Fix Foo::${42} and similar

Fixes segfault on direct use, segfault on opcache evaluated use, leak on temporary use. Fixes analogeous segfault for ${42} on opcache eval as well.
2024-11-24 10:24:11 +08:00 · 2015-12-10 18:12:59 +01:00 · 2015-12-10 18:12:59 +01:00 · 37f3425263
commit 37f3425263
parent a19f511345
5 changed files with 89 additions and 0 deletions
--- a/Zend/tests/int_static_prop_name.phpt
+++ b/Zend/tests/int_static_prop_name.phpt
@ -0,0 +1,43 @@
+--TEST--
+Using an integer as a static property name
+--FILE--
+<?php
+
+class Foo {
+    public static $bar = 42;
+}
+
+$n = 42;
+
+${42} = 24;
+var_dump(${42});
+var_dump(${(int) 42});
+var_dump(${(int) $n});
+
+try {
+    var_dump(Foo::${42});
+} catch (Error $e) {
+    echo $e->getMessage(), "\n";
+}
+
+try {
+    var_dump(Foo::${(int) 42});
+} catch (Error $e) {
+    echo $e->getMessage(), "\n";
+}
+
+try {
+    var_dump(Foo::${(int) $n});
+} catch (Error $e) {
+    echo $e->getMessage(), "\n";
+}
+
+?>
+--EXPECT--
+int(24)
+int(24)
+int(24)
+Access to undeclared static property: Foo::$42
+Access to undeclared static property: Foo::$42
+Access to undeclared static property: Foo::$42
+
--- a/Zend/zend_compile.c
+++ b/Zend/zend_compile.c
@ -2379,6 +2379,7 @@ zend_op *zend_compile_static_prop_common(znode *result, zend_ast *ast, uint32_t
 		opline = zend_emit_op(result, ZEND_FETCH_R, &prop_node, NULL);
 	}
 	if (opline->op1_type == IS_CONST) {
+		convert_to_string(CT_CONSTANT(opline->op1));
 		zend_alloc_polymorphic_cache_slot(opline->op1.constant);
 	}
 	if (class_node.op_type == IS_CONST) {
--- a/Zend/zend_vm_def.h
+++ b/Zend/zend_vm_def.h
@ -1537,6 +1537,9 @@ ZEND_VM_HELPER_EX(zend_fetch_var_address_helper, CONST|TMPVAR|CV, UNUSED|CONST|V
 		}
 		retval = zend_std_get_static_property(ce, name, 0);
 		if (UNEXPECTED(EG(exception))) {
+			if (OP1_TYPE != IS_CONST) {
+				zend_string_release(name);
+			}
 			FREE_OP1();
 			HANDLE_EXCEPTION();
 		}
--- a/Zend/zend_vm_execute.h
+++ b/Zend/zend_vm_execute.h
@ -4996,6 +4996,9 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL zend_fetch_var_address_helper_SPEC_
 		}
 		retval = zend_std_get_static_property(ce, name, 0);
 		if (UNEXPECTED(EG(exception))) {
+			if (IS_CONST != IS_CONST) {
+				zend_string_release(name);
+			}

 			HANDLE_EXCEPTION();
 		}
@ -6912,6 +6915,9 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL zend_fetch_var_address_helper_SPEC_
 		}
 		retval = zend_std_get_static_property(ce, name, 0);
 		if (UNEXPECTED(EG(exception))) {
+			if (IS_CONST != IS_CONST) {
+				zend_string_release(name);
+			}

 			HANDLE_EXCEPTION();
 		}
@ -7415,6 +7421,9 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL zend_fetch_var_address_helper_SPEC_
 		}
 		retval = zend_std_get_static_property(ce, name, 0);
 		if (UNEXPECTED(EG(exception))) {
+			if (IS_CONST != IS_CONST) {
+				zend_string_release(name);
+			}

 			HANDLE_EXCEPTION();
 		}
@ -31013,6 +31022,9 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL zend_fetch_var_address_helper_SPEC_
 		}
 		retval = zend_std_get_static_property(ce, name, 0);
 		if (UNEXPECTED(EG(exception))) {
+			if (IS_CV != IS_CONST) {
+				zend_string_release(name);
+			}

 			HANDLE_EXCEPTION();
 		}
@ -33221,6 +33233,9 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL zend_fetch_var_address_helper_SPEC_
 		}
 		retval = zend_std_get_static_property(ce, name, 0);
 		if (UNEXPECTED(EG(exception))) {
+			if (IS_CV != IS_CONST) {
+				zend_string_release(name);
+			}

 			HANDLE_EXCEPTION();
 		}
@ -34165,6 +34180,9 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL zend_fetch_var_address_helper_SPEC_
 		}
 		retval = zend_std_get_static_property(ce, name, 0);
 		if (UNEXPECTED(EG(exception))) {
+			if (IS_CV != IS_CONST) {
+				zend_string_release(name);
+			}

 			HANDLE_EXCEPTION();
 		}
@ -41357,6 +41375,9 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL zend_fetch_var_address_helper_SPEC_
 		}
 		retval = zend_std_get_static_property(ce, name, 0);
 		if (UNEXPECTED(EG(exception))) {
+			if ((IS_TMP_VAR|IS_VAR) != IS_CONST) {
+				zend_string_release(name);
+			}
 			zval_ptr_dtor_nogc(free_op1);
 			HANDLE_EXCEPTION();
 		}
@ -42345,6 +42366,9 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL zend_fetch_var_address_helper_SPEC_
 		}
 		retval = zend_std_get_static_property(ce, name, 0);
 		if (UNEXPECTED(EG(exception))) {
+			if ((IS_TMP_VAR|IS_VAR) != IS_CONST) {
+				zend_string_release(name);
+			}
 			zval_ptr_dtor_nogc(free_op1);
 			HANDLE_EXCEPTION();
 		}
@ -42753,6 +42777,9 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL zend_fetch_var_address_helper_SPEC_
 		}
 		retval = zend_std_get_static_property(ce, name, 0);
 		if (UNEXPECTED(EG(exception))) {
+			if ((IS_TMP_VAR|IS_VAR) != IS_CONST) {
+				zend_string_release(name);
+			}
 			zval_ptr_dtor_nogc(free_op1);
 			HANDLE_EXCEPTION();
 		}
--- a/ext/opcache/Optimizer/zend_optimizer.c
+++ b/ext/opcache/Optimizer/zend_optimizer.c
@ -175,6 +175,21 @@ int zend_optimizer_update_op1_const(zend_op_array *op_array,
 			op_array->cache_size += sizeof(void*);
 			zend_optimizer_add_literal_string(op_array, zend_string_tolower(Z_STR_P(val)));
 			break;
+		case ZEND_FETCH_R:
+		case ZEND_FETCH_W:
+		case ZEND_FETCH_RW:
+		case ZEND_FETCH_IS:
+		case ZEND_FETCH_UNSET:
+		case ZEND_FETCH_FUNC_ARG:
+			TO_STRING_NOWARN(val);
+			ZEND_OP1_TYPE(opline) = IS_CONST;
+			opline->op1.constant = zend_optimizer_add_literal(op_array, val);
+			zend_string_hash_val(Z_STR(ZEND_OP1_LITERAL(opline)));
+			if (opline->extended_value == ZEND_FETCH_STATIC_MEMBER) {
+				Z_CACHE_SLOT(op_array->literals[opline->op1.constant]) = op_array->cache_size;
+				op_array->cache_size += 2 * sizeof(void*);
+			}
+			break;
 		case ZEND_CONCAT:
 		case ZEND_FAST_CONCAT:
 			TO_STRING_NOWARN(val);