}
+		if (OP1_TYPE == IS_VAR && OP1_FREE && READY_TO_DESTROY(free_op1.var)) {
+			EXTRACT_ZVAL_PTR(EX_VAR(opline->result.var));
+		}
 		FREE_OP1_VAR_PTR();
 		CHECK_EXCEPTION();
 		ZEND_VM_NEXT_OPCODE();
@@ -1567,9 +1567,9 @@ ZEND_VM_HANDLER(97, ZEND_FETCH_OBJ_UNSET, VAR|UNUSED|CV, CONST|TMP|VAR|CV)
 		FREE_OP2();
 //???	}

-//???	if (OP1_TYPE == IS_VAR && OP1_FREE && READY_TO_DESTROY(free_op1.var)) {
-//???		EXTRACT_ZVAL_PTR(&EX_T(opline->result.var));
-//???	}
+	if (OP1_TYPE == IS_VAR && OP1_FREE && READY_TO_DESTROY(free_op1.var)) {
+		EXTRACT_ZVAL_PTR(EX_VAR(opline->result.var));
+	}
 	FREE_OP1_VAR_PTR();

 	retval_ptr = EX_VAR(opline->result.var);