php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Return to Bug #70182
Patch bug-70182.patch revision 2015-08-02 08:12 UTC by hugh at allthethings dot co dot nz

Patch bug-70182.patch for Reproducible crash Bug #70182

Patch version 2015-08-02 08:12 UTC

Return to Bug #70182 | Download this patch
Patch Revisions:

Developer: hugh@allthethings.co.nz

Author: Hugh Davenport <hugh@allthethings.co.nz>
Date:   Sun Aug 2 03:50:38 2015 -0400

    Fixed bug #70182 (Mem out-of-bounds write (segfault) in ZEND_ASSIGN_DIV_SPEC_CV_UNUSED_HANDLER)

diff --git a/Zend/tests/bug70182.phpt b/Zend/tests/bug70182.phpt
new file mode 100644
index 0000000..5f11bd8
--- /dev/null
+++ b/Zend/tests/bug70182.phpt
@@ -0,0 +1,11 @@
+--TEST--
+Bug #70182 (Mem out-of-bounds write (segfault) in ZEND_ASSIGN_DIV_SPEC_CV_UNUSED_HANDLER)
+--FILE--
+<?php
+$a[]/=$a=a
+?>
+--EXPECTF--
+Fatal error: Uncaught Error: [] operator not supported for strings in %sbug70182.php:2
+Stack trace:
+#0 {main}
+  thrown in %sbug70182.php on line 2
diff --git a/Zend/zend_execute.c b/Zend/zend_execute.c
index 065809f..8f7bd0d 100644
--- a/Zend/zend_execute.c
+++ b/Zend/zend_execute.c
@@ -1687,7 +1687,7 @@ convert_to_array:
 
                if (dim == NULL) {
                        zend_throw_error(NULL, "[] operator not supported for strings");
-                       ZVAL_NULL(result);
+                       ZVAL_INDIRECT(result, &EG(error_zval)); /* ZEND_ASSIGN_DIV_SPEC_CV_UNUSED_HANDLER assumes an INDIRECT zvalue on return */
                } else {
                        zend_check_string_offset(dim, type);
                        ZVAL_INDIRECT(result, NULL); /* wrong string offset */
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Wed Oct 09 10:01:27 2024 UTC