diff options
Diffstat (limited to 'php-bug75573.patch')
| -rw-r--r-- | php-bug75573.patch | 107 |
1 files changed, 107 insertions, 0 deletions
diff --git a/php-bug75573.patch b/php-bug75573.patch new file mode 100644 index 0000000..46cf095 --- /dev/null +++ b/php-bug75573.patch @@ -0,0 +1,107 @@ +From 3b9ba7b6bd9e24bdbeca8e8e3f24cee2fccc51d8 Mon Sep 17 00:00:00 2001 +From: Xinchen Hui <laruence@gmail.com> +Date: Wed, 29 Nov 2017 14:46:21 +0800 +Subject: [PATCH] Fixed bug #75573 (Segmentation fault in 7.1.12 and 7.0.26) + +--- + NEWS | 1 + + Zend/tests/bug75573.phpt | 64 +++++++++++++++++++++++++++++++++++++++++++++ + Zend/zend_object_handlers.c | 10 +++---- + 3 files changed, 69 insertions(+), 6 deletions(-) + create mode 100644 Zend/tests/bug75573.phpt + +diff --git a/Zend/tests/bug75573.phpt b/Zend/tests/bug75573.phpt +new file mode 100644 +index 0000000..476ff6e +--- /dev/null ++++ b/Zend/tests/bug75573.phpt +@@ -0,0 +1,64 @@ ++--TEST-- ++Bug #75573 (Segmentation fault in 7.1.12 and 7.0.26) ++--FILE-- ++<?php ++ ++class A ++{ ++ var $_stdObject; ++ function initialize($properties = FALSE) { ++ $this->_stdObject = $properties ? (object) $properties : new stdClass(); ++ parent::initialize(); ++ } ++ function &__get($property) ++ { ++ if (isset($this->_stdObject->{$property})) { ++ $retval =& $this->_stdObject->{$property}; ++ return $retval; ++ } else { ++ return NULL; ++ } ++ } ++ function &__set($property, $value) ++ { ++ return $this->_stdObject->{$property} = $value; ++ } ++ function __isset($property_name) ++ { ++ return isset($this->_stdObject->{$property_name}); ++ } ++} ++ ++class B extends A ++{ ++ function initialize($properties = array()) ++ { ++ parent::initialize($properties); ++ } ++ function &__get($property) ++ { ++ if (isset($this->settings) && isset($this->settings[$property])) { ++ $retval =& $this->settings[$property]; ++ return $retval; ++ } else { ++ return parent::__get($property); ++ } ++ } ++} ++ ++$b = new B(); ++$b->settings = [ "foo" => "bar", "name" => "abc" ]; ++var_dump($b->name); ++var_dump($b->settings); ++?> ++--EXPECTF-- ++Warning: Creating default object from empty value in %sbug75573.php on line %d ++ ++Notice: Only variable references should be returned by reference in %sbug75573.php on line %d ++string(3) "abc" ++array(2) { ++ ["foo"]=> ++ string(3) "bar" ++ ["name"]=> ++ string(3) "abc" ++} +diff --git a/Zend/zend_object_handlers.c b/Zend/zend_object_handlers.c +index 10045b5..d9ebd84 100644 +--- a/Zend/zend_object_handlers.c ++++ b/Zend/zend_object_handlers.c +@@ -668,13 +668,11 @@ zval *zend_std_read_property(zval *object, zval *member, int type, void **cache_ + } + zval_ptr_dtor(&tmp_object); + goto exit; +- } else { ++ } else if (Z_STRVAL_P(member)[0] == '\0' && Z_STRLEN_P(member) != 0) { + zval_ptr_dtor(&tmp_object); +- if (Z_STRVAL_P(member)[0] == '\0' && Z_STRLEN_P(member) != 0) { +- zend_throw_error(NULL, "Cannot access property started with '\\0'"); +- retval = &EG(uninitialized_zval); +- goto exit; +- } ++ zend_throw_error(NULL, "Cannot access property started with '\\0'"); ++ retval = &EG(uninitialized_zval); ++ goto exit; + } + } + +-- +2.1.4 + |