Fixed bug #64966 (segfault in zend_do_fcall_common_helper_SPEC)

laruence · laruence · commit e8f004d54252 · 2013-06-09T13:20:40.000+08:00
diff --git a/NEWS b/NEWS
@@ -1,7 +1,9 @@
 PHP                                                                        NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 ?? ??? 2013, PHP 5.3.27
+
 - Core:
+  . Fixed bug #64966 (segfault in zend_do_fcall_common_helper_SPEC). (Laruence)
   . Fixed bug #64960 (Segfault in gc_zval_possible_root). (Laruence)
   . Fixed bug #64934 (Apache2 TS crash with get_browser()). (Anatol)
 
diff --git a/Zend/tests/bug64966.phpt b/Zend/tests/bug64966.phpt
@@ -0,0 +1,30 @@
+--TEST--
+Bug #64966 (segfault in zend_do_fcall_common_helper_SPEC)
+--FILE--
+<?php
+error_reporting(E_ALL);
+set_error_handler(function($error) { throw new Exception(); }, E_RECOVERABLE_ERROR);
+
+function test($func) {
+	$a = $func("");
+	return true;
+}
+class A {
+	public function b() {
+		test("strlen");
+		test("iterator_apply");
+	}
+}
+
+$a = new A();
+$a->b();
+?>
+--EXPECTF--
+Fatal error: Uncaught exception 'Exception' in %sbug64966.php:3
+Stack trace:
+#0 [internal function]: {closure}(4096, 'Argument 1 pass...', '/home/huixinche...', 6, Array)
+#1 %sbug64966.php(6): iterator_apply('')
+#2 %sbug64966.php(12): test('iterator_apply')
+#3 %sbug64966.php(17): A->b()
+#4 {main}
+  thrown in %sbug64966.php on line 3
diff --git a/Zend/zend_vm_def.h b/Zend/zend_vm_def.h
@@ -2327,6 +2327,8 @@ ZEND_VM_HELPER(zend_do_fcall_common_helper, ANY, ANY)
 			if (!RETURN_VALUE_USED(opline)) {
 				zval_ptr_dtor(&EX_T(opline->result.u.var).var.ptr);
 			}
+		} else if (RETURN_VALUE_USED(opline)) {
+			EX_T(opline->result.u.var).var.ptr = NULL;
 		}
 	} else if (EX(function_state).function->type == ZEND_USER_FUNCTION) {
 		EX(original_return_value) = EG(return_value_ptr_ptr);
diff --git a/Zend/zend_vm_execute.h b/Zend/zend_vm_execute.h
@@ -327,6 +327,8 @@ static int ZEND_FASTCALL zend_do_fcall_common_helper_SPEC(ZEND_OPCODE_HANDLER_AR
 			if (!RETURN_VALUE_USED(opline)) {
 				zval_ptr_dtor(&EX_T(opline->result.u.var).var.ptr);
 			}
+		} else if (RETURN_VALUE_USED(opline)) {
+			EX_T(opline->result.u.var).var.ptr = NULL;
 		}
 	} else if (EX(function_state).function->type == ZEND_USER_FUNCTION) {
 		EX(original_return_value) = EG(return_value_ptr_ptr);

Original file line number	Diff line number	Diff line change
`@@ -2327,6 +2327,8 @@ ZEND_VM_HELPER(zend_do_fcall_common_helper, ANY, ANY)`
`2327`	`2327`	`if (!RETURN_VALUE_USED(opline)) {`
`2328`	`2328`	`zval_ptr_dtor(&EX_T(opline->result.u.var).var.ptr);`
`2329`	`2329`	`}`
	`2330`	`+ } else if (RETURN_VALUE_USED(opline)) {`
	`2331`	`+ EX_T(opline->result.u.var).var.ptr = NULL;`
`2330`	`2332`	`}`
`2331`	`2333`	`} else if (EX(function_state).function->type == ZEND_USER_FUNCTION) {`
`2332`	`2334`	`EX(original_return_value) = EG(return_value_ptr_ptr);`
Original file line number	Diff line number	Diff line change
`@@ -327,6 +327,8 @@ static int ZEND_FASTCALL zend_do_fcall_common_helper_SPEC(ZEND_OPCODE_HANDLER_AR`
`327`	`327`	`if (!RETURN_VALUE_USED(opline)) {`
`328`	`328`	`zval_ptr_dtor(&EX_T(opline->result.u.var).var.ptr);`
`329`	`329`	`}`
	`330`	`+ } else if (RETURN_VALUE_USED(opline)) {`
	`331`	`+ EX_T(opline->result.u.var).var.ptr = NULL;`
`330`	`332`	`}`
`331`	`333`	`} else if (EX(function_state).function->type == ZEND_USER_FUNCTION) {`
`332`	`334`	`EX(original_return_value) = EG(return_value_ptr_ptr);`