Fixed bug #78531 (Crash when using undefined variable as object

dstogov · dstogov · commit 51d9f32dbeae · 2019-09-13T01:42:02.000+03:00
diff --git a/NEWS b/NEWS
@@ -2,6 +2,9 @@ PHP                                                                        NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 ?? ??? ????, PHP 7.4.0RC2
 
+- Core:
+  . Fixed bug #78531 (Crash when using undefined variable as object). (Dmitry)
+
 - FFI:
   . Added missing FFI::isNull(). (Philip Hofstetter)
   . Fixed bug #78488 (OOB in ZEND_FUNCTION(ffi_trampoline)). (Dmitry)
diff --git a/Zend/tests/bug78531.phpt b/Zend/tests/bug78531.phpt
@@ -0,0 +1,18 @@
+--TEST--
+Bug #78531 (Crash when using undefined variable as object)
+--FILE--
+<?php
+@$u1->a += 5;
+var_dump($u1->a);
+@$x = ++$u2->a;
+var_dump($u2->a);
+@$x = $u3->a++;
+var_dump($u3->a);
+@$u4->a->a += 5;
+var_dump($u4->a->a);
+?>
+--EXPECT--
+int(5)
+int(1)
+int(1)
+int(5)
diff --git a/Zend/zend_execute.c b/Zend/zend_execute.c
@@ -2760,7 +2760,7 @@ static zend_always_inline void zend_fetch_property_address(zval *result, zval *c
 			if (container_op_type == IS_CV
 			 && type != BP_VAR_W
 			 && UNEXPECTED(Z_TYPE_P(container) == IS_UNDEF)) {
-				container = ZVAL_UNDEFINED_OP1();
+				ZVAL_UNDEFINED_OP1();
 			}
 
 			/* this should modify object only if it's empty */
diff --git a/Zend/zend_vm_def.h b/Zend/zend_vm_def.h
@@ -1088,7 +1088,7 @@ ZEND_VM_HANDLER(28, ZEND_ASSIGN_OBJ_OP, VAR|UNUSED|THIS|CV, CONST|TMPVAR|CV, OP)
 			}
 			if (OP1_TYPE == IS_CV
 			 && UNEXPECTED(Z_TYPE_P(object) == IS_UNDEF)) {
-				object = ZVAL_UNDEFINED_OP1();
+				ZVAL_UNDEFINED_OP1();
 			}
 			object = make_real_object(object, property OPLINE_CC EXECUTE_DATA_CC);
 			if (UNEXPECTED(!object)) {
@@ -1263,7 +1263,6 @@ ZEND_VM_C_LABEL(assign_dim_op_new_array):
 			zend_binary_assign_op_obj_dim(container, dim OPLINE_CC EXECUTE_DATA_CC);
 		} else if (EXPECTED(Z_TYPE_P(container) <= IS_FALSE)) {
 			if (OP1_TYPE == IS_CV && UNEXPECTED(Z_TYPE_INFO_P(container) == IS_UNDEF)) {
-				ZVAL_NULL(container);
 				ZVAL_UNDEFINED_OP1();
 			}
 			ZVAL_ARR(container, zend_new_array(8));
@@ -1347,7 +1346,7 @@ ZEND_VM_HANDLER(132, ZEND_PRE_INC_OBJ, VAR|UNUSED|THIS|CV, CONST|TMPVAR|CV, CACH
 			}
 			if (OP1_TYPE == IS_CV
 			 && UNEXPECTED(Z_TYPE_P(object) == IS_UNDEF)) {
-				object = ZVAL_UNDEFINED_OP1();
+				ZVAL_UNDEFINED_OP1();
 			}
 			object = make_real_object(object, property OPLINE_CC EXECUTE_DATA_CC);
 			if (UNEXPECTED(!object)) {
@@ -1413,7 +1412,7 @@ ZEND_VM_HANDLER(134, ZEND_POST_INC_OBJ, VAR|UNUSED|THIS|CV, CONST|TMPVAR|CV, CAC
 			}
 			if (OP1_TYPE == IS_CV
 			 && UNEXPECTED(Z_TYPE_P(object) == IS_UNDEF)) {
-				object = ZVAL_UNDEFINED_OP1();
+				ZVAL_UNDEFINED_OP1();
 			}
 			object = make_real_object(object, property OPLINE_CC EXECUTE_DATA_CC);
 			if (UNEXPECTED(!object)) {
@@ -6249,7 +6248,7 @@ ZEND_VM_HANDLER(76, ZEND_UNSET_OBJ, VAR|UNUSED|THIS|CV, CONST|TMPVAR|CV, CACHE_S
 				if (Z_TYPE_P(container) != IS_OBJECT) {
 					if (OP1_TYPE == IS_CV
 					 && UNEXPECTED(Z_TYPE_P(container) == IS_UNDEF)) {
-						container = ZVAL_UNDEFINED_OP1();
+						ZVAL_UNDEFINED_OP1();
 					}
 					break;
 				}
diff --git a/Zend/zend_vm_execute.h b/Zend/zend_vm_execute.h

Original file line number	Diff line number	Diff line change
`@@ -2760,7 +2760,7 @@ static zend_always_inline void zend_fetch_property_address(zval result, zval c`
`2760`	`2760`	`if (container_op_type == IS_CV`
`2761`	`2761`	`&& type != BP_VAR_W`
`2762`	`2762`	`&& UNEXPECTED(Z_TYPE_P(container) == IS_UNDEF)) {`
`2763`		`- container = ZVAL_UNDEFINED_OP1();`
	`2763`	`+ ZVAL_UNDEFINED_OP1();`
`2764`	`2764`	`}`
`2765`	`2765`
`2766`	`2766`	`/* this should modify object only if it's empty */`
Original file line number	Diff line number	Diff line change
`@@ -1088,7 +1088,7 @@ ZEND_VM_HANDLER(28, ZEND_ASSIGN_OBJ_OP, VAR\|UNUSED\|THIS\|CV, CONST\|TMPVAR\|CV, OP)`
`1088`	`1088`	`}`
`1089`	`1089`	`if (OP1_TYPE == IS_CV`
`1090`	`1090`	`&& UNEXPECTED(Z_TYPE_P(object) == IS_UNDEF)) {`
`1091`		`- object = ZVAL_UNDEFINED_OP1();`
	`1091`	`+ ZVAL_UNDEFINED_OP1();`
`1092`	`1092`	`}`
`1093`	`1093`	`object = make_real_object(object, property OPLINE_CC EXECUTE_DATA_CC);`
`1094`	`1094`	`if (UNEXPECTED(!object)) {`
`@@ -1263,7 +1263,6 @@ ZEND_VM_C_LABEL(assign_dim_op_new_array):`
`1263`	`1263`	`zend_binary_assign_op_obj_dim(container, dim OPLINE_CC EXECUTE_DATA_CC);`
`1264`	`1264`	`} else if (EXPECTED(Z_TYPE_P(container) <= IS_FALSE)) {`
`1265`	`1265`	`if (OP1_TYPE == IS_CV && UNEXPECTED(Z_TYPE_INFO_P(container) == IS_UNDEF)) {`
`1266`		`- ZVAL_NULL(container);`
`1267`	`1266`	`ZVAL_UNDEFINED_OP1();`
`1268`	`1267`	`}`
`1269`	`1268`	`ZVAL_ARR(container, zend_new_array(8));`
`@@ -1347,7 +1346,7 @@ ZEND_VM_HANDLER(132, ZEND_PRE_INC_OBJ, VAR\|UNUSED\|THIS\|CV, CONST\|TMPVAR\|CV, CACH`
`1347`	`1346`	`}`
`1348`	`1347`	`if (OP1_TYPE == IS_CV`
`1349`	`1348`	`&& UNEXPECTED(Z_TYPE_P(object) == IS_UNDEF)) {`
`1350`		`- object = ZVAL_UNDEFINED_OP1();`
	`1349`	`+ ZVAL_UNDEFINED_OP1();`
`1351`	`1350`	`}`
`1352`	`1351`	`object = make_real_object(object, property OPLINE_CC EXECUTE_DATA_CC);`
`1353`	`1352`	`if (UNEXPECTED(!object)) {`
`@@ -1413,7 +1412,7 @@ ZEND_VM_HANDLER(134, ZEND_POST_INC_OBJ, VAR\|UNUSED\|THIS\|CV, CONST\|TMPVAR\|CV, CAC`
`1413`	`1412`	`}`
`1414`	`1413`	`if (OP1_TYPE == IS_CV`
`1415`	`1414`	`&& UNEXPECTED(Z_TYPE_P(object) == IS_UNDEF)) {`
`1416`		`- object = ZVAL_UNDEFINED_OP1();`
	`1415`	`+ ZVAL_UNDEFINED_OP1();`
`1417`	`1416`	`}`
`1418`	`1417`	`object = make_real_object(object, property OPLINE_CC EXECUTE_DATA_CC);`
`1419`	`1418`	`if (UNEXPECTED(!object)) {`
`@@ -6249,7 +6248,7 @@ ZEND_VM_HANDLER(76, ZEND_UNSET_OBJ, VAR\|UNUSED\|THIS\|CV, CONST\|TMPVAR\|CV, CACHE_S`
`6249`	`6248`	`if (Z_TYPE_P(container) != IS_OBJECT) {`
`6250`	`6249`	`if (OP1_TYPE == IS_CV`
`6251`	`6250`	`&& UNEXPECTED(Z_TYPE_P(container) == IS_UNDEF)) {`
`6252`		`- container = ZVAL_UNDEFINED_OP1();`
	`6251`	`+ ZVAL_UNDEFINED_OP1();`
`6253`	`6252`	`}`
`6254`	`6253`	`break;`
`6255`	`6254`	`}`