From 7fc8077e4caf1ac62e9591775f7779eb1a7c25ad Mon Sep 17 00:00:00 2001
From: Xinchen Hui
Date: Thu, 4 Apr 2013 13:40:21 +0800
Subject: [PATCH 1/4] Fixed Bug #64578
---
 Zend/zend_execute.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/Zend/zend_execute.c b/Zend/zend_execute.c
index de7cd4a4864..16dc08e5020 100644
--- a/Zend/zend_execute.c
+++ b/Zend/zend_execute.c
@@ -937,6 +937,10 @@ convert_to_array:
 zend_error_noreturn(E_ERROR, "[] operator not supported for strings");
 }
+ if (type != BP_VAR_UNSET) {
+ SEPARATE_ZVAL_IF_NOT_REF(container_ptr);
+ }
+
 if (Z_TYPE_P(dim) != IS_LONG) {
 switch(Z_TYPE_P(dim)) {
 /* case IS_LONG: */
@@ -956,9 +960,6 @@ convert_to_array:
 convert_to_long(&tmp);
 dim = &tmp;
 }
- if (type != BP_VAR_UNSET) {
- SEPARATE_ZVAL_IF_NOT_REF(container_ptr);
- }
 container = *container_ptr;
 result->str_offset.str = container;
 PZVAL_LOCK(container);
From c96a5bc6be99ff8a4c5dbc1ea3c04d8144bc47a9 Mon Sep 17 00:00:00 2001
From: Xinchen Hui
Date: Thu, 4 Apr 2013 14:34:11 +0800
Subject: [PATCH 2/4] Fixed bug #64578 (debug_backtrace in set_error_handler corrupts zend heap: segfault)
---
 NEWS | 3 +++
 Zend/tests/bug64578.phpt | 15 +++++++++++++++
 Zend/zend_execute.c | 7 ++++---
 3 files changed, 22 insertions(+), 3 deletions(-)
 create mode 100644 Zend/tests/bug64578.phpt
diff --git a/NEWS b/NEWS
index 18fe3e5c4a4..78390168fe9 100644
--- a/NEWS
+++ b/NEWS
@@ -2,6 +2,9 @@ PHP NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 ?? ??? 2013, PHP 5.3.25
+- Core:
+ . Fixed bug #64578 (debug_backtrace in set_error_handler corrupts zend heap:
+ segfault). (Laruence)
 ?? ??? 2013, PHP 5.3.24
diff --git a/Zend/tests/bug64578.phpt b/Zend/tests/bug64578.phpt
new file mode 100644
index 00000000000..65c51d94ffd
--- /dev/null
+++ b/Zend/tests/bug64578.phpt
@@ -0,0 +1,15 @@ +--TEST-- +Bug #64578 (debug_backtrace in set_error_handler corrupts zend heap: segfault) +--FILE-- + +--EXPECTF-- +Warning: Illegal offset type in %sbug64578.php on line %d +string(1) "1" diff --git a/Zend/zend_execute.c b/Zend/zend_execute.c index de7cd4a4864..16dc08e5020 100644 --- a/Zend/zend_execute.c +++ b/Zend/zend_execute.c @@ -937,6 +937,10 @@ convert_to_array: zend_error_noreturn(E_ERROR, "[] operator not supported for strings"); } + if (type != BP_VAR_UNSET) { + SEPARATE_ZVAL_IF_NOT_REF(container_ptr); + } + if (Z_TYPE_P(dim) != IS_LONG) { switch(Z_TYPE_P(dim)) { /* case IS_LONG: */ @@ -956,9 +960,6 @@ convert_to_array: convert_to_long(&tmp); dim = &tmp; } - if (type != BP_VAR_UNSET) { - SEPARATE_ZVAL_IF_NOT_REF(container_ptr); - } container = *container_ptr; result->str_offset.str = container; PZVAL_LOCK(container); From 82ac3106e061b31ccbbf53a5276eae441254057d Mon Sep 17 00:00:00 2001 From: Xinchen Hui Date: Thu, 4 Apr 2013 14:47:49 +0800 Subject: [PATCH 3/4] Use 5.4 specifical warnnig & Update NEWs --- NEWS | 2 ++ Zend/tests/bug64578.phpt | 16 +++++++--------- 2 files changed, 9 insertions(+), 9 deletions(-) diff --git a/NEWS b/NEWS index 7960f65d9b0..951a96a44fd 100644 --- a/NEWS +++ b/NEWS @@ -2,6 +2,8 @@ PHP NEWS ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||| ?? ??? 2013, PHP 5.4.15 - Core: + . Fixed bug #64578 (debug_backtrace in set_error_handler corrupts zend heap: + segfault). (Laruence) . Fixed bug #64433 (follow_location parameter of context is ignored for most response codes). (Sergey Akbarov) diff --git a/Zend/tests/bug64578.phpt b/Zend/tests/bug64578.phpt index 65c51d94ffd..73b3ec4f970 100644 --- a/Zend/tests/bug64578.phpt +++ b/Zend/tests/bug64578.phpt @@ -2,14 +2,12 @@ Bug #64578 (debug_backtrace in set_error_handler corrupts zend heap: segfault) --FILE-- +print_r($y); --EXPECTF-- -Warning: Illegal offset type in %sbug64578.php on line %d -string(1) "1" +1 
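Review bot: The relocated `SEPARATE_ZVAL_IF_NOT_REF(container_ptr)` in the first Zend/zend_execute.c hunk of PATCH 2/4 (the same hunk appears in PATCH 1/4) has no comment saying why it must precede the offset-type `switch`, so a later cleanup could move it back next to `container = *container_ptr;` and reintroduce the heap corruption. Going by the commit title and the test's expected `Illegal offset type` warning, the `switch` presumably raises a warning that can run a user error handler while the string is still shared; I would add `/* Separate before the offset checks: they may raise a warning and run a user error handler (bug #64578) */` above the `if`. The second hunk still reads `*container_ptr` after that point, so it is worth confirming that a handler cannot leave it holding a non-string before `result->str_offset.str` is set. The enclosing function starts and ends outside both hunks.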
From 34c5b80595b11ae072733913628ac972f8cb8b04 Mon Sep 17 00:00:00 2001
From: Xinchen Hui
Date: Thu, 4 Apr 2013 14:49:22 +0800
Subject: [PATCH 4/4] Update NEWs
---
 NEWS | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/NEWS b/NEWS
index 974df5e9ed8..67b7bf7e990 100644
--- a/NEWS
+++ b/NEWS
@@ -3,6 +3,8 @@ PHP NEWS
 ?? ??? 20??, PHP 5.5.0 Beta 3
 - Core:
+ . Fixed bug #64578 (debug_backtrace in set_error_handler corrupts zend heap:
+ segfault). (Laruence)
 . Fixed bug #64565 (copy doesn't report failure on partial copy). (Remi)
 . Fixed bug #64555 (foreach no longer copies keys if they are interned). (Nikita Popov)