Fixed bug #31098 (isset false positive)

Author: dstogov

Zend/tests/bug31098.phpt

@@ -14,12 +14,44 @@ $a = 'a';
 var_dump(isset($a{'b'}));
 $a = '0';
 var_dump(isset($a{'b'}));
+
+$simpleString = "Bogus String Text";
+echo isset($simpleString->wrong)?"bug\n":"ok\n";
+echo isset($simpleString["wrong"])?"bug\n":"ok\n";
+echo isset($simpleString[-1])?"bug\n":"ok\n";
+echo isset($simpleString[0])?"ok\n":"bug\n";
+echo isset($simpleString["0"])?"ok\n":"bug\n";
+echo isset($simpleString["16"])?"ok\n":"bug\n";
+echo isset($simpleString["17"])?"bug\n":"ok\n";
+echo isset($simpleString["wrong"][0])?"bug\n":"ok\n";
+echo $simpleString->wrong === null?"ok\n":"bug\n";
+echo $simpleString["wrong"] === null?"ok\n":"bug\n";
+echo $simpleString["0"] === "B"?"ok\n":"bug\n";
+$simpleString["wrong"] = "f";
+echo $simpleString["0"] === "B"?"ok\n":"bug\n";
 ?>
 --EXPECTF--
 bool(false)
 bool(false)
 bool(false)
 bool(false)
-bool(true)
-bool(true)
+bool(false)
+bool(false)
+ok
+ok
+ok
+ok
+ok
+ok
+ok
+ok
+
+Notice: Trying to get property of non-object in %sbug31098.php on line %d
+ok
+
+Notice: Trying to get string index from a string in %sbug31098.php on line %d
+ok
+ok
 
+Notice: Trying to get string index from a string in %sbug31098.php on line %d
+ok

Zend/zend_execute.c

@@ -1190,7 +1190,28 @@ static void zend_fetch_dimension_address(temp_variable *result, zval **container
 					zend_error_noreturn(E_ERROR, "[] operator not supported for strings");
 				}
 
-				if (dim->type != IS_LONG) {
+				if (Z_TYPE_P(dim) == IS_STRING) {
+					char *strval;
+					long  lval;
+
+					strval = Z_STRVAL_P(dim);
+					if (is_numeric_string(strval, Z_STRLEN_P(dim), &lval, NULL, 0) == IS_LONG) {
+					  ZVAL_LONG(&tmp, lval);
+						dim = &tmp;
+					} else {
+						if (type != BP_VAR_IS && type != BP_VAR_UNSET) {
+							zend_error(E_NOTICE, "Trying to get string index from a string");
+						}
+						if (result) {
+							result->var.ptr_ptr = &EG(error_zval_ptr);
+							PZVAL_LOCK(*result->var.ptr_ptr);
+							if (type == BP_VAR_R || type == BP_VAR_IS) {
+								AI_USE_PTR(result->var);
+							}
+						}
+						return;
+					}
+				} else if (dim->type != IS_LONG) {
 					tmp = *dim;
 					zval_copy_ctor(&tmp);
 					convert_to_long(&tmp);

Zend/zend_vm_def.h

@@ -3190,26 +3190,37 @@ ZEND_VM_HELPER_EX(zend_isset_isempty_dim_prop_obj_handler, VAR|UNUSED|CV, CONST|
 			} else {
 				result = Z_OBJ_HT_P(*container)->has_dimension(*container, offset, (opline->extended_value == ZEND_ISEMPTY) TSRMLS_CC);
 			}
-		} else if ((*container)->type == IS_STRING) { /* string offsets */
-			zval tmp_offset;
-
-			if (Z_TYPE_P(offset) != IS_LONG) {
-				tmp_offset = *offset;
-				zval_copy_ctor(&tmp_offset);
-				convert_to_long(&tmp_offset);
-				offset = &tmp_offset;
+		} else if ((*container)->type == IS_STRING && !prop_dim) { /* string offsets */
+			zval tmp;
+
+			if (Z_TYPE_P(offset) == IS_STRING) {
+				char *strval;
+				long  lval;
+
+				strval = Z_STRVAL_P(offset);
+				if (is_numeric_string(strval, Z_STRLEN_P(offset), &lval, NULL, 0) == IS_LONG) {
+					ZVAL_LONG(&tmp, lval);
+					offset = &tmp;
+				}
+			} else if (offset->type != IS_LONG) {
+				tmp = *offset;
+				zval_copy_ctor(&tmp);
+				convert_to_long(&tmp);
+				offset = &tmp;
 			}
-			switch (opline->extended_value) {
-				case ZEND_ISSET:
-					if (offset->value.lval >= 0 && offset->value.lval < Z_STRLEN_PP(container)) {
-						result = 1;
-					}
-					break;
-				case ZEND_ISEMPTY:
-					if (offset->value.lval >= 0 && offset->value.lval < Z_STRLEN_PP(container) && Z_STRVAL_PP(container)[offset->value.lval] != '0') {
-						result = 1;
-					}
-					break;
+			if (offset->type == IS_LONG) {
+				switch (opline->extended_value) {
+					case ZEND_ISSET:
+						if (offset->value.lval >= 0 && offset->value.lval < Z_STRLEN_PP(container)) {
+							result = 1;
+						}
+						break;
+					case ZEND_ISEMPTY:
+						if (offset->value.lval >= 0 && offset->value.lval < Z_STRLEN_PP(container) && Z_STRVAL_PP(container)[offset->value.lval] != '0') {
+							result = 1;
+						}
+						break;
+				}
 			}
 		}
 	}