Fixed bug #79783

nikic · nikic · commit 971e5c5186a2 · 2020-07-07T09:56:14.000+02:00
Make sure we don't drop the by-reference check when passing the
result of a VM builtin function.
diff --git a/NEWS b/NEWS
@@ -12,6 +12,7 @@ PHP                                                                        NEWS
 - Core:
   . Fixed bug #79740 (serialize() and unserialize() methods can not be called
     statically). (Nikita)
+  . Fixede bug #79783 (Segfault in php_str_replace_common). (Nikita)
 
 - Fileinfo:
   . Fixed bug #79756 (finfo_file crash (FILEINFO_MIME)). (cmb)
diff --git a/Zend/tests/bug79783.phpt b/Zend/tests/bug79783.phpt
@@ -0,0 +1,11 @@
+--TEST--
+Bug #79783: Segfault in php_str_replace_common
+--FILE--
+<?php
+str_replace("a", "b", "c", strlen("d"));
+?>
+--EXPECTF--
+Fatal error: Uncaught Error: Cannot pass parameter 4 by reference in %s:%d
+Stack trace:
+#0 {main}
+  thrown in %s on line %d
diff --git a/Zend/zend_compile.c b/Zend/zend_compile.c
@@ -3009,7 +3009,11 @@ uint32_t zend_compile_args(zend_ast *ast, zend_function *fbc) /* {{{ */
 				zend_compile_var(&arg_node, arg, BP_VAR_R, 0);
 				if (arg_node.op_type & (IS_CONST|IS_TMP_VAR)) {
 					/* Function call was converted into builtin instruction */
-					opcode = ZEND_SEND_VAL;
+					if (!fbc || ARG_MUST_BE_SENT_BY_REF(fbc, arg_num)) {
+						opcode = ZEND_SEND_VAL_EX;
+					} else {
+						opcode = ZEND_SEND_VAL;
+					}
 				} else {
 					if (fbc) {
 						if (ARG_MUST_BE_SENT_BY_REF(fbc, arg_num)) {
