Disallowed JMP into a finally block.

Author: laruence

NEWS

@@ -3,6 +3,7 @@ PHP                                                                        NEWS
 ?? ??? 2013, PHP 5.5.8
 
 - Core:
+  . Disallowed JMP into a finally block. (Laruence)
   . Added validation of class names in the autoload process. (Dmitry)
   . Fixed invalid C code in zend_strtod.c. (Lior Kaplan)
   . Fixed bug #66041 (list() fails to unpack yielded ArrayAccess object).

Zend/zend_opcode.c

@@ -489,17 +489,22 @@ static void zend_check_finally_breakout(zend_op_array *op_array, zend_uint op_nu
 	zend_uint i;
 
 	for (i = 0; i < op_array->last_try_catch; i++) {
-		if (op_array->try_catch_array[i].try_op > op_num) {
-			break;
-		}
-		if ((op_num >= op_array->try_catch_array[i].finally_op 
+		if ((op_num < op_array->try_catch_array[i].finally_op ||
+					op_num >= op_array->try_catch_array[i].finally_end)
+				&& (dst_num >= op_array->try_catch_array[i].finally_op &&
+					 dst_num <= op_array->try_catch_array[i].finally_end)) {
+			CG(in_compilation) = 1;
+			CG(active_op_array) = op_array;
+			CG(zend_lineno) = op_array->opcodes[op_num].lineno;
+			zend_error(E_COMPILE_ERROR, "jump into a finally block is disallowed");
+		} else if ((op_num >= op_array->try_catch_array[i].finally_op 
 					&& op_num <= op_array->try_catch_array[i].finally_end)
 				&& (dst_num > op_array->try_catch_array[i].finally_end 
 					|| dst_num < op_array->try_catch_array[i].finally_op)) {
 			CG(in_compilation) = 1;
 			CG(active_op_array) = op_array;
 			CG(zend_lineno) = op_array->opcodes[op_num].lineno;
-			zend_error(E_COMPILE_ERROR, "jump out of a finally block is disallowed");
+			zend_error_noreturn(E_COMPILE_ERROR, "jump out of a finally block is disallowed");
 		}
 	} 
 }