1 # Source: upstream |
|
2 # http://git.php.net/?p=php-src.git;a=commitdiff;h=f57cb13c566613eec0e1c2f6d96d18565436a9b7 |
|
3 # https://bugs.php.net/bug.php?id=70083 |
|
4 # Security |
|
5 |
|
6 From f57cb13c566613eec0e1c2f6d96d18565436a9b7 Mon Sep 17 00:00:00 2001 |
|
7 From: Bob Weinand <[email protected]> |
|
8 Date: Wed, 15 Jul 2015 22:46:53 +0200 |
|
9 Subject: [PATCH] Backport fix for bug #70083 to PHP-5.6 |
|
10 |
|
11 --- |
|
12 Zend/zend_vm_def.h | 7 ++++--- |
|
13 Zend/zend_vm_execute.h | 28 ++++++++++++++++------------ |
|
14 2 files changed, 20 insertions(+), 15 deletions(-) |
|
15 |
|
16 diff --git a/Zend/zend_vm_def.h b/Zend/zend_vm_def.h |
|
17 index 11f6205..7bfa814 100644 |
|
18 --- a/Zend/zend_vm_def.h |
|
19 +++ b/Zend/zend_vm_def.h |
|
20 @@ -1774,6 +1774,10 @@ ZEND_VM_HANDLER(39, ZEND_ASSIGN_REF, VAR|CV, VAR|CV) |
|
21 SAVE_OPLINE(); |
|
22 value_ptr_ptr = GET_OP2_ZVAL_PTR_PTR(BP_VAR_W); |
|
23 |
|
24 + if (OP1_TYPE == IS_VAR && UNEXPECTED(EX_T(opline->op1.var).var.ptr_ptr == &EX_T(opline->op1.var).var.ptr)) { |
|
25 + zend_error_noreturn(E_ERROR, "Cannot assign by reference to overloaded object"); |
|
26 + } |
|
27 + |
|
28 if (OP2_TYPE == IS_VAR && |
|
29 value_ptr_ptr && |
|
30 !Z_ISREF_PP(value_ptr_ptr) && |
|
31 @@ -1791,9 +1795,6 @@ ZEND_VM_HANDLER(39, ZEND_ASSIGN_REF, VAR|CV, VAR|CV) |
|
32 } else if (OP2_TYPE == IS_VAR && opline->extended_value == ZEND_RETURNS_NEW) { |
|
33 PZVAL_LOCK(*value_ptr_ptr); |
|
34 } |
|
35 - if (OP1_TYPE == IS_VAR && UNEXPECTED(EX_T(opline->op1.var).var.ptr_ptr == &EX_T(opline->op1.var).var.ptr)) { |
|
36 - zend_error_noreturn(E_ERROR, "Cannot assign by reference to overloaded object"); |
|
37 - } |
|
38 |
|
39 variable_ptr_ptr = GET_OP1_ZVAL_PTR_PTR(BP_VAR_W); |
|
40 if ((OP2_TYPE == IS_VAR && UNEXPECTED(value_ptr_ptr == NULL)) || |
|
41 diff --git a/Zend/zend_vm_execute.h b/Zend/zend_vm_execute.h |
|
42 index 5ed4135..07b9abc 100644 |
|
43 --- a/Zend/zend_vm_execute.h |
|
44 +++ b/Zend/zend_vm_execute.h |
|
45 @@ -20331,6 +20331,10 @@ static int ZEND_FASTCALL ZEND_ASSIGN_REF_SPEC_VAR_VAR_HANDLER(ZEND_OPCODE_HANDL |
|
46 SAVE_OPLINE(); |
|
47 value_ptr_ptr = _get_zval_ptr_ptr_var(opline->op2.var, execute_data, &free_op2 TSRMLS_CC); |
|
48 |
|
49 + if (IS_VAR == IS_VAR && UNEXPECTED(EX_T(opline->op1.var).var.ptr_ptr == &EX_T(opline->op1.var).var.ptr)) { |
|
50 + zend_error_noreturn(E_ERROR, "Cannot assign by reference to overloaded object"); |
|
51 + } |
|
52 + |
|
53 if (IS_VAR == IS_VAR && |
|
54 value_ptr_ptr && |
|
55 !Z_ISREF_PP(value_ptr_ptr) && |
|
56 @@ -20348,9 +20352,6 @@ static int ZEND_FASTCALL ZEND_ASSIGN_REF_SPEC_VAR_VAR_HANDLER(ZEND_OPCODE_HANDL |
|
57 } else if (IS_VAR == IS_VAR && opline->extended_value == ZEND_RETURNS_NEW) { |
|
58 PZVAL_LOCK(*value_ptr_ptr); |
|
59 } |
|
60 - if (IS_VAR == IS_VAR && UNEXPECTED(EX_T(opline->op1.var).var.ptr_ptr == &EX_T(opline->op1.var).var.ptr)) { |
|
61 - zend_error_noreturn(E_ERROR, "Cannot assign by reference to overloaded object"); |
|
62 - } |
|
63 |
|
64 variable_ptr_ptr = _get_zval_ptr_ptr_var(opline->op1.var, execute_data, &free_op1 TSRMLS_CC); |
|
65 if ((IS_VAR == IS_VAR && UNEXPECTED(value_ptr_ptr == NULL)) || |
|
66 @@ -23801,6 +23802,10 @@ static int ZEND_FASTCALL ZEND_ASSIGN_REF_SPEC_VAR_CV_HANDLER(ZEND_OPCODE_HANDLE |
|
67 SAVE_OPLINE(); |
|
68 value_ptr_ptr = _get_zval_ptr_ptr_cv_BP_VAR_W(execute_data, opline->op2.var TSRMLS_CC); |
|
69 |
|
70 + if (IS_VAR == IS_VAR && UNEXPECTED(EX_T(opline->op1.var).var.ptr_ptr == &EX_T(opline->op1.var).var.ptr)) { |
|
71 + zend_error_noreturn(E_ERROR, "Cannot assign by reference to overloaded object"); |
|
72 + } |
|
73 + |
|
74 if (IS_CV == IS_VAR && |
|
75 value_ptr_ptr && |
|
76 !Z_ISREF_PP(value_ptr_ptr) && |
|
77 @@ -23818,9 +23823,6 @@ static int ZEND_FASTCALL ZEND_ASSIGN_REF_SPEC_VAR_CV_HANDLER(ZEND_OPCODE_HANDLE |
|
78 } else if (IS_CV == IS_VAR && opline->extended_value == ZEND_RETURNS_NEW) { |
|
79 PZVAL_LOCK(*value_ptr_ptr); |
|
80 } |
|
81 - if (IS_VAR == IS_VAR && UNEXPECTED(EX_T(opline->op1.var).var.ptr_ptr == &EX_T(opline->op1.var).var.ptr)) { |
|
82 - zend_error_noreturn(E_ERROR, "Cannot assign by reference to overloaded object"); |
|
83 - } |
|
84 |
|
85 variable_ptr_ptr = _get_zval_ptr_ptr_var(opline->op1.var, execute_data, &free_op1 TSRMLS_CC); |
|
86 if ((IS_CV == IS_VAR && UNEXPECTED(value_ptr_ptr == NULL)) || |
|
87 @@ -37492,6 +37494,10 @@ static int ZEND_FASTCALL ZEND_ASSIGN_REF_SPEC_CV_VAR_HANDLER(ZEND_OPCODE_HANDLE |
|
88 SAVE_OPLINE(); |
|
89 value_ptr_ptr = _get_zval_ptr_ptr_var(opline->op2.var, execute_data, &free_op2 TSRMLS_CC); |
|
90 |
|
91 + if (IS_CV == IS_VAR && UNEXPECTED(EX_T(opline->op1.var).var.ptr_ptr == &EX_T(opline->op1.var).var.ptr)) { |
|
92 + zend_error_noreturn(E_ERROR, "Cannot assign by reference to overloaded object"); |
|
93 + } |
|
94 + |
|
95 if (IS_VAR == IS_VAR && |
|
96 value_ptr_ptr && |
|
97 !Z_ISREF_PP(value_ptr_ptr) && |
|
98 @@ -37509,9 +37515,6 @@ static int ZEND_FASTCALL ZEND_ASSIGN_REF_SPEC_CV_VAR_HANDLER(ZEND_OPCODE_HANDLE |
|
99 } else if (IS_VAR == IS_VAR && opline->extended_value == ZEND_RETURNS_NEW) { |
|
100 PZVAL_LOCK(*value_ptr_ptr); |
|
101 } |
|
102 - if (IS_CV == IS_VAR && UNEXPECTED(EX_T(opline->op1.var).var.ptr_ptr == &EX_T(opline->op1.var).var.ptr)) { |
|
103 - zend_error_noreturn(E_ERROR, "Cannot assign by reference to overloaded object"); |
|
104 - } |
|
105 |
|
106 variable_ptr_ptr = _get_zval_ptr_ptr_cv_BP_VAR_W(execute_data, opline->op1.var TSRMLS_CC); |
|
107 if ((IS_VAR == IS_VAR && UNEXPECTED(value_ptr_ptr == NULL)) || |
|
108 @@ -40675,6 +40678,10 @@ static int ZEND_FASTCALL ZEND_ASSIGN_REF_SPEC_CV_CV_HANDLER(ZEND_OPCODE_HANDLER |
|
109 SAVE_OPLINE(); |
|
110 value_ptr_ptr = _get_zval_ptr_ptr_cv_BP_VAR_W(execute_data, opline->op2.var TSRMLS_CC); |
|
111 |
|
112 + if (IS_CV == IS_VAR && UNEXPECTED(EX_T(opline->op1.var).var.ptr_ptr == &EX_T(opline->op1.var).var.ptr)) { |
|
113 + zend_error_noreturn(E_ERROR, "Cannot assign by reference to overloaded object"); |
|
114 + } |
|
115 + |
|
116 if (IS_CV == IS_VAR && |
|
117 value_ptr_ptr && |
|
118 !Z_ISREF_PP(value_ptr_ptr) && |
|
119 @@ -40692,9 +40699,6 @@ static int ZEND_FASTCALL ZEND_ASSIGN_REF_SPEC_CV_CV_HANDLER(ZEND_OPCODE_HANDLER |
|
120 } else if (IS_CV == IS_VAR && opline->extended_value == ZEND_RETURNS_NEW) { |
|
121 PZVAL_LOCK(*value_ptr_ptr); |
|
122 } |
|
123 - if (IS_CV == IS_VAR && UNEXPECTED(EX_T(opline->op1.var).var.ptr_ptr == &EX_T(opline->op1.var).var.ptr)) { |
|
124 - zend_error_noreturn(E_ERROR, "Cannot assign by reference to overloaded object"); |
|
125 - } |
|
126 |
|
127 variable_ptr_ptr = _get_zval_ptr_ptr_cv_BP_VAR_W(execute_data, opline->op1.var TSRMLS_CC); |
|
128 if ((IS_CV == IS_VAR && UNEXPECTED(value_ptr_ptr == NULL)) || |
|
129 -- |
|
130 2.1.4 |
|
131 |
|
132 |
|