Fixed bug #75420 (Crash when modifing property name in __isset for BP…

…_VAR_IS)
php · Oct 26, 2017 · d204750 · d204750
1 parent 578ba71
commit d204750
Show file tree

Hide file tree

Showing 3 changed files with 22 additions and 2 deletions.
diff --git a/NEWS b/NEWS
@@ -3,6 +3,8 @@ PHP                                                                        NEWS
 ?? ??? 2017 PHP 7.0.26
 
 - Core:
+  . Fixed bug #75420 (Crash when modifing property name in __isset for
+    BP_VAR_IS). (Laruence)
   . Fixed bug #75368 (mmap/munmap trashing on unlucky allocations). (Nikita,
     Dmitry)
 

diff --git a/Zend/tests/bug75420.phpt b/Zend/tests/bug75420.phpt
@@ -0,0 +1,15 @@
+--TEST--
+Bug #75420 (Crash when modifing property name in __isset for BP_VAR_IS)
+--FILE--
+<?php
+
+class Test {
+	public function __isset($x) { $GLOBALS["name"] = 24; return true; }
+public function __get($x) { var_dump($x); return 42; }
+}
+
+$obj = new Test;
+$name = "foo";
+var_dump($obj->$name ?? 12);
+?>
+--EXPECT--
diff --git a/Zend/zend_object_handlers.c b/Zend/zend_object_handlers.c
@@ -510,6 +510,7 @@ zval *zend_std_read_property(zval *object, zval *member, int type, void **cache_
 	zval tmp_member;
 	zval *retval;
 	uint32_t property_offset;
+	zend_long *guard = NULL;
 
 	zobj = Z_OBJ_P(object);
 
@@ -545,7 +546,7 @@ zval *zend_std_read_property(zval *object, zval *member, int type, void **cache_
 	/* magic isset */
 	if ((type == BP_VAR_IS) && zobj->ce->__isset) {
 		zval tmp_object, tmp_result;
-		zend_long *guard = zend_get_property_guard(zobj, Z_STR_P(member));
+		guard = zend_get_property_guard(zobj, Z_STR_P(member));
 
 		if (!((*guard) & IN_ISSET)) {
 			ZVAL_COPY(&tmp_object, object);
@@ -569,7 +570,9 @@ zval *zend_std_read_property(zval *object, zval *member, int type, void **cache_
 
 	/* magic get */
 	if (zobj->ce->__get) {
-		zend_long *guard = zend_get_property_guard(zobj, Z_STR_P(member));
+		if (guard == NULL) {
+			guard = zend_get_property_guard(zobj, Z_STR_P(member));
+		}
 		if (!((*guard) & IN_GET)) {
 			zval tmp_object;