Fixed bug #70912 (Null ptr dereference instantiating class with invalid array property)

2024-09-21 09:57:23 +00:00 · 2015-11-13 21:01:11 +08:00 · 2015-11-13 21:01:11 +08:00 · 25de928df7
commit 25de928df7
parent a03786f773
3 changed files with 17 additions and 2 deletions
--- a/2
+++ b/2
@ -3,6 +3,8 @@ PHP                                                                        NEWS
 ?? ??? 2015, PHP 7.0.1

 - Core:
+  . Fixed bug #70912 (Null ptr dereference instantiating class with invalid
+    array property). (Laruence)
  . Fixed bug #70898, #70895 (null ptr deref and segfault with crafted callable).
    (Anatol, Laruence)

--- a/Zend/tests/bug70912.phpt
+++ b/Zend/tests/bug70912.phpt
@ -0,0 +1,10 @@
+--TEST--
+Bug #70912 (Null ptr dereference when class property is initialised to a dereferenced value)
+--FILE--
+<?php
+class A {
+	public $a=[][];
+}
+?>
+--EXPECTF--
+Fatal error: Cannot use [] for reading in %sbug70912.php on line %d
--- a/Zend/zend_compile.c
+++ b/Zend/zend_compile.c
@ -7381,12 +7381,15 @@ void zend_eval_const_expr(zend_ast **ast_ptr) /* {{{ */
 		case ZEND_AST_DIM:
 		{
 			/* constant expression should be always read context ... */
-
 			zval *container, *dim;

+			if (ast->child[1] == NULL) {
+				zend_error_noreturn(E_COMPILE_ERROR, "Cannot use [] for reading");
+			}
+
 			zend_eval_const_expr(&ast->child[0]);
 			zend_eval_const_expr(&ast->child[1]);
-			if (!ast->child[0] || !ast->child[1] || ast->child[0]->kind != ZEND_AST_ZVAL || ast->child[1]->kind != ZEND_AST_ZVAL) {
+			if (ast->child[0]->kind != ZEND_AST_ZVAL || ast->child[1]->kind != ZEND_AST_ZVAL) {
 				return;
 			}