Fixed bug #76534 (PHP hangs on 'illegal string offset on string references with an error handler)

Author: laruence

NEWS

@@ -3,6 +3,8 @@ PHP                                                                        NEWS
 ?? ??? ????, PHP 7.1.20
 
 - Core:
+  . Fixed bug #76534 (PHP hangs on 'illegal string offset on string references
+    with an error handler). (Laruence)
   . Fixed bug #76502 (Chain of mixed exceptions and errors does not serialize
     properly). (Nikita)
 

Zend/tests/bug76534.phpt

@@ -0,0 +1,17 @@
+--TEST--
+Bug #76534 (PHP hangs on 'illegal string offset on string references with an error handler)
+--FILE--
+<?php
+set_error_handler(function ($severity, $message, $file, $line) {
+	throw new \Exception($message);
+});
+
+$x = "foo";
+$y = &$x["bar"];
+?>
+--EXPECTF--
+Fatal error: Uncaught Exception: Illegal string offset 'bar' in %sbug76534.php:%d
+Stack trace:
+#0 %sbug76534.php(%d): {closure}(2, 'Illegal string ...', '%s', %d, Array)
+#1 {main}
+  thrown in %sbug76534.php on line %d

Zend/zend_execute.c

@@ -1700,7 +1700,9 @@ static zend_always_inline void zend_fetch_dimension_address(zval *result, zval *
 			zend_throw_error(NULL, "[] operator not supported for strings");
 		} else {
 			zend_check_string_offset(dim, type);
-			zend_wrong_string_offset();
+			if (EXPECTED(EG(exception) == NULL)) {
+				zend_wrong_string_offset();
+			}
 		}
 		ZVAL_ERROR(result);
 	} else if (EXPECTED(Z_TYPE_P(container) == IS_OBJECT)) {

Zend/zend_vm_def.h

@@ -891,7 +891,9 @@ ZEND_VM_C_LABEL(assign_dim_op_convert_to_array):
 					zend_throw_error(NULL, "[] operator not supported for strings");
 				} else {
 					zend_check_string_offset(dim, BP_VAR_RW);
-					zend_wrong_string_offset();
+					if (EXPECTED(EG(exception) == NULL)) {
+						zend_wrong_string_offset();
+					}
 				}
 			} else if (EXPECTED(Z_TYPE_P(container) <= IS_FALSE)) {
 				ZEND_VM_C_GOTO(assign_dim_op_convert_to_array);

Zend/zend_vm_execute.h

@@ -17596,7 +17596,9 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL zend_binary_assign_op_dim_helper_SP
 					zend_throw_error(NULL, "[] operator not supported for strings");
 				} else {
 					zend_check_string_offset(dim, BP_VAR_RW);
-					zend_wrong_string_offset();
+					if (EXPECTED(EG(exception) == NULL)) {
+						zend_wrong_string_offset();
+					}
 				}
 			} else if (EXPECTED(Z_TYPE_P(container) <= IS_FALSE)) {
 				goto assign_dim_op_convert_to_array;
@@ -21014,7 +21016,9 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL zend_binary_assign_op_dim_helper_SP
 					zend_throw_error(NULL, "[] operator not supported for strings");
 				} else {
 					zend_check_string_offset(dim, BP_VAR_RW);
-					zend_wrong_string_offset();
+					if (EXPECTED(EG(exception) == NULL)) {
+						zend_wrong_string_offset();
+					}
 				}
 			} else if (EXPECTED(Z_TYPE_P(container) <= IS_FALSE)) {
 				goto assign_dim_op_convert_to_array;
@@ -22385,7 +22389,9 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL zend_binary_assign_op_dim_helper_SP
 					zend_throw_error(NULL, "[] operator not supported for strings");
 				} else {
 					zend_check_string_offset(dim, BP_VAR_RW);
-					zend_wrong_string_offset();
+					if (EXPECTED(EG(exception) == NULL)) {
+						zend_wrong_string_offset();
+					}
 				}
 			} else if (EXPECTED(Z_TYPE_P(container) <= IS_FALSE)) {
 				goto assign_dim_op_convert_to_array;
@@ -25330,7 +25336,9 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL zend_binary_assign_op_dim_helper_SP
 					zend_throw_error(NULL, "[] operator not supported for strings");
 				} else {
 					zend_check_string_offset(dim, BP_VAR_RW);
-					zend_wrong_string_offset();
+					if (EXPECTED(EG(exception) == NULL)) {
+						zend_wrong_string_offset();
+					}
 				}
 			} else if (EXPECTED(Z_TYPE_P(container) <= IS_FALSE)) {
 				goto assign_dim_op_convert_to_array;
@@ -37055,7 +37063,9 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL zend_binary_assign_op_dim_helper_SP
 					zend_throw_error(NULL, "[] operator not supported for strings");
 				} else {
 					zend_check_string_offset(dim, BP_VAR_RW);
-					zend_wrong_string_offset();
+					if (EXPECTED(EG(exception) == NULL)) {
+						zend_wrong_string_offset();
+					}
 				}
 			} else if (EXPECTED(Z_TYPE_P(container) <= IS_FALSE)) {
 				goto assign_dim_op_convert_to_array;
@@ -41665,7 +41675,9 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL zend_binary_assign_op_dim_helper_SP
 					zend_throw_error(NULL, "[] operator not supported for strings");
 				} else {
 					zend_check_string_offset(dim, BP_VAR_RW);
-					zend_wrong_string_offset();
+					if (EXPECTED(EG(exception) == NULL)) {
+						zend_wrong_string_offset();
+					}
 				}
 			} else if (EXPECTED(Z_TYPE_P(container) <= IS_FALSE)) {
 				goto assign_dim_op_convert_to_array;
@@ -44149,7 +44161,9 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL zend_binary_assign_op_dim_helper_SP
 					zend_throw_error(NULL, "[] operator not supported for strings");
 				} else {
 					zend_check_string_offset(dim, BP_VAR_RW);
-					zend_wrong_string_offset();
+					if (EXPECTED(EG(exception) == NULL)) {
+						zend_wrong_string_offset();
+					}
 				}
 			} else if (EXPECTED(Z_TYPE_P(container) <= IS_FALSE)) {
 				goto assign_dim_op_convert_to_array;
@@ -48220,7 +48234,9 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL zend_binary_assign_op_dim_helper_SP
 					zend_throw_error(NULL, "[] operator not supported for strings");
 				} else {
 					zend_check_string_offset(dim, BP_VAR_RW);
-					zend_wrong_string_offset();
+					if (EXPECTED(EG(exception) == NULL)) {
+						zend_wrong_string_offset();
+					}
 				}
 			} else if (EXPECTED(Z_TYPE_P(container) <= IS_FALSE)) {
 				goto assign_dim_op_convert_to_array;