Fixed bug #74954 (null deref and segfault in zend_generator_resume())

2024-09-21 18:07:23 +00:00 · 2017-07-22 11:14:00 +02:00 · 2017-07-22 11:14:00 +02:00 · bad5d0d6c5
commit bad5d0d6c5
parent e405ff59f9
3 changed files with 48 additions and 4 deletions
--- a/1
+++ b/1
@ -4,6 +4,7 @@ PHP                                                                        NEWS

 - Core:
  . Fixed bug #74947 (Segfault in scanner on INF number). (Laruence)
+  . Fixed bug #74954 (null deref and segfault in zend_generator_resume()). (Bob)

 - SimpleXML:
  . Fixed bug #74950 (nullpointer deref in simplexml_element_getDocNamespaces).
--- a/Zend/tests/generators/bug74954.phpt
+++ b/Zend/tests/generators/bug74954.phpt
@ -0,0 +1,45 @@
+--TEST--
+Bug #74954 (crash after update of generator yielding from finished generator)
+--FILE--
+<?php
+
+function from() {
+        yield 1;
+        throw new Exception();
+}
+
+function gen($gen) {
+        try {
+                var_dump(yield from $gen);
+        } catch (Exception $e) { print "Caught exception!\n$e\n"; }
+}
+
+$gen = from();
+$gens[] = gen($gen);
+$gens[] = gen($gen);
+
+foreach ($gens as $g) {
+        $g->current();
+}
+
+do {
+        foreach ($gens as $i => $g) {
+                $g->next();
+        }
+} while($gens[0]->valid());
+
+?>
+--EXPECTF--
+Caught exception!
+Exception in %s:%d
+Stack trace:
+#0 %s(%d): from()
+#1 [internal function]: gen(Object(Generator))
+#2 %s(%d): Generator->next()
+#3 {main}
+Caught exception!
+ClosedGeneratorException: Generator yielded from aborted, no return value available in %s:%d
+Stack trace:
+#0 [internal function]: gen(Object(Generator))
+#1 %s(%d): Generator->next()
+#2 {main}
--- a/Zend/zend_generators.c
+++ b/Zend/zend_generators.c
@ -644,15 +644,13 @@ failure:

 ZEND_API void zend_generator_resume(zend_generator *orig_generator) /* {{{ */
 {
-	zend_generator *generator;
+	zend_generator *generator = zend_generator_get_current(orig_generator);

 	/* The generator is already closed, thus can't resume */
-	if (UNEXPECTED(!orig_generator->execute_data)) {
+	if (UNEXPECTED(!generator->execute_data)) {
 		return;
 	}

-	generator = zend_generator_get_current(orig_generator);
-
 try_again:
 	if (generator->flags & ZEND_GENERATOR_CURRENTLY_RUNNING) {
 		zend_throw_error(NULL, "Cannot resume an already running generator");