| -rw-r--r-- | NEWS | 2 | ||||
| -rw-r--r-- | Zend/tests/bug70912.phpt | 10 | ||||
| -rw-r--r-- | Zend/zend_compile.c | 7 |
3 files changed, 17 insertions, 2 deletions
@@ -3,6 +3,8 @@ PHP NEWS ?? ??? 2015, PHP 7.0.1 - Core: + . Fixed bug #70912 (Null ptr dereference instantiating class with invalid + array property). (Laruence) . Fixed bug #70898, #70895 (null ptr deref and segfault with crafted callable). (Anatol, Laruence) diff --git a/Zend/tests/bug70912.phpt b/Zend/tests/bug70912.phpt new file mode 100644 index 0000000000..3d6d4303a6 --- /dev/null +++ b/Zend/tests/bug70912.phpt @@ -0,0 +1,10 @@ +--TEST-- +Bug #70912 (Null ptr dereference when class property is initialised to a dereferenced value) +--FILE-- +<?php +class A { + public $a=[][]; +} +?> +--EXPECTF-- +Fatal error: Cannot use [] for reading in %sbug70912.php on line %d diff --git a/Zend/zend_compile.c b/Zend/zend_compile.c index 7044b6b945..75e484f1dd 100644 --- a/Zend/zend_compile.c +++ b/Zend/zend_compile.c @@ -7381,12 +7381,15 @@ void zend_eval_const_expr(zend_ast **ast_ptr) /* {{{ */ case ZEND_AST_DIM: { /* constant expression should be always read context ... */ - zval *container, *dim; + if (ast->child[1] == NULL) { + zend_error_noreturn(E_COMPILE_ERROR, "Cannot use [] for reading"); + } + zend_eval_const_expr(&ast->child[0]); zend_eval_const_expr(&ast->child[1]); - if (!ast->child[0] || !ast->child[1] || ast->child[0]->kind != ZEND_AST_ZVAL || ast->child[1]->kind != ZEND_AST_ZVAL) { + if (ast->child[0]->kind != ZEND_AST_ZVAL || ast->child[1]->kind != ZEND_AST_ZVAL) { return; } |
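Review bot: The new bug70912.phpt covers only a property default (`public $a=[][];`), while the fix sits in zend_eval_const_expr, which by its name presumably serves other constant-expression contexts too. Cases such as `const C = [][];` and a parameter default `function f($x = [][]) {}` would pin the same "Cannot use [] for reading" error on those paths. They would need separate .phpt files, since the first compile error ends the script.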
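Review bot: In the ZEND_AST_DIM case the rewritten condition dereferences `ast->child[0]->kind` without the `!ast->child[0]` guard the old line carried, and nothing in the hunk shows that child[0] is non-NULL after `zend_eval_const_expr(&ast->child[0])`. If the parser guarantees that a ZEND_AST_DIM node always has a container, state that invariant where it is relied on, e.g. `ZEND_ASSERT(ast->child[0] != NULL);` before the kind check, or keep `!ast->child[0] ||` in the condition. The same applies to child[1]: the early NULL check runs before evaluation, so it presumably relies on zend_eval_const_expr never leaving that slot NULL. The function starts and continues outside this hunk, so both assumptions should be confirmed against the rest of its body.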
