From c96a5bc6be99ff8a4c5dbc1ea3c04d8144bc47a9 Mon Sep 17 00:00:00 2001
From: Xinchen Hui
Date: Thu, 4 Apr 2013 14:34:11 +0800
Subject: [PATCH] Fixed bug #64578 (debug_backtrace in set_error_handler corrupts zend heap: segfault)
---
 NEWS | 3 +++
 Zend/tests/bug64578.phpt | 15 +++++++++++++++
 Zend/zend_execute.c | 7 ++++---
 3 files changed, 22 insertions(+), 3 deletions(-)
 create mode 100644 Zend/tests/bug64578.phpt
diff --git a/NEWS b/NEWS
index 18fe3e5c4a4..78390168fe9 100644
--- a/NEWS
+++ b/NEWS
@@ -2,6 +2,9 @@ PHP NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 ?? ??? 2013, PHP 5.3.25
+- Core:
+ . Fixed bug #64578 (debug_backtrace in set_error_handler corrupts zend heap:
+ segfault). (Laruence)
 ?? ??? 2013, PHP 5.3.24
diff --git a/Zend/tests/bug64578.phpt b/Zend/tests/bug64578.phpt
new file mode 100644
index 00000000000..65c51d94ffd
--- /dev/null
+++ b/Zend/tests/bug64578.phpt
@@ -0,0 +1,15 @@
+--TEST--
+Bug #64578 (debug_backtrace in set_error_handler corrupts zend heap: segfault)
+--FILE--
+--EXPECTF--
+Warning: Illegal offset type in %sbug64578.php on line %d
+string(1) "1"
diff --git a/Zend/zend_execute.c b/Zend/zend_execute.c
index de7cd4a4864..16dc08e5020 100644
--- a/Zend/zend_execute.c
+++ b/Zend/zend_execute.c
@@ -937,6 +937,10 @@ convert_to_array:
 zend_error_noreturn(E_ERROR, "[] operator not supported for strings");
 }
+ if (type != BP_VAR_UNSET) {
+ SEPARATE_ZVAL_IF_NOT_REF(container_ptr);
+ }
+
 if (Z_TYPE_P(dim) != IS_LONG) {
 switch(Z_TYPE_P(dim)) {
 /* case IS_LONG: */
@@ -956,9 +960,6 @@ convert_to_array:
 convert_to_long(&tmp);
 dim = &tmp;
 }
- if (type != BP_VAR_UNSET) {
- SEPARATE_ZVAL_IF_NOT_REF(container_ptr);
- }
 container = *container_ptr;
 result->str_offset.str = container;
 PZVAL_LOCK(container);
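Review bot: The reason `SEPARATE_ZVAL_IF_NOT_REF(container_ptr)` must now run before the dim-type switch is not stated anywhere in the new code, so a later tidy-up could move it back below the conversion and silently reintroduce the bug. The switch body lies between the two hunks and is not visible here, but the new test expects an "Illegal offset type" warning from this path, which suggests the conversion calls `zend_error()` and can re-enter user code through an error handler (the debug_backtrace in the bug title); separating the container before that callout appears to be what the fix relies on. I would put a comment above the moved block: `/* Separate before converting dim: the conversion may raise a warning that calls back into user code (bug #64578), and the container must already be separated when that happens. */`. A residual concern, inferred rather than visible: `container = *container_ptr;` after the switch re-reads the slot after any such callout, so if a handler reassigns or unsets that variable the value stored in `str_offset` is whatever the handler left there — worth confirming that callers guarantee the slot still holds a string at that point. The enclosing function starts before the first hunk and continues past the second.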