Skip to content

Commit d4dee4a

Browse files
laruenceweltling
laruence
authored and
weltling
committed
Fixed bug #75573 (Segmentation fault in 7.1.12 and 7.0.26)
(cherry picked from commit 3b9ba7b)
1 parent d6d4f2a commit d4dee4a

File tree

2 files changed

+65
-1
lines changed

2 files changed

+65
-1
lines changed

Zend/tests/bug75573.phpt

Lines changed: 64 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,64 @@
1+
--TEST--
2+
Bug #75573 (Segmentation fault in 7.1.12 and 7.0.26)
3+
--FILE--
4+
<?php
5+
6+
class A
7+
{
8+
var $_stdObject;
9+
function initialize($properties = FALSE) {
10+
$this->_stdObject = $properties ? (object) $properties : new stdClass();
11+
parent::initialize();
12+
}
13+
function &__get($property)
14+
{
15+
if (isset($this->_stdObject->{$property})) {
16+
$retval =& $this->_stdObject->{$property};
17+
return $retval;
18+
} else {
19+
return NULL;
20+
}
21+
}
22+
function &__set($property, $value)
23+
{
24+
return $this->_stdObject->{$property} = $value;
25+
}
26+
function __isset($property_name)
27+
{
28+
return isset($this->_stdObject->{$property_name});
29+
}
30+
}
31+
32+
class B extends A
33+
{
34+
function initialize($properties = array())
35+
{
36+
parent::initialize($properties);
37+
}
38+
function &__get($property)
39+
{
40+
if (isset($this->settings) && isset($this->settings[$property])) {
41+
$retval =& $this->settings[$property];
42+
return $retval;
43+
} else {
44+
return parent::__get($property);
45+
}
46+
}
47+
}
48+
49+
$b = new B();
50+
$b->settings = [ "foo" => "bar", "name" => "abc" ];
51+
var_dump($b->name);
52+
var_dump($b->settings);
53+
?>
54+
--EXPECTF--
55+
Warning: Creating default object from empty value in %sbug75573.php on line %d
56+
57+
Notice: Only variable references should be returned by reference in %sbug75573.php on line %d
58+
string(3) "abc"
59+
array(2) {
60+
["foo"]=>
61+
string(3) "bar"
62+
["name"]=>
63+
string(3) "abc"
64+
}

Zend/zend_object_handlers.c

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -602,13 +602,13 @@ zval *zend_std_read_property(zval *object, zval *member, int type, void **cache_
602602
zval_ptr_dtor(&tmp_object);
603603
goto exit;
604604
} else {
605-
zval_ptr_dtor(&tmp_object);
606605
if (Z_STRVAL_P(member)[0] == '\0') {
607606
if (Z_STRLEN_P(member) == 0) {
608607
zend_throw_error(NULL, "Cannot access empty property");
609608
retval = &EG(uninitialized_zval);
610609
goto exit;
611610
} else {
611+
zval_ptr_dtor(&tmp_object);
612612
zend_throw_error(NULL, "Cannot access property started with '\\0'");
613613
retval = &EG(uninitialized_zval);
614614
goto exit;

0 commit comments

Comments
 (0)