Merge branch 'PHP-7.4'

nikic · nikic · commit 74c438180665 · 2020-08-10T10:13:34.000+02:00
* PHP-7.4:
  Fixed bug #79947
diff --git a/Zend/tests/bug79947.phpt b/Zend/tests/bug79947.phpt
@@ -0,0 +1,17 @@
+--TEST--
+Bug #79947: Memory leak on invalid offset type in compound assignment
+--FILE--
+<?php
+$array = [];
+$key = [];
+try {
+    $array[$key] += [$key];
+} catch (TypeError $e) {
+    echo $e->getMessage(), "\n";
+}
+var_dump($array);
+?>
+--EXPECT--
+Illegal offset type
+array(0) {
+}
diff --git a/Zend/zend_execute.c b/Zend/zend_execute.c
@@ -2002,7 +2002,6 @@ static ZEND_COLD void zend_binary_assign_op_dim_slow(zval *container, zval *dim
 	} else {
 		zend_use_scalar_as_array();
 	}
-	FREE_OP((opline+1)->op1_type, (opline+1)->op1.var);
 }
 
 static zend_never_inline zend_uchar slow_index_convert(HashTable *ht, const zval *dim, zend_value *value EXECUTE_DATA_DC)
diff --git a/Zend/zend_vm_def.h b/Zend/zend_vm_def.h
@@ -1215,6 +1215,7 @@ ZEND_VM_C_LABEL(assign_dim_op_new_array):
 		} else {
 			zend_binary_assign_op_dim_slow(container, dim OPLINE_CC EXECUTE_DATA_CC);
 ZEND_VM_C_LABEL(assign_dim_op_ret_null):
+			FREE_OP_DATA();
 			if (UNEXPECTED(RETURN_VALUE_USED(opline))) {
 				ZVAL_NULL(EX_VAR(opline->result.var));
 			}
diff --git a/Zend/zend_vm_execute.h b/Zend/zend_vm_execute.h
@@ -21431,6 +21431,7 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_ASSIGN_DIM_OP_SPEC_VAR_CONST_H
 		} else {
 			zend_binary_assign_op_dim_slow(container, dim OPLINE_CC EXECUTE_DATA_CC);
 assign_dim_op_ret_null:
+			FREE_OP((opline+1)->op1_type, (opline+1)->op1.var);
 			if (UNEXPECTED(RETURN_VALUE_USED(opline))) {
 				ZVAL_NULL(EX_VAR(opline->result.var));
 			}
@@ -23976,6 +23977,7 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_ASSIGN_DIM_OP_SPEC_VAR_TMPVAR_
 		} else {
 			zend_binary_assign_op_dim_slow(container, dim OPLINE_CC EXECUTE_DATA_CC);
 assign_dim_op_ret_null:
+			FREE_OP((opline+1)->op1_type, (opline+1)->op1.var);
 			if (UNEXPECTED(RETURN_VALUE_USED(opline))) {
 				ZVAL_NULL(EX_VAR(opline->result.var));
 			}
@@ -26201,6 +26203,7 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_ASSIGN_DIM_OP_SPEC_VAR_UNUSED_
 		} else {
 			zend_binary_assign_op_dim_slow(container, dim OPLINE_CC EXECUTE_DATA_CC);
 assign_dim_op_ret_null:
+			FREE_OP((opline+1)->op1_type, (opline+1)->op1.var);
 			if (UNEXPECTED(RETURN_VALUE_USED(opline))) {
 				ZVAL_NULL(EX_VAR(opline->result.var));
 			}
@@ -27911,6 +27914,7 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_ASSIGN_DIM_OP_SPEC_VAR_CV_HAND
 		} else {
 			zend_binary_assign_op_dim_slow(container, dim OPLINE_CC EXECUTE_DATA_CC);
 assign_dim_op_ret_null:
+			FREE_OP((opline+1)->op1_type, (opline+1)->op1.var);
 			if (UNEXPECTED(RETURN_VALUE_USED(opline))) {
 				ZVAL_NULL(EX_VAR(opline->result.var));
 			}
@@ -38602,6 +38606,7 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_ASSIGN_DIM_OP_SPEC_CV_CONST_HA
 		} else {
 			zend_binary_assign_op_dim_slow(container, dim OPLINE_CC EXECUTE_DATA_CC);
 assign_dim_op_ret_null:
+			FREE_OP((opline+1)->op1_type, (opline+1)->op1.var);
 			if (UNEXPECTED(RETURN_VALUE_USED(opline))) {
 				ZVAL_NULL(EX_VAR(opline->result.var));
 			}
@@ -42214,6 +42219,7 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_ASSIGN_DIM_OP_SPEC_CV_TMPVAR_H
 		} else {
 			zend_binary_assign_op_dim_slow(container, dim OPLINE_CC EXECUTE_DATA_CC);
 assign_dim_op_ret_null:
+			FREE_OP((opline+1)->op1_type, (opline+1)->op1.var);
 			if (UNEXPECTED(RETURN_VALUE_USED(opline))) {
 				ZVAL_NULL(EX_VAR(opline->result.var));
 			}
@@ -45003,6 +45009,7 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_ASSIGN_DIM_OP_SPEC_CV_UNUSED_H
 		} else {
 			zend_binary_assign_op_dim_slow(container, dim OPLINE_CC EXECUTE_DATA_CC);
 assign_dim_op_ret_null:
+			FREE_OP((opline+1)->op1_type, (opline+1)->op1.var);
 			if (UNEXPECTED(RETURN_VALUE_USED(opline))) {
 				ZVAL_NULL(EX_VAR(opline->result.var));
 			}
@@ -47251,6 +47258,7 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_ASSIGN_DIM_OP_SPEC_CV_CV_HANDL
 		} else {
 			zend_binary_assign_op_dim_slow(container, dim OPLINE_CC EXECUTE_DATA_CC);
 assign_dim_op_ret_null:
+			FREE_OP((opline+1)->op1_type, (opline+1)->op1.var);
 			if (UNEXPECTED(RETURN_VALUE_USED(opline))) {
 				ZVAL_NULL(EX_VAR(opline->result.var));
 			}

Original file line number	Diff line number	Diff line change
`@@ -2002,7 +2002,6 @@ static ZEND_COLD void zend_binary_assign_op_dim_slow(zval container, zval dim`
`2002`	`2002`	`} else {`
`2003`	`2003`	`zend_use_scalar_as_array();`
`2004`	`2004`	`}`
`2005`		`- FREE_OP((opline+1)->op1_type, (opline+1)->op1.var);`
`2006`	`2005`	`}`
`2007`	`2006`
`2008`	`2007`	`static zend_never_inline zend_uchar slow_index_convert(HashTable ht, const zval dim, zend_value *value EXECUTE_DATA_DC)`
Original file line number	Diff line number	Diff line change
`@@ -1215,6 +1215,7 @@ ZEND_VM_C_LABEL(assign_dim_op_new_array):`
`1215`	`1215`	`} else {`
`1216`	`1216`	`zend_binary_assign_op_dim_slow(container, dim OPLINE_CC EXECUTE_DATA_CC);`
`1217`	`1217`	`ZEND_VM_C_LABEL(assign_dim_op_ret_null):`
	`1218`	`+ FREE_OP_DATA();`
`1218`	`1219`	`if (UNEXPECTED(RETURN_VALUE_USED(opline))) {`
`1219`	`1220`	`ZVAL_NULL(EX_VAR(opline->result.var));`
`1220`	`1221`	`}`