Fix use after free for variables with integer names

nikic · nikic · commit 69a4b135f321 · 2015-01-04T17:57:23.000+01:00
diff --git a/Zend/tests/variable_with_integer_name.phpt b/Zend/tests/variable_with_integer_name.phpt
@@ -0,0 +1,11 @@
+--TEST--
+Variable with integer name
+--FILE--
+<?php
+
+${10} = 42;
+var_dump(${10});
+
+?>
+--EXPECT--
+int(42)
diff --git a/Zend/zend_compile.c b/Zend/zend_compile.c
@@ -1950,6 +1950,9 @@ static int zend_try_compile_cv(znode *result, zend_ast *ast) /* {{{ */
 		result->op_type = IS_CV;
 		result->u.op.var = lookup_cv(CG(active_op_array), name);
 
+		/* lookup_cv may be using another zend_string instance  */
+		name = CG(active_op_array)->vars[EX_VAR_TO_NUM(result->u.op.var)];
+
 		if (zend_string_equals_literal(name, "this")) {
 			CG(active_op_array)->this_var = result->u.op.var;
 		}

Original file line number	Diff line number	Diff line change
`@@ -1950,6 +1950,9 @@ static int zend_try_compile_cv(znode result, zend_ast ast) /* {{{ */`
`1950`	`1950`	`result->op_type = IS_CV;`
`1951`	`1951`	`result->u.op.var = lookup_cv(CG(active_op_array), name);`
`1952`	`1952`
	`1953`	`+ /* lookup_cv may be using another zend_string instance */`
	`1954`	`+ name = CG(active_op_array)->vars[EX_VAR_TO_NUM(result->u.op.var)];`
	`1955`	`+`
`1953`	`1956`	`if (zend_string_equals_literal(name, "this")) {`
`1954`	`1957`	`CG(active_op_array)->this_var = result->u.op.var;`
`1955`	`1958`	`}`