php/archived-php-src
1
0
Fork 0
mirror of https://github.com/php/php-src.git synced 2026-04-25 17:08:14 +02:00
Code Issues Packages Projects Releases Wiki Activity

Fixed bug #49866 (Making reference on string offsets crashes PHP)

Browse Source
This commit is contained in:
Dmitry Stogov
2009-12-07 08:47:18 +00:00
parent ebc6dc19d0
commit ee04ea7935
3 changed files with 21 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files
Zend/tests/bug49866.phpt
+10
View File
@@ -0,0 +1,10 @@
--TEST--
Bug #49866 (Making reference on string offsets crashes PHP)
--FILE--
<?php
$a = "string";
$b = &$a[1];
$b = "f";
echo $a;
--EXPECTF--
Fatal error: Cannot create references to/from string offsets nor overloaded objects in %sbug49866.php on line 3
Zend/zend_vm_def.h
+1 -1
View File
@@ -1137,7 +1137,7 @@ ZEND_VM_HANDLER(84, ZEND_FETCH_DIM_W, VAR|CV, CONST|TMP|VAR|UNUSED|CV)
FREE_OP1_VAR_PTR();
/* We are going to assign the result by reference */
if (opline->extended_value) {
if (opline->extended_value && EX_T(opline->result.u.var).var.ptr_ptr) {
Z_DELREF_PP(EX_T(opline->result.u.var).var.ptr_ptr);
SEPARATE_ZVAL_TO_MAKE_IS_REF(EX_T(opline->result.u.var).var.ptr_ptr);
Z_ADDREF_PP(EX_T(opline->result.u.var).var.ptr_ptr);
Zend/zend_vm_execute.h
+10 -10
View File
@@ -10257,7 +10257,7 @@ static int ZEND_FASTCALL ZEND_FETCH_DIM_W_SPEC_VAR_CONST_HANDLER(ZEND_OPCODE_HA
if (free_op1.var) {zval_ptr_dtor(&free_op1.var);};
/* We are going to assign the result by reference */
if (opline->extended_value) {
if (opline->extended_value && EX_T(opline->result.u.var).var.ptr_ptr) {
Z_DELREF_PP(EX_T(opline->result.u.var).var.ptr_ptr);
SEPARATE_ZVAL_TO_MAKE_IS_REF(EX_T(opline->result.u.var).var.ptr_ptr);
Z_ADDREF_PP(EX_T(opline->result.u.var).var.ptr_ptr);
@@ -12170,7 +12170,7 @@ static int ZEND_FASTCALL ZEND_FETCH_DIM_W_SPEC_VAR_TMP_HANDLER(ZEND_OPCODE_HAND
if (free_op1.var) {zval_ptr_dtor(&free_op1.var);};
/* We are going to assign the result by reference */
if (opline->extended_value) {
if (opline->extended_value && EX_T(opline->result.u.var).var.ptr_ptr) {
Z_DELREF_PP(EX_T(opline->result.u.var).var.ptr_ptr);
SEPARATE_ZVAL_TO_MAKE_IS_REF(EX_T(opline->result.u.var).var.ptr_ptr);
Z_ADDREF_PP(EX_T(opline->result.u.var).var.ptr_ptr);
@@ -13988,7 +13988,7 @@ static int ZEND_FASTCALL ZEND_FETCH_DIM_W_SPEC_VAR_VAR_HANDLER(ZEND_OPCODE_HAND
if (free_op1.var) {zval_ptr_dtor(&free_op1.var);};
/* We are going to assign the result by reference */
if (opline->extended_value) {
if (opline->extended_value && EX_T(opline->result.u.var).var.ptr_ptr) {
Z_DELREF_PP(EX_T(opline->result.u.var).var.ptr_ptr);
SEPARATE_ZVAL_TO_MAKE_IS_REF(EX_T(opline->result.u.var).var.ptr_ptr);
Z_ADDREF_PP(EX_T(opline->result.u.var).var.ptr_ptr);
@@ -15394,7 +15394,7 @@ static int ZEND_FASTCALL ZEND_FETCH_DIM_W_SPEC_VAR_UNUSED_HANDLER(ZEND_OPCODE_H
if (free_op1.var) {zval_ptr_dtor(&free_op1.var);};
/* We are going to assign the result by reference */
if (opline->extended_value) {
if (opline->extended_value && EX_T(opline->result.u.var).var.ptr_ptr) {
Z_DELREF_PP(EX_T(opline->result.u.var).var.ptr_ptr);
SEPARATE_ZVAL_TO_MAKE_IS_REF(EX_T(opline->result.u.var).var.ptr_ptr);
Z_ADDREF_PP(EX_T(opline->result.u.var).var.ptr_ptr);
@@ -16455,7 +16455,7 @@ static int ZEND_FASTCALL ZEND_FETCH_DIM_W_SPEC_VAR_CV_HANDLER(ZEND_OPCODE_HANDL
if (free_op1.var) {zval_ptr_dtor(&free_op1.var);};
/* We are going to assign the result by reference */
if (opline->extended_value) {
if (opline->extended_value && EX_T(opline->result.u.var).var.ptr_ptr) {
Z_DELREF_PP(EX_T(opline->result.u.var).var.ptr_ptr);
SEPARATE_ZVAL_TO_MAKE_IS_REF(EX_T(opline->result.u.var).var.ptr_ptr);
Z_ADDREF_PP(EX_T(opline->result.u.var).var.ptr_ptr);
@@ -24637,7 +24637,7 @@ static int ZEND_FASTCALL ZEND_FETCH_DIM_W_SPEC_CV_CONST_HANDLER(ZEND_OPCODE_HAN
}
/* We are going to assign the result by reference */
if (opline->extended_value) {
if (opline->extended_value && EX_T(opline->result.u.var).var.ptr_ptr) {
Z_DELREF_PP(EX_T(opline->result.u.var).var.ptr_ptr);
SEPARATE_ZVAL_TO_MAKE_IS_REF(EX_T(opline->result.u.var).var.ptr_ptr);
Z_ADDREF_PP(EX_T(opline->result.u.var).var.ptr_ptr);
@@ -26369,7 +26369,7 @@ static int ZEND_FASTCALL ZEND_FETCH_DIM_W_SPEC_CV_TMP_HANDLER(ZEND_OPCODE_HANDL
}
/* We are going to assign the result by reference */
if (opline->extended_value) {
if (opline->extended_value && EX_T(opline->result.u.var).var.ptr_ptr) {
Z_DELREF_PP(EX_T(opline->result.u.var).var.ptr_ptr);
SEPARATE_ZVAL_TO_MAKE_IS_REF(EX_T(opline->result.u.var).var.ptr_ptr);
Z_ADDREF_PP(EX_T(opline->result.u.var).var.ptr_ptr);
@@ -28075,7 +28075,7 @@ static int ZEND_FASTCALL ZEND_FETCH_DIM_W_SPEC_CV_VAR_HANDLER(ZEND_OPCODE_HANDL
}
/* We are going to assign the result by reference */
if (opline->extended_value) {
if (opline->extended_value && EX_T(opline->result.u.var).var.ptr_ptr) {
Z_DELREF_PP(EX_T(opline->result.u.var).var.ptr_ptr);
SEPARATE_ZVAL_TO_MAKE_IS_REF(EX_T(opline->result.u.var).var.ptr_ptr);
Z_ADDREF_PP(EX_T(opline->result.u.var).var.ptr_ptr);
@@ -29368,7 +29368,7 @@ static int ZEND_FASTCALL ZEND_FETCH_DIM_W_SPEC_CV_UNUSED_HANDLER(ZEND_OPCODE_HA
}
/* We are going to assign the result by reference */
if (opline->extended_value) {
if (opline->extended_value && EX_T(opline->result.u.var).var.ptr_ptr) {
Z_DELREF_PP(EX_T(opline->result.u.var).var.ptr_ptr);
SEPARATE_ZVAL_TO_MAKE_IS_REF(EX_T(opline->result.u.var).var.ptr_ptr);
Z_ADDREF_PP(EX_T(opline->result.u.var).var.ptr_ptr);
@@ -30327,7 +30327,7 @@ static int ZEND_FASTCALL ZEND_FETCH_DIM_W_SPEC_CV_CV_HANDLER(ZEND_OPCODE_HANDLE
}
/* We are going to assign the result by reference */
if (opline->extended_value) {
if (opline->extended_value && EX_T(opline->result.u.var).var.ptr_ptr) {
Z_DELREF_PP(EX_T(opline->result.u.var).var.ptr_ptr);
SEPARATE_ZVAL_TO_MAKE_IS_REF(EX_T(opline->result.u.var).var.ptr_ptr);
Z_ADDREF_PP(EX_T(opline->result.u.var).var.ptr_ptr);