Saner numeric string handling for string offsets

Author: Girgias

Zend/tests/bug24773.phpt

@@ -6,7 +6,7 @@ Bug #24773 (unset() of integers treated as arrays causes a crash)
     unset($array["lvl1"]["lvl2"]["b"]);
 ?>
 --EXPECTF--
-Fatal error: Uncaught Error: Cannot use string offset as an array in %s:%d
+Fatal error: Uncaught TypeError: Illegal offset type in %s:%d
 Stack trace:
 #0 {main}
   thrown in %s on line %d

Zend/tests/bug31098.phpt

@@ -17,16 +17,28 @@ var_dump(isset($a['b']));
 
 $simpleString = "Bogus String Text";
 echo isset($simpleString->wrong)?"bug\n":"ok\n";
-echo isset($simpleString["wrong"])?"bug\n":"ok\n";
+try {
+    echo isset($simpleString["wrong"])?"bug\n":"ok\n";
+} catch (\TypeError $e) {
+    echo $e->getMessage() . \PHP_EOL;
+}
 echo isset($simpleString[-20])?"bug\n":"ok\n";
 echo isset($simpleString[0])?"ok\n":"bug\n";
 echo isset($simpleString["0"])?"ok\n":"bug\n";
 echo isset($simpleString["16"])?"ok\n":"bug\n";
 echo isset($simpleString["17"])?"bug\n":"ok\n";
 echo $simpleString->wrong === null?"ok\n":"bug\n";
-echo $simpleString["wrong"] === "B"?"ok\n":"bug\n";
+try {
+    echo $simpleString["wrong"] === "B"?"ok\n":"bug\n";
+} catch (\TypeError $e) {
+    echo $e->getMessage() . \PHP_EOL;
+}
 echo $simpleString["0"] === "B"?"ok\n":"bug\n";
-$simpleString["wrong"] = "f";
+try {
+    $simpleString["wrong"] = "f";
+} catch (\TypeError $e) {
+    echo $e->getMessage() . \PHP_EOL;
+}
 echo $simpleString["0"] === "f"?"ok\n":"bug\n";
 ?>
 --EXPECTF--
@@ -46,10 +58,7 @@ ok
 
 Warning: Attempt to read property "wrong" on string in %s on line %d
 ok
-
-Warning: Illegal string offset "wrong" in %s on line %d
-ok
+Illegal offset type
 ok
-
-Warning: Illegal string offset "wrong" in %s on line %d
+Illegal offset type
 ok

Zend/tests/bug53432.phpt

@@ -16,7 +16,11 @@ var_dump($str[-1] = 'a');
 var_dump($str);
 
 $str = '';
-var_dump($str['foo'] = 'a');
+try {
+    var_dump($str['foo'] = 'a');
+} catch (\TypeError $e) {
+    echo $e->getMessage() . \PHP_EOL;
+}
 var_dump($str);
 
 $str = '';
@@ -53,9 +57,7 @@ string(6) "     a"
 Warning: Illegal string offset -1 in %s on line %d
 NULL
 string(0) ""
-
-Warning: Illegal string offset "foo" in %s on line %d
-string(1) "a"
+Illegal offset type
 string(1) "a"
 Error: [] operator not supported for strings
 string(0) ""

Zend/tests/bug64578.phpt

@@ -5,10 +5,10 @@ Bug #64578 (debug_backtrace in set_error_handler corrupts zend heap: segfault)
 
 set_error_handler(function($no, $err) { var_dump($err); });
 
-function x($s) { $s['a'] = 1; };
+function x($s) { $s['2a'] = 1; };
 $y = '1';
 x($y);
 print_r($y);
 --EXPECT--
-string(25) "Illegal string offset "a""
+string(26) "Illegal string offset "2a""
 1

Zend/tests/bug73792.phpt

@@ -4,15 +4,15 @@ Bug #73792 (invalid foreach loop hangs script)
 <?php
 $a = 'aaa';
 
-foreach ($a['bbb'] as &$value) {
+foreach ($a['2bbb'] as &$value) {
     echo 'loop';
 }
 
 unset($value);
 echo 'done';
 ?>
 --EXPECTF--
-Warning: Illegal string offset "bbb" in %s on line %d
+Warning: Illegal string offset "2bbb" in %s on line %d
 
 Fatal error: Uncaught Error: Cannot iterate on string offsets by reference in %sbug73792.php:4
 Stack trace:

Zend/tests/bug76534.phpt

@@ -7,10 +7,10 @@ set_error_handler(function ($severity, $message, $file, $line) {
 });
 
 $x = "foo";
-$y = &$x["bar"];
+$y = &$x["2bar"];
 ?>
 --EXPECTF--
-Fatal error: Uncaught Exception: Illegal string offset "bar" in %s:%d
+Fatal error: Uncaught Exception: Illegal string offset "2bar" in %s:%d
 Stack trace:
 #0 %sbug76534.php(%d): {closure}(2, 'Illegal string ...', '%s', %d)
 #1 {main}

Zend/tests/const_dereference_002.phpt

@@ -6,12 +6,12 @@ error_reporting(E_ALL);
 
 var_dump("foobar"[3]);
 var_dump("foobar"[2][0]);
-var_dump("foobar"["foo"]["bar"]);
+var_dump("foobar"["0foo"]["0bar"]);
 --EXPECTF--
 string(1) "b"
 string(1) "o"
 
-Warning: Illegal string offset "foo" in %s on line %d
+Warning: Illegal string offset "0foo" in %s on line %d
 
-Warning: Illegal string offset "bar" in %s on line %d
+Warning: Illegal string offset "0bar" in %s on line %d
 string(1) "f"

Zend/tests/indexing_001.phpt

@@ -75,19 +75,13 @@ array(1) {
   }
 }
 
-Warning: Illegal string offset "foo" in %s on line %d
-
 Warning: Array to string conversion in %s on line %d
-
-Warning: Only the first byte will be assigned to the string offset in %s on line %d
-string(1) "A"
-
-Warning: Illegal string offset "foo" in %s on line %d
+Illegal offset type
+string(0) ""
 
 Warning: Array to string conversion in %s on line %d
-
-Warning: Only the first byte will be assigned to the string offset in %s on line %d
-string(1) "A"
+Illegal offset type
+string(1) " "
 Cannot use a scalar value as an array
 float(0.1)
 array(1) {

Zend/tests/offset_assign.phpt

@@ -1,14 +1,14 @@
 --TEST--
-Crash on $x['x']['y'] += 1 when $x is string
+Crash on $x['2x']['y'] += 1 when $x is string
 --FILE--
 <?php
 $x = "a";
-$x['x']['y'] += 1;
+$x['2x']['y'] += 1;
 
 echo "Done\n";
 ?>
 --EXPECTF--
-Warning: Illegal string offset "x" in %s on line %d
+Warning: Illegal string offset "2x" in %s on line %d
 
 Fatal error: Uncaught Error: Cannot use string offset as an array in %soffset_assign.php:%d
 Stack trace:

Zend/tests/offset_string.phpt

@@ -8,7 +8,11 @@ $str = "Sitting on a corner all alone, staring from the bottom of his soul";
 var_dump($str[1]);
 var_dump($str[0.0836]);
 var_dump($str[NULL]);
-var_dump($str["run away"]);
+try {
+    var_dump($str["run away"]);
+} catch (\TypeError $e) {
+    echo $e->getMessage() . \PHP_EOL;
+}
 var_dump($str["13"]);
 var_dump($str["14.5"]);
 var_dump($str["15 and then some"]);
@@ -47,9 +51,7 @@ string(1) "S"
 
 Warning: String offset cast occurred in %s on line %d
 string(1) "S"
-
-Warning: Illegal string offset "run away" in %s on line %d
-string(1) "S"
+Illegal offset type
 string(1) "c"
 
 Warning: Illegal string offset "14.5" in %s on line %d

Zend/zend_execute.c

@@ -1328,13 +1328,24 @@ static zend_never_inline zend_long zend_check_string_offset(zval *dim, int type
 	if (UNEXPECTED(Z_TYPE_P(dim) != IS_LONG)) {
 		switch(Z_TYPE_P(dim)) {
 			case IS_STRING:
-				if (IS_LONG == is_numeric_string(Z_STRVAL_P(dim), Z_STRLEN_P(dim), NULL, NULL, false)) {
-					break;
+			{
+				/* allow errors in string offset for BC reasons */
+				zend_uchar numeric_string_type = is_numeric_string(Z_STRVAL_P(dim), Z_STRLEN_P(dim), &offset, NULL, true);
+				if (IS_LONG == numeric_string_type) {
+					/* emit Illegal string warning on leading numerical string */
+					if (0 == is_numeric_string(Z_STRVAL_P(dim), Z_STRLEN_P(dim), NULL, NULL, false)
+							&& type != BP_VAR_UNSET) {
+						zend_error(E_WARNING, "Illegal string offset \"%s\"", Z_STRVAL_P(dim));
+					}
+					return offset;
 				}
-				if (type != BP_VAR_UNSET) {
+				if (IS_DOUBLE == numeric_string_type) {
 					zend_error(E_WARNING, "Illegal string offset \"%s\"", Z_STRVAL_P(dim));
+					break;
 				}
+				zend_illegal_offset();
 				break;
+			}
 			case IS_UNDEF:
 				ZVAL_UNDEFINED_OP2();
 			case IS_DOUBLE:
@@ -2313,17 +2324,28 @@ static zend_always_inline void zend_fetch_dimension_address_read(zval *result, z
 try_string_offset:
 		if (UNEXPECTED(Z_TYPE_P(dim) != IS_LONG)) {
 			switch (Z_TYPE_P(dim)) {
-				/* case IS_LONG: */
 				case IS_STRING:
-					if (IS_LONG == is_numeric_string(Z_STRVAL_P(dim), Z_STRLEN_P(dim), NULL, NULL, false)) {
+				{
+					/* allow errors in string offset for BC reasons */
+					zend_uchar numeric_string_type = is_numeric_string(Z_STRVAL_P(dim), Z_STRLEN_P(dim), &offset, NULL, true);
+					if (IS_LONG == numeric_string_type) {
+						/* emit Illegal string warning on leading numerical string */
+						if (0 == is_numeric_string(Z_STRVAL_P(dim), Z_STRLEN_P(dim), NULL, NULL, false)) {
+							zend_error(E_WARNING, "Illegal string offset \"%s\"", Z_STRVAL_P(dim));
+						}
+						goto out;
+					}
+					if (IS_DOUBLE == numeric_string_type) {
+						zend_error(E_WARNING, "Illegal string offset \"%s\"", Z_STRVAL_P(dim));
 						break;
 					}
 					if (type == BP_VAR_IS) {
 						ZVAL_NULL(result);
 						return;
 					}
-					zend_error(E_WARNING, "Illegal string offset \"%s\"", Z_STRVAL_P(dim));
+					zend_illegal_offset();
 					break;
+				}
 				case IS_UNDEF:
 					ZVAL_UNDEFINED_OP2();
 				case IS_DOUBLE:
@@ -2346,6 +2368,7 @@ static zend_always_inline void zend_fetch_dimension_address_read(zval *result, z
 		} else {
 			offset = Z_LVAL_P(dim);
 		}
+		out:
 
 		if (UNEXPECTED(Z_STRLEN_P(container) < ((offset < 0) ? -(size_t)offset : ((size_t)offset + 1)))) {
 			if (type != BP_VAR_IS) {

ext/opcache/jit/zend_jit_helpers.c

@@ -677,13 +677,24 @@ static void ZEND_FASTCALL zend_jit_fetch_dim_str_r_helper(zval *container, zval
 try_string_offset:
 	if (UNEXPECTED(Z_TYPE_P(dim) != IS_LONG)) {
 		switch (Z_TYPE_P(dim)) {
-			/* case IS_LONG: */
 			case IS_STRING:
-				if (IS_LONG == is_numeric_string(Z_STRVAL_P(dim), Z_STRLEN_P(dim), NULL, NULL, false)) {
+			{
+				/* allow errors in string offset for BC reasons */
+				zend_uchar numeric_string_type = is_numeric_string(Z_STRVAL_P(dim), Z_STRLEN_P(dim), &offset, NULL, true);
+				if (IS_LONG == numeric_string_type) {
+					/* emit Illegal string warning on leading numerical string */
+					if (0 == is_numeric_string(Z_STRVAL_P(dim), Z_STRLEN_P(dim), NULL, NULL, false)) {
+						zend_error(E_WARNING, "Illegal string offset \"%s\"", Z_STRVAL_P(dim));
+					}
+					goto out;
+				}
+				if (IS_DOUBLE == numeric_string_type) {
+					zend_error(E_WARNING, "Illegal string offset \"%s\"", Z_STRVAL_P(dim));
 					break;
 				}
-				zend_error(E_WARNING, "Illegal string offset \"%s\"", Z_STRVAL_P(dim));
+				zend_type_error("Illegal offset type");
 				break;
+			}
 			case IS_UNDEF:
 				zend_jit_undefined_op_helper(EG(current_execute_data)->opline->op2.var);
 			case IS_DOUBLE:
@@ -704,6 +715,7 @@ static void ZEND_FASTCALL zend_jit_fetch_dim_str_r_helper(zval *container, zval
 	} else {
 		offset = Z_LVAL_P(dim);
 	}
+	out:
 
 	if (UNEXPECTED(Z_STRLEN_P(container) < ((offset < 0) ? -(size_t)offset : ((size_t)offset + 1)))) {
 		zend_error(E_WARNING, "Uninitialized string offset " ZEND_LONG_FMT, offset);
@@ -824,13 +836,24 @@ static zend_never_inline zend_long zend_check_string_offset(zval *dim, int type)
 	if (UNEXPECTED(Z_TYPE_P(dim) != IS_LONG)) {
 		switch(Z_TYPE_P(dim)) {
 			case IS_STRING:
-				if (IS_LONG == is_numeric_string(Z_STRVAL_P(dim), Z_STRLEN_P(dim), NULL, NULL, false)) {
-					break;
+			{
+				/* allow errors in string offset for BC reasons */
+				zend_uchar numeric_string_type = is_numeric_string(Z_STRVAL_P(dim), Z_STRLEN_P(dim), &offset, NULL, true);
+				if (IS_LONG == numeric_string_type) {
+					/* emit Illegal string warning on leading numerical string */
+					if (0 == is_numeric_string(Z_STRVAL_P(dim), Z_STRLEN_P(dim), NULL, NULL, false)
+							&& type != BP_VAR_UNSET) {
+						zend_error(E_WARNING, "Illegal string offset \"%s\"", Z_STRVAL_P(dim));
+					}
+					return offset;
 				}
-				if (type != BP_VAR_UNSET) {
+				if (IS_DOUBLE == numeric_string_type) {
 					zend_error(E_WARNING, "Illegal string offset \"%s\"", Z_STRVAL_P(dim));
+					break;
 				}
+				zend_type_error("Illegal offset type");
 				break;
+			}
 			case IS_UNDEF:
 				zend_jit_undefined_op_helper(EG(current_execute_data)->opline->op2.var);
 			case IS_DOUBLE:

ext/opcache/tests/jit/fetch_dim_r_003.phpt

@@ -20,10 +20,18 @@ function foo() {
     var_dump($a[false]);
     var_dump($a[true]);
     var_dump($a[null]);
-    var_dump($a["ab"]);
+    try {
+        var_dump($a["ab"]);
+    } catch (\TypeError $e) {
+        echo $e->getMessage() . \PHP_EOL;
+    }
     $x = "a";
     $y = "b";
-    var_dump($a[$x . $y]);
+    try {
+        var_dump($a[$x . $y]);
+    } catch (\TypeError $e) {
+        echo $e->getMessage() . \PHP_EOL;
+    }
     var_dump($a["2x"]);
     $x = "2";
     $y = "x";
@@ -47,15 +55,11 @@ string(1) "B"
 
 Warning: String offset cast occurred in %s on line %d
 string(1) "A"
+Illegal offset type
+Illegal offset type
 
-Warning: Illegal string offset "ab" in %sfetch_dim_r_003.php on line 12
-string(1) "A"
-
-Warning: Illegal string offset "ab" in %sfetch_dim_r_003.php on line 15
-string(1) "A"
-
-Warning: Illegal string offset "2x" in %sfetch_dim_r_003.php on line 16
+Warning: Illegal string offset "2x" in %sfetch_dim_r_003.php on line 24
 string(1) "C"
 
-Warning: Illegal string offset "2x" in %sfetch_dim_r_003.php on line 19
+Warning: Illegal string offset "2x" in %sfetch_dim_r_003.php on line 27
 string(1) "C"