Fix ZEND_SEPARATE for by-val func returning ref zval

2024-11-27 11:53:33 +08:00 · 2016-04-12 14:39:05 +02:00 · 2016-04-12 14:39:05 +02:00 · 4e585eb429
commit 4e585eb429
parent 6a2eee520a
3 changed files with 31 additions and 0 deletions
--- a/Zend/tests/modify_isref_value_return.phpt
+++ b/Zend/tests/modify_isref_value_return.phpt
@ -0,0 +1,25 @@
+--TEST--
+Indirect modification of isref by-value return value not possible
+--FILE--
+<?php
+
+class A {
+    public $b;
+}
+
+$arr = [];
+
+$a = new A;
+$a->b =& $arr;
+
+(new ReflectionProperty('A', 'b'))->getValue($a)[] = 42;
+
+var_dump($a);
+
+?>
+--EXPECT--
+object(A)#1 (1) {
+  ["b"]=>
+  &array(0) {
+  }
+}
--- a/Zend/zend_vm_def.h
+++ b/Zend/zend_vm_def.h
@ -7301,6 +7301,9 @@ ZEND_VM_HANDLER(156, ZEND_SEPARATE, VAR, UNUSED)
 	if (UNEXPECTED(Z_ISREF_P(var_ptr))) {
 		if (UNEXPECTED(Z_REFCOUNT_P(var_ptr) == 1)) {
 			ZVAL_UNREF(var_ptr);
+		} else if (!(Z_VAR_FLAGS_P(var_ptr) & IS_VAR_RET_REF)) {
+			Z_DELREF_P(var_ptr);
+			ZVAL_COPY(var_ptr, Z_REFVAL_P(var_ptr));
 		}
 	}

--- a/Zend/zend_vm_execute.h
+++ b/Zend/zend_vm_execute.h
@ -19509,6 +19509,9 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_SEPARATE_SPEC_VAR_UNUSED_HANDL
 	if (UNEXPECTED(Z_ISREF_P(var_ptr))) {
 		if (UNEXPECTED(Z_REFCOUNT_P(var_ptr) == 1)) {
 			ZVAL_UNREF(var_ptr);
+		} else if (!(Z_VAR_FLAGS_P(var_ptr) & IS_VAR_RET_REF)) {
+			Z_DELREF_P(var_ptr);
+			ZVAL_COPY(var_ptr, Z_REFVAL_P(var_ptr));
 		}
 	}