Fixed bug #75573 (Segmentation fault in 7.1.12 and 7.0.26)

php · Nov 29, 2017 · 3b9ba7b · 3b9ba7b
1 parent 6ed242d
commit 3b9ba7b
Show file tree

Hide file tree

Showing 3 changed files with 69 additions and 6 deletions.
diff --git a/NEWS b/NEWS
@@ -3,6 +3,7 @@ PHP                                                                        NEWS
 ?? ??? 2017, PHP 7.1.13
 
 - Core:
+  . Fixed bug #75573 (Segmentation fault in 7.1.12 and 7.0.26). (Laruence)
   . Fixed bug #75384 (PHP seems incompatible with OneDrive files on demand).
     (Anatol)
   . Fixed bug #74862 (Unable to clone instance when private __clone defined).

diff --git a/Zend/tests/bug75573.phpt b/Zend/tests/bug75573.phpt
@@ -0,0 +1,64 @@
+--TEST--
+Bug #75573 (Segmentation fault in 7.1.12 and 7.0.26)
+--FILE--
+<?php
+
+class A
+{
+	var $_stdObject;
+	function initialize($properties = FALSE) {
+		$this->_stdObject = $properties ? (object) $properties : new stdClass();
+		parent::initialize();
+	}
+	function &__get($property)
+	{
+		if (isset($this->_stdObject->{$property})) {
+			$retval =& $this->_stdObject->{$property};
+			return $retval;
+		} else {
+			return NULL;
+		}
+	}
+	function &__set($property, $value)
+	{
+		return $this->_stdObject->{$property} = $value;
+	}
+	function __isset($property_name)
+	{
+		return isset($this->_stdObject->{$property_name});
+	}
+}
+
+class B extends A
+{
+	function initialize($properties = array())
+	{
+		parent::initialize($properties);
+	}
+	function &__get($property)
+	{
+		if (isset($this->settings) && isset($this->settings[$property])) {
+			$retval =& $this->settings[$property];
+			return $retval;
+		} else {
+			return parent::__get($property);
+		}
+	}
+}
+
+$b = new B();
+$b->settings = [ "foo" => "bar", "name" => "abc" ];
+var_dump($b->name);
+var_dump($b->settings);
+?>
+--EXPECTF--
+Warning: Creating default object from empty value in %sbug75573.php on line %d
+
+Notice: Only variable references should be returned by reference in %sbug75573.php on line %d
+string(3) "abc"
+array(2) {
+  ["foo"]=>
+  string(3) "bar"
+  ["name"]=>
+  string(3) "abc"
+}
diff --git a/Zend/zend_object_handlers.c b/Zend/zend_object_handlers.c
@@ -668,13 +668,11 @@ zval *zend_std_read_property(zval *object, zval *member, int type, void **cache_
 			}
 			zval_ptr_dtor(&tmp_object);
 			goto exit;
-		} else {
+		} else if (Z_STRVAL_P(member)[0] == '\0' && Z_STRLEN_P(member) != 0) {
 			zval_ptr_dtor(&tmp_object);
-			if (Z_STRVAL_P(member)[0] == '\0' && Z_STRLEN_P(member) != 0) {
-				zend_throw_error(NULL, "Cannot access property started with '\\0'");
-				retval = &EG(uninitialized_zval);
-				goto exit;
-			}
+			zend_throw_error(NULL, "Cannot access property started with '\\0'");
+			retval = &EG(uninitialized_zval);
+			goto exit;
 		}
 	}