php-bug-75573.patch

   1 commit 3b9ba7b6bd9e24bdbeca8e8e3f24cee2fccc51d8
   2 Author: Xinchen Hui <laruence@gmail.com>
   3 Date:   Wed Nov 29 14:46:21 2017 +0800
   4
   5     Fixed bug #75573 (Segmentation fault in 7.1.12 and 7.0.26)
   6
   7 diff --git a/Zend/tests/bug75573.phpt b/Zend/tests/bug75573.phpt
   8 new file mode 100644
   9 index 0000000000..476ff6e6cf
  10 --- /dev/null
  11 +++ b/Zend/tests/bug75573.phpt
  12 @@ -0,0 +1,64 @@
  13 +--TEST--
  14 +Bug #75573 (Segmentation fault in 7.1.12 and 7.0.26)
  15 +--FILE--
  16 +<?php
  17 +
  18 +class A
  19 +{
  20 +       var $_stdObject;
  21 +       function initialize($properties = FALSE) {
  22 +               $this->_stdObject = $properties ? (object) $properties : new stdClass();
  23 +               parent::initialize();
  24 +       }
  25 +       function &__get($property)
  26 +       {
  27 +               if (isset($this->_stdObject->{$property})) {
  28 +                       $retval =& $this->_stdObject->{$property};
  29 +                       return $retval;
  30 +               } else {
  31 +                       return NULL;
  32 +               }
  33 +       }
  34 +       function &__set($property, $value)
  35 +       {
  36 +               return $this->_stdObject->{$property} = $value;
  37 +       }
  38 +       function __isset($property_name)
  39 +       {
  40 +               return isset($this->_stdObject->{$property_name});
  41 +       }
  42 +}
  43 +
  44 +class B extends A
  45 +{
  46 +       function initialize($properties = array())
  47 +       {
  48 +               parent::initialize($properties);
  49 +       }
  50 +       function &__get($property)
  51 +       {
  52 +               if (isset($this->settings) && isset($this->settings[$property])) {
  53 +                       $retval =& $this->settings[$property];
  54 +                       return $retval;
  55 +               } else {
  56 +                       return parent::__get($property);
  57 +               }
  58 +       }
  59 +}
  60 +
  61 +$b = new B();
  62 +$b->settings = [ "foo" => "bar", "name" => "abc" ];
  63 +var_dump($b->name);
  64 +var_dump($b->settings);
  65 +?>
  66 +--EXPECTF--
  67 +Warning: Creating default object from empty value in %sbug75573.php on line %d
  68 +
  69 +Notice: Only variable references should be returned by reference in %sbug75573.php on line %d
  70 +string(3) "abc"
  71 +array(2) {
  72 +  ["foo"]=>
  73 +  string(3) "bar"
  74 +  ["name"]=>
  75 +  string(3) "abc"
  76 +}
  77 diff --git a/Zend/zend_object_handlers.c b/Zend/zend_object_handlers.c
  78 index 10045b53f1..d9ebd842eb 100644
  79 --- a/Zend/zend_object_handlers.c
  80 +++ b/Zend/zend_object_handlers.c
  81 @@ -668,13 +668,11 @@ zval *zend_std_read_property(zval *object, zval *member, int type, void **cache_
  82                         }
  83                         zval_ptr_dtor(&tmp_object);
  84                         goto exit;
  85 -               } else {
  86 +               } else if (Z_STRVAL_P(member)[0] == '\0' && Z_STRLEN_P(member) != 0) {
  87                         zval_ptr_dtor(&tmp_object);
  88 -                       if (Z_STRVAL_P(member)[0] == '\0' && Z_STRLEN_P(member) != 0) {
  89 -                               zend_throw_error(NULL, "Cannot access property started with '\\0'");
  90 -                               retval = &EG(uninitialized_zval);
  91 -                               goto exit;
  92 -                       }
  93 +                       zend_throw_error(NULL, "Cannot access property started with '\\0'");
  94 +                       retval = &EG(uninitialized_zval);
  95 +                       goto exit;
  96                 }
  97         }
  98