Newsgroups: php.internals
To: PHP internals
Date: Wed, 7 Mar 2007 18:45:48 -0800
Subject: [PATCH] segfault with string dimensions
From: shire@php.net (Brian Shire)
Let me know if I have any issues with my patch/thinking here:
Reproduce code:
The zend_binary_assign_op_helper_* function isn't checking that the value returned from _get_zval_ptr_ptr_var is set, so it faults instead of letting zend_fetch_dimension_address trigger the "Cannot use string offset as an array" error.
patch:
Index: Zend/zend_vm_def.h
===================================================================
RCS file: /repository/ZendEngine2/zend_vm_def.h,v
retrieving revision 1.59.2.29.2.39
diff -u -r1.59.2.29.2.39 zend_vm_def.h
--- Zend/zend_vm_def.h 25 Feb 2007 16:02:43 -0000 1.59.2.29.2.39
+++ Zend/zend_vm_def.h 8 Mar 2007 02:39:02 -0000
@@ -408,11 +408,11 @@
 		case ZEND_ASSIGN_DIM: {
 				zval **object_ptr = GET_OP1_OBJ_ZVAL_PTR_PTR(BP_VAR_W);
-				if (OP1_TYPE != IS_CV && !OP1_FREE) {
+				if (object_ptr && OP1_TYPE != IS_CV && !OP1_FREE) {
 					(*object_ptr)->refcount++; /* undo the effect of get_obj_zval_ptr_ptr() */
 				}
-				if (Z_TYPE_PP(object_ptr) == IS_OBJECT) {
+				if (object_ptr && Z_TYPE_PP(object_ptr) == IS_OBJECT) {
 					ZEND_VM_DISPATCH_TO_HELPER_EX(zend_binary_assign_op_obj_helper, binary_op, binary_op);
 				} else {
 					zend_op *op_data = opline+1;
Index: Zend/zend_vm_execute.h
===================================================================
RCS file: /repository/ZendEngine2/zend_vm_execute.h,v
retrieving revision 1.62.2.30.2.39
diff -u -r1.62.2.30.2.39 zend_vm_execute.h
--- Zend/zend_vm_execute.h 25 Feb 2007 16:02:43 -0000 1.62.2.30.2.39
+++ Zend/zend_vm_execute.h 8 Mar 2007 02:39:03 -0000
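Review bot: The new `object_ptr &&` guards stop the NULL dereference at the refcount undo and at `Z_TYPE_PP`, but a NULL `object_ptr` now flows into the `else` branch and on to the dimension fetch that follows the hunk, so the fix is only complete if that callee rejects a NULL container on every path; the description says `zend_fetch_dimension_address` raises "Cannot use string offset as an array" in that case, and that is worth stating at the guard so nobody re-adds a dereference: `/* object_ptr is NULL when op1 is a string offset; zend_fetch_dimension_address reports the error */`. Skipping the `refcount++` for the NULL case is right only if the string-offset path of the fetch did not consume a reference that needs undoing — presumably it did not, but confirm against `_get_zval_ptr_ptr_var` before committing. The reproducer did not survive the mail archive, so a regression test under Zend/tests exercising a compound assignment through a string offset used as an array (something like `$s = "abc"; $s[0][0] .= "x";`, inferred from the description) would pin the behaviour. The enclosing helper begins before and continues after this hunk.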
@@ -8583,11 +8583,11 @@
 		case ZEND_ASSIGN_DIM: {
 				zval **object_ptr = _get_zval_ptr_ptr_var(&opline->op1, EX(Ts), &free_op1 TSRMLS_CC);
-				if (IS_VAR != IS_CV && !(free_op1.var != NULL)) {
+				if (object_ptr && IS_VAR != IS_CV && !(free_op1.var != NULL)) {
 					(*object_ptr)->refcount++; /* undo the effect of get_obj_zval_ptr_ptr() */
 				}
-				if (Z_TYPE_PP(object_ptr) == IS_OBJECT) {
+				if (object_ptr && Z_TYPE_PP(object_ptr) == IS_OBJECT) {
 					return zend_binary_assign_op_obj_helper_SPEC_VAR_CONST (binary_op, ZEND_OPCODE_HANDLER_ARGS_PASSTHRU);
 				} else {
 					zend_op *op_data = opline+1;
@@ -10067,11 +10067,11 @@
 		case ZEND_ASSIGN_DIM: {
 				zval **object_ptr = _get_zval_ptr_ptr_var(&opline->op1, EX(Ts), &free_op1 TSRMLS_CC);
-				if (IS_VAR != IS_CV && !(free_op1.var != NULL)) {
+				if (object_ptr && IS_VAR != IS_CV && !(free_op1.var != NULL)) {
 					(*object_ptr)->refcount++; /* undo the effect of get_obj_zval_ptr_ptr() */
 				}
-				if (Z_TYPE_PP(object_ptr) == IS_OBJECT) {
+				if (object_ptr && Z_TYPE_PP(object_ptr) == IS_OBJECT) {
 					return zend_binary_assign_op_obj_helper_SPEC_VAR_TMP(binary_op, ZEND_OPCODE_HANDLER_ARGS_PASSTHRU);
 				} else {
 					zend_op *op_data = opline+1;
@@ -11555,11 +11555,11 @@
 		case ZEND_ASSIGN_DIM: {
 				zval **object_ptr = _get_zval_ptr_ptr_var(&opline->op1, EX(Ts), &free_op1 TSRMLS_CC);
-				if (IS_VAR != IS_CV && !(free_op1.var != NULL)) {
+				if (object_ptr && IS_VAR != IS_CV && !(free_op1.var != NULL)) {
 					(*object_ptr)->refcount++; /* undo the effect of get_obj_zval_ptr_ptr() */
 				}
-				if (Z_TYPE_PP(object_ptr) == IS_OBJECT) {
+				if (object_ptr && Z_TYPE_PP(object_ptr) == IS_OBJECT) {
 					return zend_binary_assign_op_obj_helper_SPEC_VAR_VAR(binary_op, ZEND_OPCODE_HANDLER_ARGS_PASSTHRU);
 				} else {
 					zend_op *op_data = opline+1;
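Review bot: These VAR-op1 specializations are the ones where the guard actually matters, because `_get_zval_ptr_ptr_var` is the fetch that can hand back NULL (the string-offset case per the description), whereas the CV and UNUSED fetches in the later hunks do not, as far as I can tell. The edit mirrors zend_vm_def.h line for line, which is correct, but zend_vm_execute.h is, if I recall correctly, generated from zend_vm_def.h by zend_vm_gen.php, so the committed version should be regenerated from the def rather than hand-patched, to avoid drift between the two files. The mailer has also reflowed `return zend_binary_assign_op_obj_helper_SPEC_VAR_CONST (binary_op, …)` with a space before the parenthesis — harmless in C, but a sign this text is not the byte-exact patch, so apply it from the original attachment. The handler bodies start before and continue after each hunk.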
@@ -12847,11 +12847,11 @@
 		case ZEND_ASSIGN_DIM: {
 				zval **object_ptr = _get_zval_ptr_ptr_var(&opline->op1, EX(Ts), &free_op1 TSRMLS_CC);
-				if (IS_VAR != IS_CV && !(free_op1.var != NULL)) {
+				if (object_ptr && IS_VAR != IS_CV && !(free_op1.var != NULL)) {
 					(*object_ptr)->refcount++; /* undo the effect of get_obj_zval_ptr_ptr() */
 				}
-				if (Z_TYPE_PP(object_ptr) == IS_OBJECT) {
+				if (object_ptr && Z_TYPE_PP(object_ptr) == IS_OBJECT) {
 					return zend_binary_assign_op_obj_helper_SPEC_VAR_UNUSED (binary_op, ZEND_OPCODE_HANDLER_ARGS_PASSTHRU);
 				} else {
 					zend_op *op_data = opline+1;
@@ -13516,11 +13516,11 @@
 		case ZEND_ASSIGN_DIM: {
 				zval **object_ptr = _get_zval_ptr_ptr_var(&opline->op1, EX(Ts), &free_op1 TSRMLS_CC);
-				if (IS_VAR != IS_CV && !(free_op1.var != NULL)) {
+				if (object_ptr && IS_VAR != IS_CV && !(free_op1.var != NULL)) {
 					(*object_ptr)->refcount++; /* undo the effect of get_obj_zval_ptr_ptr() */
 				}
-				if (Z_TYPE_PP(object_ptr) == IS_OBJECT) {
+				if (object_ptr && Z_TYPE_PP(object_ptr) == IS_OBJECT) {
 					return zend_binary_assign_op_obj_helper_SPEC_VAR_CV(binary_op, ZEND_OPCODE_HANDLER_ARGS_PASSTHRU);
 				} else {
 					zend_op *op_data = opline+1;
@@ -14882,11 +14882,11 @@
 		case ZEND_ASSIGN_DIM: {
 				zval **object_ptr = _get_obj_zval_ptr_ptr_unused(TSRMLS_C);
-				if (IS_UNUSED != IS_CV && !0) {
+				if (object_ptr && IS_UNUSED != IS_CV && !0) {
 					(*object_ptr)->refcount++; /* undo the effect of get_obj_zval_ptr_ptr() */
 				}
-				if (Z_TYPE_PP(object_ptr) == IS_OBJECT) {
+				if (object_ptr && Z_TYPE_PP(object_ptr) == IS_OBJECT) {
 					return zend_binary_assign_op_obj_helper_SPEC_UNUSED_CONST (binary_op, ZEND_OPCODE_HANDLER_ARGS_PASSTHRU);
 				} else {
 					zend_op *op_data = opline+1;
@@ -15885,11 +15885,11 @@
 		case ZEND_ASSIGN_DIM: {
 				zval **object_ptr = _get_obj_zval_ptr_ptr_unused(TSRMLS_C);
-				if (IS_UNUSED != IS_CV && !0) {
+				if (object_ptr && IS_UNUSED != IS_CV && !0) {
 					(*object_ptr)->refcount++; /* undo the effect of get_obj_zval_ptr_ptr() */
 				}
-				if (Z_TYPE_PP(object_ptr) == IS_OBJECT) {
+				if (object_ptr && Z_TYPE_PP(object_ptr) == IS_OBJECT) {
 					return zend_binary_assign_op_obj_helper_SPEC_UNUSED_TMP (binary_op, ZEND_OPCODE_HANDLER_ARGS_PASSTHRU);
 				} else {
 					zend_op *op_data = opline+1;
@@ -16849,11 +16849,11 @@
 		case ZEND_ASSIGN_DIM: {
 				zval **object_ptr = _get_obj_zval_ptr_ptr_unused(TSRMLS_C);
-				if (IS_UNUSED != IS_CV && !0) {
+				if (object_ptr && IS_UNUSED != IS_CV && !0) {
 					(*object_ptr)->refcount++; /* undo the effect of get_obj_zval_ptr_ptr() */
 				}
-				if (Z_TYPE_PP(object_ptr) == IS_OBJECT) {
+				if (object_ptr && Z_TYPE_PP(object_ptr) == IS_OBJECT) {
 					return zend_binary_assign_op_obj_helper_SPEC_UNUSED_VAR (binary_op, ZEND_OPCODE_HANDLER_ARGS_PASSTHRU);
 				} else {
 					zend_op *op_data = opline+1;
@@ -17813,11 +17813,11 @@
 		case ZEND_ASSIGN_DIM: {
 				zval **object_ptr = _get_obj_zval_ptr_ptr_unused(TSRMLS_C);
-				if (IS_UNUSED != IS_CV && !0) {
+				if (object_ptr && IS_UNUSED != IS_CV && !0) {
 					(*object_ptr)->refcount++; /* undo the effect of get_obj_zval_ptr_ptr() */
 				}
-				if (Z_TYPE_PP(object_ptr) == IS_OBJECT) {
+				if (object_ptr && Z_TYPE_PP(object_ptr) == IS_OBJECT) {
 					return zend_binary_assign_op_obj_helper_SPEC_UNUSED_UNUSED (binary_op, ZEND_OPCODE_HANDLER_ARGS_PASSTHRU);
 				} else {
 					zend_op *op_data = opline+1;
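Review bot: For the UNUSED-op1 specializations `object_ptr` comes from `_get_obj_zval_ptr_ptr_unused`, which as far as I recall returns `&EG(This)` or raises a fatal error and never NULL, so the added `object_ptr &&` checks are dead code here; they are harmless and fall out of the uniform template, but they should not be read as evidence that `$this[...] op= ...` can reach a NULL container. A one-line comment in the def would save the next reader the search: `/* object_ptr can only be NULL for an IS_VAR string offset; the check is inert for CV/UNUSED op1 */`. The handler bodies start before and continue after each hunk.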
@@ -18079,11 +18079,11 @@
 		case ZEND_ASSIGN_DIM: {
 				zval **object_ptr = _get_obj_zval_ptr_ptr_unused(TSRMLS_C);
-				if (IS_UNUSED != IS_CV && !0) {
+				if (object_ptr && IS_UNUSED != IS_CV && !0) {
 					(*object_ptr)->refcount++; /* undo the effect of get_obj_zval_ptr_ptr() */
 				}
-				if (Z_TYPE_PP(object_ptr) == IS_OBJECT) {
+				if (object_ptr && Z_TYPE_PP(object_ptr) == IS_OBJECT) {
 					return zend_binary_assign_op_obj_helper_SPEC_UNUSED_CV (binary_op, ZEND_OPCODE_HANDLER_ARGS_PASSTHRU);
 				} else {
 					zend_op *op_data = opline+1;
@@ -20495,11 +20495,11 @@
 		case ZEND_ASSIGN_DIM: {
 				zval **object_ptr = _get_zval_ptr_ptr_cv(&opline->op1, EX(Ts), BP_VAR_W TSRMLS_CC);
-				if (IS_CV != IS_CV && !0) {
+				if (object_ptr && IS_CV != IS_CV && !0) {
 					(*object_ptr)->refcount++; /* undo the effect of get_obj_zval_ptr_ptr() */
 				}
-				if (Z_TYPE_PP(object_ptr) == IS_OBJECT) {
+				if (object_ptr && Z_TYPE_PP(object_ptr) == IS_OBJECT) {
 					return zend_binary_assign_op_obj_helper_SPEC_CV_CONST(binary_op, ZEND_OPCODE_HANDLER_ARGS_PASSTHRU);
 				} else {
 					zend_op *op_data = opline+1;
@@ -21971,11 +21971,11 @@
 		case ZEND_ASSIGN_DIM: {
 				zval **object_ptr = _get_zval_ptr_ptr_cv(&opline->op1, EX(Ts), BP_VAR_W TSRMLS_CC);
-				if (IS_CV != IS_CV && !0) {
+				if (object_ptr && IS_CV != IS_CV && !0) {
 					(*object_ptr)->refcount++; /* undo the effect of get_obj_zval_ptr_ptr() */
 				}
-				if (Z_TYPE_PP(object_ptr) == IS_OBJECT) {
+				if (object_ptr && Z_TYPE_PP(object_ptr) == IS_OBJECT) {
 					return zend_binary_assign_op_obj_helper_SPEC_CV_TMP(binary_op, ZEND_OPCODE_HANDLER_ARGS_PASSTHRU);
 				} else {
 					zend_op *op_data = opline+1;
@@ -23451,11 +23451,11 @@
 		case ZEND_ASSIGN_DIM: {
 				zval **object_ptr = _get_zval_ptr_ptr_cv(&opline->op1, EX(Ts), BP_VAR_W TSRMLS_CC);
-				if (IS_CV != IS_CV && !0) {
+				if (object_ptr && IS_CV != IS_CV && !0) {
 					(*object_ptr)->refcount++; /* undo the effect of get_obj_zval_ptr_ptr() */
 				}
-				if (Z_TYPE_PP(object_ptr) == IS_OBJECT) {
+				if (object_ptr && Z_TYPE_PP(object_ptr) == IS_OBJECT) {
 					return zend_binary_assign_op_obj_helper_SPEC_CV_VAR(binary_op, ZEND_OPCODE_HANDLER_ARGS_PASSTHRU);
 				} else {
 					zend_op *op_data = opline+1;
@@ -24734,11 +24734,11 @@
 		case ZEND_ASSIGN_DIM: {
 				zval **object_ptr = _get_zval_ptr_ptr_cv(&opline->op1, EX(Ts), BP_VAR_W TSRMLS_CC);
-				if (IS_CV != IS_CV && !0) {
+				if (object_ptr && IS_CV != IS_CV && !0) {
 					(*object_ptr)->refcount++; /* undo the effect of get_obj_zval_ptr_ptr() */
 				}
-				if (Z_TYPE_PP(object_ptr) == IS_OBJECT) {
+				if (object_ptr && Z_TYPE_PP(object_ptr) == IS_OBJECT) {
 					return zend_binary_assign_op_obj_helper_SPEC_CV_UNUSED (binary_op, ZEND_OPCODE_HANDLER_ARGS_PASSTHRU);
 				} else {
 					zend_op *op_data = opline+1;
@@ -25402,11 +25402,11 @@
 		case ZEND_ASSIGN_DIM: {
 				zval **object_ptr = _get_zval_ptr_ptr_cv(&opline->op1, EX(Ts), BP_VAR_W TSRMLS_CC);
-				if (IS_CV != IS_CV && !0) {
+				if (object_ptr && IS_CV != IS_CV && !0) {
 					(*object_ptr)->refcount++; /* undo the effect of get_obj_zval_ptr_ptr() */
 				}
-				if (Z_TYPE_PP(object_ptr) == IS_OBJECT) {
+				if (object_ptr && Z_TYPE_PP(object_ptr) == IS_OBJECT) {
 					return zend_binary_assign_op_obj_helper_SPEC_CV_CV(binary_op, ZEND_OPCODE_HANDLER_ARGS_PASSTHRU);
 				} else {
 					zend_op *op_data = opline+1;

- Shire shire@facebook.com shire@php.net
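Review bot: The `object_ptr &&` guard is inert for these CV-op1 specializations as well: `_get_zval_ptr_ptr_cv` with `BP_VAR_W` creates the compiled variable when it is missing and, as far as I can tell, never returns NULL, so the only real NULL source remains the IS_VAR string-offset fetch; keeping the check for template uniformity is fine, but the def should say so rather than leaving readers to hunt for a NULL path in the CV fetch. Separately, every hunk header here claims 11 old and 11 new lines while only 10 are visible per hunk, so at least one blank context line has been lost in transit and this mailed text will not apply cleanly — regenerate zend_vm_execute.h from the def or apply the original attachment. The handler bodies start before and continue after each hunk.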