Merge branch 'PHP-5.4' into PHP-5.5

2 files changed, 17 insertions, 3 deletions

diff --git a/Zend/tests/bug64578.phpt b/Zend/tests/bug64578.phpt
new file mode 100644
index 0000000000..73b3ec4f97
--- /dev/null
+++ b/Zend/tests/bug64578.phpt
@@ -0,0 +1,13 @@
+--TEST--
+Bug #64578 (debug_backtrace in set_error_handler corrupts zend heap: segfault)
+--FILE--
+<?php
+
+set_error_handler(function() { debug_backtrace(); });
+
+function x($s) { $s['a'] = 1; };
+$y = '1';
+x($y);
+print_r($y);
+--EXPECTF--
+1
diff --git a/Zend/zend_execute.c b/Zend/zend_execute.c
index b2d06238fa..a65f5331de 100644
--- a/Zend/zend_execute.c
+++ b/Zend/zend_execute.c
@@ -1144,6 +1144,10 @@ convert_to_array:
 					zend_error_noreturn(E_ERROR, "[] operator not supported for strings");
 				}
 
+				if (type != BP_VAR_UNSET) {
+					SEPARATE_ZVAL_IF_NOT_REF(container_ptr);
+				}
+
 				if (Z_TYPE_P(dim) != IS_LONG) {
 
 					switch(Z_TYPE_P(dim)) {
@@ -1172,9 +1176,6 @@ convert_to_array:
 					convert_to_long(&tmp);
 					dim = &tmp;
 				}
-				if (type != BP_VAR_UNSET) {
-					SEPARATE_ZVAL_IF_NOT_REF(container_ptr);
-				}
 				container = *container_ptr;
 				result->str_offset.str = container;
 				PZVAL_LOCK(container);