Fixed bug #77844

We should probably return an integer result from the operation in
typed mode, right now the result is always a string.

NEWS

@@ -30,6 +30,8 @@ PHP                                                                        NEWS
 - Standard:
   . Fixed bug #77680 (recursive mkdir on ftp stream wrapper is incorrect).
     (Vlad Temian)
+  . Fixed bug #77844 (Crash due to null pointer in parse_ini_string with
+    INI_SCANNER_TYPED). (Nikita)
 
 04 Apr 2019, PHP 7.2.17
 

Zend/zend_ini_parser.y

@@ -48,6 +48,22 @@ int ini_parse(void);
 
 #define ZEND_SYSTEM_INI CG(ini_parser_unbuffered_errors)
 
+static int get_int_val(zval *op) {
+	switch (Z_TYPE_P(op)) {
+		case IS_LONG:
+			return Z_LVAL_P(op);
+		case IS_DOUBLE:
+			return (int)Z_DVAL_P(op);
+		case IS_STRING:
+		{
+			int val = atoi(Z_STRVAL_P(op));
+			zend_string_free(Z_STR_P(op));
+			return val;
+		}
+		EMPTY_SWITCH_DEFAULT_CASE()
+	}
+}
+
 /* {{{ zend_ini_do_op()
 */
 static void zend_ini_do_op(char type, zval *result, zval *op1, zval *op2)
@@ -57,22 +73,8 @@ static void zend_ini_do_op(char type, zval *result, zval *op1, zval *op2)
 	int str_len;
 	char str_result[MAX_LENGTH_OF_LONG+1];
 
-	if (IS_LONG == Z_TYPE_P(op1)) {
-		i_op1 = Z_LVAL_P(op1);
-	} else {
-		i_op1 = atoi(Z_STRVAL_P(op1));
-		zend_string_free(Z_STR_P(op1));
-	}
-	if (op2) {
-		if (IS_LONG == Z_TYPE_P(op2)) {
-			i_op2 = Z_LVAL_P(op2);
-		} else {
-			i_op2 = atoi(Z_STRVAL_P(op2));
-			zend_string_free(Z_STR_P(op2));
-		}
-	} else {
-		i_op2 = 0;
-	}
+	i_op1 = get_int_val(op1);
+	i_op2 = op2 ? get_int_val(op2) : 0;
 
 	switch (type) {
 		case '|':

ext/standard/tests/general_functions/bug77844.phpt

@@ -0,0 +1,19 @@
+--TEST--
+Bug #77844: Crash due to null pointer in parse_ini_string with INI_SCANNER_TYPED
+--FILE--
+<?php
+
+$ini = <<<INI
+val1=3.7&2
+val2=2&3.7
+INI;
+var_dump(parse_ini_string($ini, true, INI_SCANNER_TYPED));
+
+?>
+--EXPECT--
+array(2) {
+  ["val1"]=>
+  string(1) "2"
+  ["val2"]=>
+  string(1) "2"
+}