Fixed bug #71300 (Segfault in zend_fetch_string_offset)

2025-01-23 04:04:16 +08:00 · 2016-01-07 07:05:17 -08:00 · 2016-01-07 07:05:17 -08:00 · 16a2b47394
commit 16a2b47394
parent 83cb751047
3 changed files with 36 additions and 3 deletions
--- a/1
+++ b/1
@ -3,6 +3,7 @@ PHP                                                                        NEWS
 ?? ??? 2016 PHP 7.0.3

 - Core:
+  . Fixed bug #71300 (Segfault in zend_fetch_string_offset). (Laruence)
  . Fixed bug #71221 (Null pointer deref (segfault) in get_defined_vars via
    ob_start). (hugh at allthethings dot co dot nz)
  . Fixed bug #71201 (round() segfault on 64-bit builds). (Anatol)
--- a/Zend/tests/bug71300.phpt
+++ b/Zend/tests/bug71300.phpt
@ -0,0 +1,28 @@
+--TEST--
+Bug #71300 (Segfault in zend_fetch_string_offset)
+--FILE--
+<?php
+function test1() {
+	for ($n = 'a'; $n < 'g'; $n++) {
+		$$n = 1;
+	}
+	$$n = $$n[++$n] = "test";
+	return $$n;
+}
+
+var_dump(test1());
+
+function test2() {
+    /* See #71303 for why not using for loop here */
+	$n = "a";
+	$$n .= $$n[++$n] = "test";
+	return $$n;
+}
+
+var_dump(test2());
+?>
+--EXPECTF--
+string(4) "test"
+
+Notice: Array to string conversion in %sbug71300.php on line %d
+string(9) "Arraytest"
--- a/Zend/zend_compile.c
+++ b/Zend/zend_compile.c
@ -1999,7 +1999,7 @@ static zend_op *zend_delayed_compile_end(uint32_t offset) /* {{{ */
 	zend_op *opline = NULL, *oplines = zend_stack_base(&CG(delayed_oplines_stack));
 	uint32_t i, count = zend_stack_count(&CG(delayed_oplines_stack));

-	ZEND_ASSERT(count > offset);
+	ZEND_ASSERT(count >= offset);
 	for (i = offset; i < count; ++i) {
 		opline = get_next_op(CG(active_op_array));
 		memcpy(opline, &oplines[i], sizeof(zend_op));
@ -2535,8 +2535,10 @@ void zend_compile_assign(znode *result, zend_ast *ast) /* {{{ */
 	switch (var_ast->kind) {
 		case ZEND_AST_VAR:
 		case ZEND_AST_STATIC_PROP:
-			zend_compile_var(&var_node, var_ast, BP_VAR_W);
+			offset = zend_delayed_compile_begin();
+			zend_delayed_compile_var(&var_node, var_ast, BP_VAR_W);
 			zend_compile_expr(&expr_node, expr_ast);
+			zend_delayed_compile_end(offset);
 			zend_emit_op(result, ZEND_ASSIGN, &var_node, &expr_node);
 			return;
 		case ZEND_AST_DIM:
@ -2634,8 +2636,10 @@ void zend_compile_compound_assign(znode *result, zend_ast *ast) /* {{{ */
 	switch (var_ast->kind) {
 		case ZEND_AST_VAR:
 		case ZEND_AST_STATIC_PROP:
-			zend_compile_var(&var_node, var_ast, BP_VAR_RW);
+			offset = zend_delayed_compile_begin();
+			zend_delayed_compile_var(&var_node, var_ast, BP_VAR_RW);
 			zend_compile_expr(&expr_node, expr_ast);
+			zend_delayed_compile_end(offset);
 			zend_emit_op(result, opcode, &var_node, &expr_node);
 			return;
 		case ZEND_AST_DIM: