Merge branch 'PHP-8.0' into PHP-8.1

* PHP-8.0: Fix yet another indirect string modification by error handler problem
2026-04-13 02:52:48 +02:00 · 2021-12-02 16:17:26 +03:00
parent b9ff359a99 94286cd596
commit ddcfffad2c
2 changed files with 26 additions and 0 deletions
--- a/Zend/tests/str_offset_008.phpt
+++ b/Zend/tests/str_offset_008.phpt
@@ -0,0 +1,18 @@
+--TEST--
+string offset 008 indirect string modification by error handler
+--FILE--
+<?php
+set_error_handler(function($code, $msg) {
+    echo "Err: $msg\n";
+    $GLOBALS['a']=8;
+});
+$z = "z";
+$a=["xx$z"];
+var_dump($a[0][$b]);
+var_dump($a);
+?>
+--EXPECT--
+Err: Undefined variable $b
+Err: String offset cast occurred
+string(1) "x"
+int(8)
--- a/ext/opcache/jit/zend_jit_helpers.c
+++ b/ext/opcache/jit/zend_jit_helpers.c
@@ -833,7 +833,15 @@ static zend_string* ZEND_FASTCALL zend_jit_fetch_dim_str_r_helper(zend_string *s
 	zend_long offset;

 	if (UNEXPECTED(Z_TYPE_P(dim) != IS_LONG)) {
+		if (!(GC_FLAGS(str) & IS_STR_INTERNED)) {
+			GC_ADDREF(str);
+		}
 		offset = zend_check_string_offset(dim/*, BP_VAR_R*/);
+		if (!(GC_FLAGS(str) & IS_STR_INTERNED) && UNEXPECTED(GC_DELREF(str) == 0)) {
+			zend_string *ret = zend_jit_fetch_dim_str_offset(str, offset);
+			zend_string_efree(str);
+			return ret;
+		}
 	} else {
 		offset = Z_LVAL_P(dim);
 	}