Fix bug #10287 - avoid crashing under a bogus usage of list()

Zend/zend_API.h

@@ -243,9 +243,12 @@ ZEND_API int zend_set_hash_symbol(zval *symbol, char *name, int name_length,
 
 #if ZEND_DEBUG
 #define CHECK_ZVAL_STRING(z) \
-if ((z)->value.str.val[ (z)->value.str.len ] != '\0') zend_error(E_WARNING, "String is not zero-terminated (%s)",(z)->value.str.val);
+	if ((z)->value.str.val[ (z)->value.str.len ] != '\0') zend_error(E_WARNING, "String is not zero-terminated (%s)", (z)->value.str.val);
+#define CHECK_ZVAL_STRING_REL(z) \
+	if ((z)->value.str.val[ (z)->value.str.len ] != '\0') zend_error(E_WARNING, "String is not zero-terminated (%s) (source: %s:%d)", (z)->value.str.val ZEND_FILE_LINE_RELAY_CC);
 #else
 #define CHECK_ZVAL_STRING(z)
+#define CHECK_ZVAL_STRING_REL(z)
 #endif
 
 #define ZVAL_RESOURCE(z,l) {			\
@@ -284,7 +287,6 @@ if ((z)->value.str.val[ (z)->value.str.len ] != '\0') zend_error(E_WARNING, "Str
 		(z)->value.str.len = __l;	    \
 		(z)->value.str.val = (duplicate?estrndup(__s,__l):__s);	\
 		(z)->type = IS_STRING;		    \
-		CHECK_ZVAL_STRING(z); 			\
 	}
 
 #define ZVAL_EMPTY_STRING(z) {	        \

Zend/zend_compile.c

@@ -77,6 +77,7 @@ void zend_init_compiler_data_structures(CLS_D)
 	CG(active_ce_parent_class_name).value.str.val = NULL;
 	zend_llist_init(&CG(list_llist), sizeof(list_llist_element), NULL, 0);
 	zend_llist_init(&CG(dimension_llist), sizeof(int), NULL, 0);
+	zend_stack_init(&CG(list_stack));
 	CG(handle_op_arrays) = 1;
 	CG(in_compilation) = 0;
 	init_compiler_declarables(CLS_C);
@@ -101,6 +102,7 @@ void shutdown_compiler(CLS_D)
 	zend_stack_destroy(&CG(foreach_copy_stack));
 	zend_stack_destroy(&CG(object_stack));
 	zend_stack_destroy(&CG(declare_stack));
+	zend_stack_destroy(&CG(list_stack));
 	zend_hash_destroy(&CG(filenames_table));
 	zend_llist_destroy(&CG(open_files));
 }
@@ -1853,6 +1855,8 @@ void zend_do_new_list_end(CLS_D)
 
 void zend_do_list_init(CLS_D)
 {
+	zend_stack_push(&CG(list_stack), &CG(list_llist), sizeof(zend_llist));
+	zend_stack_push(&CG(list_stack), &CG(dimension_llist), sizeof(zend_llist));
 	zend_llist_init(&CG(list_llist), sizeof(list_llist_element), NULL, 0);
 	zend_llist_init(&CG(dimension_llist), sizeof(int), NULL, 0);
 	zend_do_new_list_begin(CLS_C);
@@ -1911,6 +1915,17 @@ void zend_do_list_end(znode *result, znode *expr CLS_DC)
 	zend_llist_destroy(&CG(dimension_llist));
 	zend_llist_destroy(&CG(list_llist));
 	*result = *expr;
+	{
+		zend_llist *p;
+
+		/* restore previous lists */
+		zend_stack_top(&CG(list_stack), (void **) &p);
+		CG(dimension_llist) = *p;
+		zend_stack_del_top(&CG(list_stack));
+		zend_stack_top(&CG(list_stack), (void **) &p);
+		CG(list_llist) = *p;
+		zend_stack_del_top(&CG(list_stack));
+	}
 }
 
 

Zend/zend_globals.h

@@ -78,6 +78,7 @@ struct _zend_compiler_globals {
 	/* variables for list() compilation */
 	zend_llist list_llist;
 	zend_llist dimension_llist;
+	zend_stack list_stack;
 
 	zend_stack function_call_stack;
 

Zend/zend_variables.c

@@ -40,7 +40,7 @@ ZEND_API void _zval_dtor(zval *zvalue ZEND_FILE_LINE_DC)
 	switch(zvalue->type) {
 		case IS_STRING:
 		case IS_CONSTANT:
-			CHECK_ZVAL_STRING(zvalue);
+			CHECK_ZVAL_STRING_REL(zvalue);
 			STR_FREE_REL(zvalue->value.str.val);
 			break;
 		case IS_ARRAY:
@@ -96,7 +96,7 @@ ZEND_API int _zval_copy_ctor(zval *zvalue ZEND_FILE_LINE_DC)
 					return SUCCESS;
 				}
 			}
-			CHECK_ZVAL_STRING(zvalue);
+			CHECK_ZVAL_STRING_REL(zvalue);
 			zvalue->value.str.val = (char *) estrndup_rel(zvalue->value.str.val, zvalue->value.str.len);
 			break;
 		case IS_ARRAY: