| Dmitry Stogov 2006-10-30, 7:02 pm |
| dmitry Mon Oct 30 11:04:47 2006 UTC
Modified files:
/ZendEngine2 zend_vm_def.h zend_vm_execute.h
/ZendEngine2/tests bug39304.phpt
Log:
Fixed bug #39304 (Segmentation fault with list unpacking of string offset)
http://cvs.php.net/viewvc.cgi/ZendE...9&diff_format=u
Index: ZendEngine2/zend_vm_def.h
diff -u ZendEngine2/zend_vm_def.h:1.148 ZendEngine2/zend_vm_def.h:1.149
--- ZendEngine2/zend_vm_def.h:1.148 Wed Oct 18 16:34:25 2006
+++ ZendEngine2/zend_vm_def.h Mon Oct 30 11:04:47 2006
@@ -18,7 +18,7 @@
+----------------------------------------------------------------------+
*/
-/* $Id: zend_vm_def.h,v 1.148 2006/10/18 16:34:25 johannes Exp $ */
+/* $Id: zend_vm_def.h,v 1.149 2006/10/30 11:04:47 dmitry Exp $ */
/* If you change this file, please regenerate the zend_vm_execute.h and
* zend_vm_opcodes.h files by running:
@@ -1055,7 +1055,9 @@
zend_free_op free_op1, free_op2;
zval *dim = GET_OP2_ZVAL_PTR(BP_VAR_R);
- if (opline->extended_value == ZEND_FETCH_ADD_LOCK && OP1_TYPE != IS_CV) {
+ if (opline->extended_value == ZEND_FETCH_ADD_LOCK &&
+ OP1_TYPE != IS_CV &&
+ EX_T(opline->op1.u.var).var.ptr_ptr) {
PZVAL_LOCK(*EX_T(opline->op1.u.var).var.ptr_ptr);
}
zend_fetch_dimension_address(RETURN_VALU
E_UNUSED(&opline->result)?NULL:&EX_T(opline->result.u.var), GET_OP1_ZVAL_PTR_PTR(BP_VAR_R), dim, IS_OP2_TMP_FREE(), BP_VAR_R TSRMLS_CC);
http://cvs.php.net/viewvc.cgi/ZendE...3&diff_format=u
Index: ZendEngine2/zend_vm_execute.h
diff -u ZendEngine2/zend_vm_execute.h:1.152 ZendEngine2/zend_vm_execute.h:1.153
--- ZendEngine2/zend_vm_execute.h:1.152 Wed Oct 18 16:34:25 2006
+++ ZendEngine2/zend_vm_execute.h Mon Oct 30 11:04:47 2006
@@ -9030,7 +9030,9 @@
zend_free_op free_op1;
zval *dim = &opline->op2.u.constant;
- if (opline->extended_value == ZEND_FETCH_ADD_LOCK && IS_VAR != IS_CV) {
+ if (opline->extended_value == ZEND_FETCH_ADD_LOCK &&
+ IS_VAR != IS_CV &&
+ EX_T(opline->op1.u.var).var.ptr_ptr) {
PZVAL_LOCK(*EX_T(opline->op1.u.var).var.ptr_ptr);
}
zend_fetch_dimension_address(RETURN_VALU
E_UNUSED(&opline->result)?NULL:&EX_T(opline->result.u.var), _get_zval_ptr_ptr_var(&opline->op1, EX(Ts), &free_op1 TSRMLS_CC), dim, 0, BP_VAR_R TSRMLS_CC);
@@ -10567,7 +10569,9 @@
zend_free_op free_op1, free_op2;
zval *dim = _get_zval_ptr_tmp(&opline->op2, EX(Ts), &free_op2 TSRMLS_CC);
- if (opline->extended_value == ZEND_FETCH_ADD_LOCK && IS_VAR != IS_CV) {
+ if (opline->extended_value == ZEND_FETCH_ADD_LOCK &&
+ IS_VAR != IS_CV &&
+ EX_T(opline->op1.u.var).var.ptr_ptr) {
PZVAL_LOCK(*EX_T(opline->op1.u.var).var.ptr_ptr);
}
zend_fetch_dimension_address(RETURN_VALU
E_UNUSED(&opline->result)?NULL:&EX_T(opline->result.u.var), _get_zval_ptr_ptr_var(&opline->op1, EX(Ts), &free_op1 TSRMLS_CC), dim, 1, BP_VAR_R TSRMLS_CC);
@@ -12107,7 +12111,9 @@
zend_free_op free_op1, free_op2;
zval *dim = _get_zval_ptr_var(&opline->op2, EX(Ts), &free_op2 TSRMLS_CC);
- if (opline->extended_value == ZEND_FETCH_ADD_LOCK && IS_VAR != IS_CV) {
+ if (opline->extended_value == ZEND_FETCH_ADD_LOCK &&
+ IS_VAR != IS_CV &&
+ EX_T(opline->op1.u.var).var.ptr_ptr) {
PZVAL_LOCK(*EX_T(opline->op1.u.var).var.ptr_ptr);
}
zend_fetch_dimension_address(RETURN_VALU
E_UNUSED(&opline->result)?NULL:&EX_T(opline->result.u.var), _get_zval_ptr_ptr_var(&opline->op1, EX(Ts), &free_op1 TSRMLS_CC), dim, 0, BP_VAR_R TSRMLS_CC);
@@ -14120,7 +14126,9 @@
zend_free_op free_op1;
zval *dim = _get_zval_ptr_cv(&opline->op2, EX(Ts), BP_VAR_R TSRMLS_CC);
- if (opline->extended_value == ZEND_FETCH_ADD_LOCK && IS_VAR != IS_CV) {
+ if (opline->extended_value == ZEND_FETCH_ADD_LOCK &&
+ IS_VAR != IS_CV &&
+ EX_T(opline->op1.u.var).var.ptr_ptr) {
PZVAL_LOCK(*EX_T(opline->op1.u.var).var.ptr_ptr);
}
zend_fetch_dimension_address(RETURN_VALU
E_UNUSED(&opline->result)?NULL:&EX_T(opline->result.u.var), _get_zval_ptr_ptr_var(&opline->op1, EX(Ts), &free_op1 TSRMLS_CC), dim, 0, BP_VAR_R TSRMLS_CC);
@@ -21416,7 +21424,9 @@
zval *dim = &opline->op2.u.constant;
- if (opline->extended_value == ZEND_FETCH_ADD_LOCK && IS_CV != IS_CV) {
+ if (opline->extended_value == ZEND_FETCH_ADD_LOCK &&
+ IS_CV != IS_CV &&
+ EX_T(opline->op1.u.var).var.ptr_ptr) {
PZVAL_LOCK(*EX_T(opline->op1.u.var).var.ptr_ptr);
}
zend_fetch_dimension_address(RETURN_VALU
E_UNUSED(&opline->result)?NULL:&EX_T(opline->result.u.var), _get_zval_ptr_ptr_cv(&opline->op1, EX(Ts), BP_VAR_R TSRMLS_CC), dim, 0, BP_VAR_R TSRMLS_CC);
@@ -22945,7 +22955,9 @@
zend_free_op free_op2;
zval *dim = _get_zval_ptr_tmp(&opline->op2, EX(Ts), &free_op2 TSRMLS_CC);
- if (opline->extended_value == ZEND_FETCH_ADD_LOCK && IS_CV != IS_CV) {
+ if (opline->extended_value == ZEND_FETCH_ADD_LOCK &&
+ IS_CV != IS_CV &&
+ EX_T(opline->op1.u.var).var.ptr_ptr) {
PZVAL_LOCK(*EX_T(opline->op1.u.var).var.ptr_ptr);
}
zend_fetch_dimension_address(RETURN_VALU
E_UNUSED(&opline->result)?NULL:&EX_T(opline->result.u.var), _get_zval_ptr_ptr_cv(&opline->op1, EX(Ts), BP_VAR_R TSRMLS_CC), dim, 1, BP_VAR_R TSRMLS_CC);
@@ -24477,7 +24489,9 @@
zend_free_op free_op2;
zval *dim = _get_zval_ptr_var(&opline->op2, EX(Ts), &free_op2 TSRMLS_CC);
- if (opline->extended_value == ZEND_FETCH_ADD_LOCK && IS_CV != IS_CV) {
+ if (opline->extended_value == ZEND_FETCH_ADD_LOCK &&
+ IS_CV != IS_CV &&
+ EX_T(opline->op1.u.var).var.ptr_ptr) {
PZVAL_LOCK(*EX_T(opline->op1.u.var).var.ptr_ptr);
}
zend_fetch_dimension_address(RETURN_VALU
E_UNUSED(&opline->result)?NULL:&EX_T(opline->result.u.var), _get_zval_ptr_ptr_cv(&opline->op1, EX(Ts), BP_VAR_R TSRMLS_CC), dim, 0, BP_VAR_R TSRMLS_CC);
@@ -26480,7 +26494,9 @@
zval *dim = _get_zval_ptr_cv(&opline->op2, EX(Ts), BP_VAR_R TSRMLS_CC);
- if (opline->extended_value == ZEND_FETCH_ADD_LOCK && IS_CV != IS_CV) {
+ if (opline->extended_value == ZEND_FETCH_ADD_LOCK &&
+ IS_CV != IS_CV &&
+ EX_T(opline->op1.u.var).var.ptr_ptr) {
PZVAL_LOCK(*EX_T(opline->op1.u.var).var.ptr_ptr);
}
zend_fetch_dimension_address(RETURN_VALU
E_UNUSED(&opline->result)?NULL:&EX_T(opline->result.u.var), _get_zval_ptr_ptr_cv(&opline->op1, EX(Ts), BP_VAR_R TSRMLS_CC), dim, 0, BP_VAR_R TSRMLS_CC);
http://cvs.php.net/viewvc.cgi/ZendE...2&diff_format=u
Index: ZendEngine2/tests/bug39304.phpt
diff -u /dev/null ZendEngine2/tests/bug39304.phpt:1.2
--- /dev/null Mon Oct 30 11:04:47 2006
+++ ZendEngine2/tests/bug39304.phpt Mon Oct 30 11:04:47 2006
@@ -0,0 +1,9 @@
+--TEST--
+Bug #39304 (Segmentation fault with list unpacking of string offset)
+--FILE--
+<?php
+ $s = "";
+ list($a, $b) = $s[0];
+?>
+--EXPECTF--
+Fatal error: Cannot use string offset as an array in %sbug39304.php on line 3
|