Patch bug-70182.patch for Reproducible crash Bug #70182
Patch version 2015-08-02 08:12 UTC
Developer: hugh@allthethings.co.nz
Author: Hugh Davenport <hugh@allthethings.co.nz>
Date: Sun Aug 2 03:50:38 2015 -0400
Fixed bug #70182 (Mem out-of-bounds write (segfault) in ZEND_ASSIGN_DIV_SPEC_CV_UNUSED_HANDLER)
diff --git a/Zend/tests/bug70182.phpt b/Zend/tests/bug70182.phpt
new file mode 100644
index 0000000..5f11bd8
--- /dev/null
+++ b/Zend/tests/bug70182.phpt
@@ -0,0 +1,11 @@
+--TEST--
+Bug #70182 (Mem out-of-bounds write (segfault) in ZEND_ASSIGN_DIV_SPEC_CV_UNUSED_HANDLER)
+--FILE--
+<?php
+$a[]/=$a=a
+?>
+--EXPECTF--
+Fatal error: Uncaught Error: [] operator not supported for strings in %sbug70182.php:2
+Stack trace:
+#0 {main}
+ thrown in %sbug70182.php on line 2
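Review bot: The reproducer on line 2 of the test (`$a[]/=$a=a`) is still in its fuzzer-minimised form and relies on the bare constant `a` falling back to the string "a". With the test runner's usual full error reporting that fallback likely emits an undefined-constant notice, which the EXPECTF section does not list. Making the string explicit keeps the test pinned to the `[]`-on-string path only, for example `$a = "a";` followed by `$a[] /= 1;`, with the expected location changed to `%sbug70182.php:3` and `on line 3`. Because the fix sits in a shared fetch path rather than in the division handler, a second case with another compound operator (such as `.=` or `+=`) would presumably be worth adding.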
diff --git a/Zend/zend_execute.c b/Zend/zend_execute.c
index 065809f..8f7bd0d 100644
--- a/Zend/zend_execute.c
+++ b/Zend/zend_execute.c
@@ -1687,7 +1687,7 @@ convert_to_array:
if (dim == NULL) {
zend_throw_error(NULL, "[] operator not supported for strings");
- ZVAL_NULL(result);
+ ZVAL_INDIRECT(result, &EG(error_zval)); /* ZEND_ASSIGN_DIV_SPEC_CV_UNUSED_HANDLER assumes an INDIRECT zvalue on return */
} else {
zend_check_string_offset(dim, type);
ZVAL_INDIRECT(result, NULL); /* wrong string offset */
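Review bot: The added `ZVAL_INDIRECT(result, &EG(error_zval))` in the `dim == NULL` branch hands callers a pointer to the executor-wide error zval, so any caller that writes through `Z_INDIRECT_P(result)` must first compare it with `&EG(error_zval)`, or the shared sentinel is modified instead of a crash occurring. That check is not visible here, since the enclosing function and its callers lie outside the hunk, so it should be confirmed for every compound-assignment handler that reaches this path and not only the division one named in the comment. The `else` branch directly below still returns `ZVAL_INDIRECT(result, NULL)`, leaving callers two different failure sentinels to handle; a comment stating which one means what would help. I would also replace the trailing comment with the contract rather than one caller's name, e.g. `/* error already thrown; callers dereference Z_INDIRECT(result), so return the error_zval sentinel, not IS_NULL */`.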