diff --git a/NEWS b/NEWS index 8bb9f28fc34..e3d81786460 100644 --- a/NEWS +++ b/NEWS @@ -3,6 +3,8 @@ PHP NEWS ?? ??? 2017 PHP 7.0.26 - Core: + . Fixed bug #75420 (Crash when modifing property name in __isset for + BP_VAR_IS). (Laruence) . Fixed bug #75368 (mmap/munmap trashing on unlucky allocations). (Nikita, Dmitry) diff --git a/Zend/tests/bug75420.phpt b/Zend/tests/bug75420.phpt new file mode 100644 index 00000000000..890fbe5ad59 --- /dev/null +++ b/Zend/tests/bug75420.phpt @@ -0,0 +1,15 @@ +--TEST-- +Bug #75420 (Crash when modifing property name in __isset for BP_VAR_IS) +--FILE-- +$name ?? 12); +?> +--EXPECT-- diff --git a/Zend/zend_object_handlers.c b/Zend/zend_object_handlers.c index 9ce9f1df1ac..22455b9254d 100644 --- a/Zend/zend_object_handlers.c +++ b/Zend/zend_object_handlers.c @@ -510,6 +510,7 @@ zval *zend_std_read_property(zval *object, zval *member, int type, void **cache_ zval tmp_member; zval *retval; uint32_t property_offset; + zend_long *guard = NULL; zobj = Z_OBJ_P(object); @@ -545,7 +546,7 @@ zval *zend_std_read_property(zval *object, zval *member, int type, void **cache_ /* magic isset */ if ((type == BP_VAR_IS) && zobj->ce->__isset) { zval tmp_object, tmp_result; - zend_long *guard = zend_get_property_guard(zobj, Z_STR_P(member)); + guard = zend_get_property_guard(zobj, Z_STR_P(member)); if (!((*guard) & IN_ISSET)) { ZVAL_COPY(&tmp_object, object); @@ -569,7 +570,9 @@ zval *zend_std_read_property(zval *object, zval *member, int type, void **cache_ /* magic get */ if (zobj->ce->__get) { - zend_long *guard = zend_get_property_guard(zobj, Z_STR_P(member)); + if (guard == NULL) { + guard = zend_get_property_guard(zobj, Z_STR_P(member)); + } if (!((*guard) & IN_GET)) { zval tmp_object;