Fix Bug #80972: Memory exhaustion on invalid string offset

Author: Girgias

Zend/tests/bug80972.phpt

@@ -0,0 +1,22 @@
+--TEST--
+Bug #80972: Memory exhaustion on invalid string offset
+--FILE--
+<?php
+
+$float = 10e120;
+$string_float = (string) $float;
+
+$string = 'Here is some text for good measure';
+
+try {
+    echo 'Float casted to string compile', \PHP_EOL;
+    $string[(string) 10e120] = 'E';
+    var_dump($string);
+} catch (\TypeError $e) {
+    echo $e->getMessage(), \PHP_EOL;
+}
+
+?>
+--EXPECT--
+Float casted to string compile
+Cannot access offset of type string on string

Zend/zend_execute.c

@@ -1525,6 +1525,14 @@ static zend_never_inline void zend_assign_to_string_offset(zval *str, zval *dim,
 	zend_long offset;
 
 	offset = zend_check_string_offset(dim, BP_VAR_W EXECUTE_DATA_CC);
+	/* Illegal offset assignment */
+	if (UNEXPECTED(EG(exception) != NULL)) {
+		if (UNEXPECTED(RETURN_VALUE_USED(opline))) {
+			ZVAL_UNDEF(EX_VAR(opline->result.var));
+		}
+		return;
+	}
+
 	if (offset < -(zend_long)Z_STRLEN_P(str)) {
 		/* Error on negative offset */
 		zend_error(E_WARNING, "Illegal string offset " ZEND_LONG_FMT, offset);