Skip to content

Commit cf4c4ee

Browse files
dstogovdstogov
committed
Merge branch 'PHP-7.4'
* PHP-7.4: Fixed bug #78531 (Crash when using undefined variable as object
2 parents 86a56f8 + 51d9f32 commit cf4c4ee

File tree

4 files changed

+59
-50
lines changed

4 files changed

+59
-50
lines changed

Zend/tests/bug78531.phpt

Lines changed: 18 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,18 @@
1+
--TEST--
2+
Bug #78531 (Crash when using undefined variable as object)
3+
--FILE--
4+
<?php
5+
@$u1->a += 5;
6+
var_dump($u1->a);
7+
@$x = ++$u2->a;
8+
var_dump($u2->a);
9+
@$x = $u3->a++;
10+
var_dump($u3->a);
11+
@$u4->a->a += 5;
12+
var_dump($u4->a->a);
13+
?>
14+
--EXPECT--
15+
int(5)
16+
int(1)
17+
int(1)
18+
int(5)

Zend/zend_execute.c

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -2734,7 +2734,7 @@ static zend_always_inline void zend_fetch_property_address(zval *result, zval *c
27342734
if (container_op_type == IS_CV
27352735
&& type != BP_VAR_W
27362736
&& UNEXPECTED(Z_TYPE_P(container) == IS_UNDEF)) {
2737-
container = ZVAL_UNDEFINED_OP1();
2737+
ZVAL_UNDEFINED_OP1();
27382738
}
27392739

27402740
/* this should modify object only if it's empty */

Zend/zend_vm_def.h

Lines changed: 4 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -1067,7 +1067,7 @@ ZEND_VM_HANDLER(28, ZEND_ASSIGN_OBJ_OP, VAR|UNUSED|THIS|CV, CONST|TMPVAR|CV, OP)
10671067
}
10681068
if (OP1_TYPE == IS_CV
10691069
&& UNEXPECTED(Z_TYPE_P(object) == IS_UNDEF)) {
1070-
object = ZVAL_UNDEFINED_OP1();
1070+
ZVAL_UNDEFINED_OP1();
10711071
}
10721072
object = make_real_object(object, property OPLINE_CC EXECUTE_DATA_CC);
10731073
if (UNEXPECTED(!object)) {
@@ -1253,7 +1253,6 @@ ZEND_VM_C_LABEL(assign_dim_op_new_array):
12531253
zend_binary_assign_op_obj_dim(container, dim OPLINE_CC EXECUTE_DATA_CC);
12541254
} else if (EXPECTED(Z_TYPE_P(container) <= IS_FALSE)) {
12551255
if (OP1_TYPE == IS_CV && UNEXPECTED(Z_TYPE_INFO_P(container) == IS_UNDEF)) {
1256-
ZVAL_NULL(container);
12571256
ZVAL_UNDEFINED_OP1();
12581257
}
12591258
ZVAL_ARR(container, zend_new_array(8));
@@ -1337,7 +1336,7 @@ ZEND_VM_HANDLER(132, ZEND_PRE_INC_OBJ, VAR|UNUSED|THIS|CV, CONST|TMPVAR|CV, CACH
13371336
}
13381337
if (OP1_TYPE == IS_CV
13391338
&& UNEXPECTED(Z_TYPE_P(object) == IS_UNDEF)) {
1340-
object = ZVAL_UNDEFINED_OP1();
1339+
ZVAL_UNDEFINED_OP1();
13411340
}
13421341
object = make_real_object(object, property OPLINE_CC EXECUTE_DATA_CC);
13431342
if (UNEXPECTED(!object)) {
@@ -1417,7 +1416,7 @@ ZEND_VM_HANDLER(134, ZEND_POST_INC_OBJ, VAR|UNUSED|THIS|CV, CONST|TMPVAR|CV, CAC
14171416
}
14181417
if (OP1_TYPE == IS_CV
14191418
&& UNEXPECTED(Z_TYPE_P(object) == IS_UNDEF)) {
1420-
object = ZVAL_UNDEFINED_OP1();
1419+
ZVAL_UNDEFINED_OP1();
14211420
}
14221421
object = make_real_object(object, property OPLINE_CC EXECUTE_DATA_CC);
14231422
if (UNEXPECTED(!object)) {
@@ -6233,7 +6232,7 @@ ZEND_VM_HANDLER(76, ZEND_UNSET_OBJ, VAR|UNUSED|THIS|CV, CONST|TMPVAR|CV, CACHE_S
62336232
if (Z_TYPE_P(container) != IS_OBJECT) {
62346233
if (OP1_TYPE == IS_CV
62356234
&& UNEXPECTED(Z_TYPE_P(container) == IS_UNDEF)) {
6236-
container = ZVAL_UNDEFINED_OP1();
6235+
ZVAL_UNDEFINED_OP1();
62376236
}
62386237
break;
62396238
}

0 commit comments

Comments
 (0)