Fixed bug #75573 (Segmentation fault in 7.1.12 and 7.0.26)

laruence · laruence · commit 3b9ba7b6bd9e · 2017-11-29T14:46:21.000+08:00
diff --git a/NEWS b/NEWS
@@ -3,6 +3,7 @@ PHP                                                                        NEWS
 ?? ??? 2017, PHP 7.1.13
 
 - Core:
+  . Fixed bug #75573 (Segmentation fault in 7.1.12 and 7.0.26). (Laruence)
   . Fixed bug #75384 (PHP seems incompatible with OneDrive files on demand).
     (Anatol)
   . Fixed bug #74862 (Unable to clone instance when private __clone defined).
diff --git a/Zend/tests/bug75573.phpt b/Zend/tests/bug75573.phpt
@@ -0,0 +1,64 @@
+--TEST--
+Bug #75573 (Segmentation fault in 7.1.12 and 7.0.26)
+--FILE--
+<?php
+
+class A
+{
+	var $_stdObject;
+	function initialize($properties = FALSE) {
+		$this->_stdObject = $properties ? (object) $properties : new stdClass();
+		parent::initialize();
+	}
+	function &__get($property)
+	{
+		if (isset($this->_stdObject->{$property})) {
+			$retval =& $this->_stdObject->{$property};
+			return $retval;
+		} else {
+			return NULL;
+		}
+	}
+	function &__set($property, $value)
+	{
+		return $this->_stdObject->{$property} = $value;
+	}
+	function __isset($property_name)
+	{
+		return isset($this->_stdObject->{$property_name});
+	}
+}
+
+class B extends A
+{
+	function initialize($properties = array())
+	{
+		parent::initialize($properties);
+	}
+	function &__get($property)
+	{
+		if (isset($this->settings) && isset($this->settings[$property])) {
+			$retval =& $this->settings[$property];
+			return $retval;
+		} else {
+			return parent::__get($property);
+		}
+	}
+}
+
+$b = new B();
+$b->settings = [ "foo" => "bar", "name" => "abc" ];
+var_dump($b->name);
+var_dump($b->settings);
+?>
+--EXPECTF--
+Warning: Creating default object from empty value in %sbug75573.php on line %d
+
+Notice: Only variable references should be returned by reference in %sbug75573.php on line %d
+string(3) "abc"
+array(2) {
+  ["foo"]=>
+  string(3) "bar"
+  ["name"]=>
+  string(3) "abc"
+}
diff --git a/Zend/zend_object_handlers.c b/Zend/zend_object_handlers.c
@@ -668,13 +668,11 @@ zval *zend_std_read_property(zval *object, zval *member, int type, void **cache_
 			}
 			zval_ptr_dtor(&tmp_object);
 			goto exit;
-		} else {
+		} else if (Z_STRVAL_P(member)[0] == '\0' && Z_STRLEN_P(member) != 0) {
 			zval_ptr_dtor(&tmp_object);
-			if (Z_STRVAL_P(member)[0] == '\0' && Z_STRLEN_P(member) != 0) {
-				zend_throw_error(NULL, "Cannot access property started with '\\0'");
-				retval = &EG(uninitialized_zval);
-				goto exit;
-			}
+			zend_throw_error(NULL, "Cannot access property started with '\\0'");
+			retval = &EG(uninitialized_zval);
+			goto exit;
 		}
 	}
 

Original file line number	Diff line number	Diff line change
`@@ -668,13 +668,11 @@ zval zend_std_read_property(zval object, zval member, int type, void *cache_`
`668`	`668`	`}`
`669`	`669`	`zval_ptr_dtor(&tmp_object);`
`670`	`670`	`goto exit;`
`671`		`- } else {`
	`671`	`+ } else if (Z_STRVAL_P(member)[0] == '\0' && Z_STRLEN_P(member) != 0) {`
`672`	`672`	`zval_ptr_dtor(&tmp_object);`
`673`		`- if (Z_STRVAL_P(member)[0] == '\0' && Z_STRLEN_P(member) != 0) {`
`674`		`- zend_throw_error(NULL, "Cannot access property started with '\\0'");`
`675`		`- retval = &EG(uninitialized_zval);`
`676`		`- goto exit;`
`677`		`- }`
	`673`	`+ zend_throw_error(NULL, "Cannot access property started with '\\0'");`
	`674`	`+ retval = &EG(uninitialized_zval);`
	`675`	`+ goto exit;`
`678`	`676`	`}`
`679`	`677`	`}`
`680`	`678`